ARN

93% of Kubernetes users struggle with security

The State of Kubernetes Security report indicates security is a roadblock for organisations adopting Kubernetes, containers, and cloud-native ecosystems, though devsecops adoption is on the rise.

Security is a significant concern for Kubernetes and container-based development, according to Red Hat’s State of Kubernetes Security report for 2022.

In fact, 93 per cent of survey respondents experienced at least one security incident in their Kubernetes and container environments in the past 12 months, sometimes leading to the loss of customers or revenue. This was likely the result of a variety of factors, including a lack of security knowledge about containers and Kubernetes, inadequate tools, and central security teams unable to keep up with application development teams. 

Red Hat also notes that Kubernetes and containers were designed for developer productivity, not necessarily security.

Published last month, the report analysed trends in Kubernetes, container, and cloud-native security. It was based on a survey of more than 300 devops, engineering, and security professionals. Red Hat published the following key findings:

  • 55 per cent of respondents delayed or slowed down application deployment due to security concerns
  • 53 per cent detected a misconfiguration in Kubernetes in the past 12 months
  • 57 per cent worry the most about securing workloads at runtime
  • 78 per cent have a devsecops initiative either in beginning or advanced stages
  • 43 per cent consider devops as the role most responsible for Kubernetes security
  • 38 per cent have had a major vulnerability to remediate pertaining to containers and/or Kubernetes in the previous 12 months

Organisations adopting containers, Kubernetes, and cloud-native ecosystems risk the security of their critical applications if they do not invest in security strategies and tools, Red Hat said. But devsecops, which builds security processes and tools into the devops pipeline, is seeing mass adoption.

Kubernetes is a highly customisable container orchestrator with various configuration options affecting application security, according to the report. Security tools should provide the guard rails to configure Kubernetes more securely. 

Runtime, in particular, represents the container lifecycle phase organisations worry about the most. But runtime security issues typically are caused by lapses such as a misconfiguration at the build or deploy stage.

Red Hat made the following recommendations to achieve better security:

  • Use Kubernetes-native security architectures and controls
  • Start security early and extend it across the full lifecycle
  • Require portability across hybrid environments
  • Transform developers into security users by bridging devops and security