State of Containers Report 2019: ‘Security’ Remains A Challenge!
Containers have gained popularity in recent years, with higher adoption observed across organizations of all sizes and verticals.
Container services have shown the IT industry how to enhance the application delivery cycle and deliver apps that are portable, distributed, fast-moving and platform-independent.
Moreover, the rise of Kubernetes deployment boosted the demand for IT container services further, making them imperative for app-centric business transformation.
Advantages aside, one concern continues to be a major challenge for container adoption: security, according to the report titled ‘State of Containers and Kubernetes Security 2019’.
State of Container Security
Initially, in its 2018 survey of more than 200 IT professionals across different industries, StackRox found security to be the leading container strategy concern for most organizations.
Six months later, it conducted a new survey in 2019. This time, the survey reported rising Kubernetes adoption and the emergence of new technologies like service mesh and Functions-as-a-Service (FaaS).
But security remained a concern! Despite the rising adoption, organizations still reported a lack of security as a concern in their container strategy.
“Despite having a greater percentage of containers in production, these organizations have only modestly reduced their security concerns. Worries about misconfigurations and runtime risks persist, and still, too few organizations have a robust security plan in place,” says the ‘State of Containers and Kubernetes Security 2019’ report in its executive summary.
State of Container Security 2019: Key Findings
Here are some key findings from the report:
1) Inadequate investment in securing containers
A key factor hindering organizations from securing containers is a lack of related investment. Inadequate investment in security remains a key challenge to organizations’ container strategy. Container adoption has outpaced investments in formulating a security strategy.
Concern has grown that organizations’ container strategies are failing to invest sufficiently in security
2) More than one-third of firms lack a container security strategy
34 percent of the survey respondents had no container security strategy or were still in the planning phase. However, 30-41 percent of organizations have their strategy at the intermediate stage. Organizations realize that security cannot be an afterthought and should be present across the container lifecycle.
Organizations run a big risk by continuing to move forward with container adoption without making the needed investments in strategies and tooling to protect that critical application infrastructure
3) Misconfigurations as the greatest risk
Various other findings have shown Kubernetes vulnerabilities. Organizations continue to see user-driven misconfigurations and exposed Kubernetes dashboards or metadata as their biggest source of risk.
The percent of respondents identifying misconfigurations and accidental exposures as their biggest security concern increased from 54% to 60% in a span of six months
4) Security Issues in Runtime
Because runtime is part of the container lifecycle, issues in runtime can harm the entire cycle. Runtime issues can arise from a lack of security practices during the build and deploy phases.
It costs significantly less time and money to fix a security hole during the build or deploy phase than during the runtime phase
5) Security span across different platforms
70 percent of organizations reported running containers on-premise, while 75 percent of those using on-premise are also running containers in the cloud and 53 percent are running on hybrid cloud. The report says a container security solution should have a wider span to match all the platform requirements.
With the hybrid model poised to continue to grow as on-prem-only organizations divest from their datacenters, a Kubernetes-native container security platform that delivers environment-agnostic controls will be essential
6) AWS dominates, Azure and GCP continue to rise
Amazon is leading in container deployments, followed by Microsoft’s Azure and Google Cloud Platform (GCP). The majority of the survey respondents, mostly from cloud-native services and SaaS providers, report Google as an attractive cloud partner owing to its expertise in containers and Kubernetes.
Google’s announcement of Anthos is a clear indication that more and more customers want to adopt the hybrid model and will need a security solution that consistently applies a broad set of controls across different environments. This universal portability is crucial to realizing many of the benefits of containers.
7) Kubernetes adoption on the rise, a 50 percent rise in 6 months
Kubernetes adoption across a wide range of deployment models has increased. This includes self-managed clusters and managed services such as Azure AKS, Google GKE and Amazon EKS. 51 percent of Kubernetes adopters self-manage some of their Kubernetes clusters, while 21 percent only use self-managed Kubernetes and 31 percent use a single managed service.
The diverse way Kubernetes is deployed requires an equally portable security solution that spans cloud and on-prem environments as well as self-managed and managed service versions of Kubernetes
8) Feature-rich security platforms are the need of the hour
Respondents are keen on container security use cases and expect broader and deeper functionality across Kubernetes and container security platforms. They want rich features and advanced capabilities to be part of DevOps and security practices. Widely available container tools also feature prominently here.
DevOps focus is evident: Vulnerability management beats out compliance and visibility as the top use case, with 75% of respondents citing it as a ‘must-have’ capability
9) DevSecOps gaining prominence for container security
There is a growing inclination towards DevSecOps as an effective means to address container security. 42% of the survey respondents reported DevSecOps as the right means to run container security platforms. Though its ‘security as code’ mechanism with the cloud-native stack is effective, it demands processes and tooling to enable integration across groups.
IT Security professionals find value in designating the specific role of DevSecOps and its responsibility in running container security platforms
10) Rise in containerization rates
The percentage of applications undergoing containerization has increased over the last six months, says the report.
- 15-23 percent of organizations have containerized 50 percent of their apps, depicting a 53 percent growth rate.
- 13-22 percent of organizations have more than 50 percent of containers running in production, showing a 70 percent growth rate.
Companies need to move past their out-of-date perspective that security matters only once containers are in production. In a DevOps world, security applies even in dev/test, since it’s all about building the assets securely
On an End Note
Considering the report findings, it’s imperative for organizations to think seriously about effective security practices in container implementation.
A lack of the right security measures in building, deploying and running cloud-native assets can place the operational benefits of agility and flexibility at risk.
So, it’s also important to focus on investment and measures, alongside adoption, to strengthen container security and reap the benefits of containerization technology as a whole.