Misconfigurations, Runtime Risks and Lack of Strategic Security Investment Threaten Operational Benefits Even as Adoption Increases by More Than 50%
StackRox, the leader in container and Kubernetes security, released the Spring 2019 edition of its State of Container and Kubernetes Security Report, revealing that organizations continue to struggle with container and Kubernetes security despite the rapid adoption and maturation of these cloud-native technologies.
Despite rapid container adoption, organizations are struggling to secure containers
Even though two-thirds of organizations have more than 10% of their applications containerized, 40% of the organizations remain concerned that their container strategy does not adequately invest in security. Another 34% report their strategy lacks sufficient detail.
More than 86% of organizations have adopted Kubernetes
The growth from a 57% adoption rate of Kubernetes six months ago to 86% today represents a staggering 51% increase. Just six months ago, close to half of organizations (43%) were not using Kubernetes. As to how they’re running Kubernetes, self-managed is the most popular form, with 44% of respondents, followed by Amazon EKS (27%), Azure AKS (16%), Google GKE (12%) and IBM Red Hat OpenShift (12%).
Hybrid cloud is more than a buzzword – it is a reality for container deployments
The report findings highlight the prevalence of on-prem deployments, most of which are in hybrid mode. Nearly three-quarters (70%) of respondents are running containers on prem, and 53% run them in hybrid mode, with containers deployed both on prem and in the public cloud. Only 17% are running containers solely on prem, a drop from 31% six months ago.
Respondents are increasingly concerned about misconfigurations, accidental exposures, and runtime security risks
The report shows that 60% of respondents identify misconfigurations and accidental exposures as their biggest container security concern, up from 54% six months ago. Runtime remains the container life cycle phase respondents worry about the most (43%), followed by deploy (35%) and build (22%).
“Just as with securing IaaS, missing container and Kubernetes security best practices and human error in misconfigurations create real threats to organizations and their bottom lines,” said Mark Bouchard, co-founder and CEO of AimPoint Group. “The consequences of overlooking security early in the container life cycle will be steep, both in lost time and money and in risk of exploitation.”
Vulnerability management, compliance, and visibility are the top 3 “must have” capabilities for a container and Kubernetes security solution
More than half of respondents deemed seven core capabilities as “must have” features: vulnerability management, compliance, visibility, configuration management, runtime threat detection, network segmentation, and risk profiling and prioritization, in that order. Vulnerability management tops the list, with 75% of respondents highlighting it as a must-have capability.
DevOps and DevSecOps are the two primary groups responsible for container security
About two-thirds of organizations view DevOps and DevSecOps as the primary groups responsible for operationalizing container security. DevSecOps was the top group, with 31% of respondents saying they should run these platforms, up from 24% six months ago.
AWS continues to dominate, but Azure and Google Cloud Platform are catching up
Nearly 80% of respondents reported running containers in Amazon Web Services (78%). Google Cloud Platform (GCP) came in third among cloud providers but gained considerable market share, growing from 18% to 28% of respondents in the past six months.
“DevOps, containers, and Kubernetes are the backbone of digital transformation initiatives in every organization today, but security still needs to catch up,” said Kamal Shah, StackRox CEO. “Organizations are putting the operational benefits of agility and flexibility at risk by not investing in security. Containers and Kubernetes have moved well beyond the early adoption phase – security must be built-in from the start, not bolted-on after the fact, for organizations to securely realize the full potential of cloud-native technologies.”