Misconfigurations Tops List of Security Issues Hampering Kubernetes
A survey of 400 IT professionals published today by StackRox, a provider of a suite of tools for securing Kubernetes environments, finds that while adoption of Kubernetes is high, many organizations are now bedeviled by security issues.
The survey finds 91% of respondents are using some form of Kubernetes to manage their containers, with 50% opting to manage their Kubernetes environments on their own. Among those relying on instances of Kubernetes managed for them, the most widely employed is Amazon Elastic Kubernetes Service (EKS) at 44%, followed by Microsoft Azure Kubernetes Service (AKS) at 31%, IBM Red Hat OpenShift at 22% and Google Kubernetes Engine at 19%.
Michelle McLean, vice president of marketing for StackRox, says that while early adopters of Kubernetes continue to self-manage their Kubernetes environments, most IT organizations appear to be shifting toward managed services once they begin to deploy fleets of Kubernetes clusters.
The survey also finds a total of 44% are running containers both on-premises and in the cloud. In comparison, 41% of respondents said they were running cloud-only deployments, while only 15% said they were on-premises only. When asked how they are deploying hybrid or multi-cloud environments using Kubernetes, respondents cited Amazon Web Services (AWS) Outposts (31%), Azure Arc (30%), OpenShift (28%) and Google Anthos (16%).
Regardless of how Kubernetes is managed, 90% said they had a security incident involving Kubernetes. Misconfigurations top the list at 67%, followed by major vulnerabilities (22%), runtime incidents (17%) and failed audits (16%). A total of 44% said they have delayed rolling out applications into production because of security concerns.
On the plus side, 83% have some form of a DevSecOps initiative in place, with 40% saying they’re starting to have DevOps and security teams collaborate on joint policies and workflows. Another 27% say they’re integrating and automating security across the software development life cycle (SDLC), while 16% said they are implementing security as code. Only 25% said they lack a formal Kubernetes security strategy, and only 17% said there is little to no collaboration between the teams.
Overall, an internal skills shortage and a steep learning curve were cited equally, by 70% of respondents, as the most significant Kubernetes challenges impacting their companies.
McLean says the skills shortage and steep learning curve result in so many misconfiguration issues. Kubernetes is one of the most complex platforms to manage ever deployed in production environments, so there are many opportunities for IT teams to make mistakes, she notes.
It may take a while for IT organizations to master the best DevSecOps practices required to minimize misconfiguration issues. The survey, however, makes it clear those efforts are underway. As such, the number of security incidents stemming from misconfigurations should decline. Of course, as more organizations adopt Kubernetes, the number of IT teams making these mistakes for the first time should also increase unless the learning curve for Kubernetes becomes less steep.