Survey Indicates Container Security Concerns Limit Adoption
A decade ago, when the cloud was the latest disruptive technology, IT departments found they needed to rewrite the book on security. The old way of doing things — protecting the perimeter of the local network or data center with firewalls and other security precautions — wasn’t enough anymore. The data center and the LAN had expanded to include VMs, applications, and data sitting outside the firewall, on cloud servers owned and operated by the likes of Amazon Web Services, Microsoft Azure, or Google Cloud Platform.
These days, the advent of containers is bringing about yet another rewriting of security rules. Containers bring to the table more than convenience and portability; they also bring their own set of new and unique security issues. Even more container security problems are introduced as DevOps increasingly adopts continuous integration and continuous delivery (CI/CD), which often pushes containerized software into production before it’s properly vetted.
“With the increased growth and adoption of containers, security practitioners are feeling the pressure to speed their deployment,” said Tim Erlin, VP of product management and strategy at the cybersecurity company Tripwire. “To keep up with the demand, teams are accepting unnecessary risks by not securing containers.”
He was writing in the company’s recently issued report on its State of Container Security survey. According to the report, if 40 IT people were put in a room, on average two of them would raise their hands if asked, “Who isn’t worried about container security at all?”
Those two would be headed toward a rude awakening. Sixty per cent of the respondents in the survey said they’d experienced at least one container security incident in the last year, with 6 per cent having experienced 26-100.
Tripwire’s survey included responses from 311 IT security pros managing environments with containers. Some were working with containers, but not deploying them in production. Of those who were pushing containers into production, the majority were deploying 100 or fewer. A small percentage said they were deploying more than 1,000.
While not surprising, the results of the survey are cause for concern. Forty-six per cent are putting container security solely in the hands of their IT security teams, with 12 per cent handing the responsibility to DevSecOps. Only 22 per cent give security responsibility to DevOps. This is disturbing, especially in a world where more companies are adopting rapid deployment practices, in which software is containerized and pushed into production with little to no direct input from dedicated security staff.
“Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production,” Erlin noted in the report.
IT departments seem to recognize the need to change their security models, however. Eighty-two per cent said they had considered restructuring how they share security responsibilities. Of those, 21 per cent indicated they had already reassigned security responsibility based on container adoption and 17 per cent ticked the answer, “container adoption is one of the many changes that is making us re-think security.”
The survey results seem to indicate that many IT departments are struggling to understand container security. In many cases, this is hindering container adoption, with 42 per cent saying they’re limiting container use due to perceived security risks.
Nearly a quarter said it would take them days to detect a container compromise. The good news is that nearly half thought they’d detect a compromise within hours, with 12 per cent putting the time at minutes.
Most expect the rate of security-related incidents involving containers to increase in the coming year, with only 29 per cent predicting either no change or a decrease in the number of containers hacked. When asked what they saw driving the increased risk, they cited the increased use of containers, especially in mission-critical systems, a belief that hackers attack new technologies when they’re perceived as weak, and a lack of security best practices for containers.
Nearly everyone surveyed said they’d like to have additional security capabilities for container environments available to them. The wish list included incident detection and response, the ability to isolate containers that behave abnormally, security-focused monitoring (including the ability to monitor containers for drift or behaviour changes), and artificial intelligence security analytics for containers.