The Year Ahead for Kubernetes and Container Security
A new study conducted among the DevSecOps community shows that Kubernetes use is growing rapidly within the enterprise, and not just within test or development environments. As organizations try to catch their breath amid the rapid adoption rate, the security community is scrambling to adapt to containers and cloud native architectures as the new normal.
The Alcide Kubernetes survey queried 200 professionals from development, operations, security, and cloud architect teams. It found that 45% of companies are now running Kubernetes in production, with some 37% of organizations using hybrid or multi-cloud environments for their K8 clusters. The study showed that Kubernetes use in production rose by 120% in the last year.
The most common driver of adoption was the implementation of microservices, which was cited by 60% of respondents. Approximately 53% said the need to improve innovation velocity and time to market was a major driver, and 44% cited application scaling.
This is among many signs that Kubernetes will continue to evolve as “the ‘Linux of the cloud,’” says Ben Newton of Sumo Logic, who believes that in 2019 it became clear that Kubernetes won the cloud orchestration war.
“Today, all the major cloud providers – Amazon, Google and Microsoft – all offer a managed Kubernetes service,” says Newton. “As multi-cloud adoption continues to accelerate, it's been highly correlated with higher Kubernetes adoption. Kubernetes will continue to remain an orchestration tool of choice as it offers broad multi-cloud support and can be leveraged by many organizations to run applications across on-prem and cloud environments.”
In spite of this market-determined standardization on Kubernetes, many security teams still remain behind the eight-ball with regard to securing K8 clusters. Alcide explained in its report that a study of 5,000 Kubernetes deployments last year found that 89% of them encoded sensitive information like passwords in plain text when the applications should have been using Kubernetes Secrets. What’s more, the study’s data showed that over 75% of the scanned deployments used workloads that mounted high-vulnerability host file systems such as /proc, while none of the surveyed environments exhibited any kind of segmentation using Kubernetes’ network policies.
“These findings confirmed the increasing complexity of multi-cluster Kubernetes environments and the prevailing lack of connectivity with DevOps workflows complicating efforts by SecOps teams to keep pace with Kubernetes vulnerabilities and best practices,” the report explained.
Many Kubernetes users have at least an inkling of the security weaknesses they must tackle soon. Around half of teams admitted in the survey that they’re not confident their K8 deployments are secure, and 67% anticipate that they’ll need to increase the use of Kubernetes-specific security tooling in 2020.
According to some, the big level-up to come will be in the increased manifestation of security ‘policy as code,’ coupled with automated container security controls, some of them native and some through third-party tooling.
“Kubernetes ConfigMaps and Custom Resource Definitions (CRDs) are making it possible for configurations and rules to be automated right into the CI/CD and DevOps pipeline,” says Glen Kosaka, vice president of product for NeuVector. “Because of this, DevOps teams in 2020 will be much better equipped to analyze application behavior and set security policies for any and all workload deployments via YAML files. Expect this evolution of more efficient and automated security integration processes to be a particularly welcome change for DevOps next year.”
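As an added example (not code from Alcide, NeuVector or the survey), the three findings reported from the 5,000-deployment study can be expressed as a small policy-as-code check of the kind a CI/CD pipeline could run over parsed manifests. The function names, the name pattern for sensitive variables, the extra host paths beyond /proc and the sample manifests are all assumptions made for illustration.

```python
import re

SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
# /proc is the path named in the study; the other two are assumed additions.
RISKY_HOST_PATHS = ("/proc", "/sys", "/var/run/docker.sock")

def pod_spec(obj):
    """Pod spec of a bare Pod, or of a workload that carries a pod template."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def audit(objects):
    """Return sorted (namespace/name, finding) pairs for parsed manifest dicts."""
    with_policy = {o["metadata"].get("namespace", "default")
                   for o in objects if o.get("kind") == "NetworkPolicy"}
    findings = set()
    for obj in objects:
        spec = pod_spec(obj)
        if obj.get("kind") == "NetworkPolicy" or not spec.get("containers"):
            continue
        ns = obj["metadata"].get("namespace", "default")
        ref = f"{ns}/{obj['metadata']['name']}"
        for c in spec["containers"] + spec.get("initContainers", []):
            for env in c.get("env", []):
                # A literal `value` lives in the manifest; `valueFrom.secretKeyRef` does not.
                if env.get("value") and SENSITIVE.search(env["name"]):
                    findings.add((ref, f"plaintext-env:{env['name']}"))
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path", "")
            if any(path == p or path.startswith(p + "/") for p in RISKY_HOST_PATHS):
                findings.add((ref, f"hostpath:{path}"))
        # Coarse check: a policy in the namespace may still not select this workload.
        if ns not in with_policy:
            findings.add((ref, "no-networkpolicy"))
    return sorted(findings)

# Constructed sample manifests (not taken from the study).
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "web", "env": [
             {"name": "DB_PASSWORD", "value": "example-only"},
             {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "web", "key": "token"}}}]}],
         "volumes": [{"name": "host-proc", "hostPath": {"path": "/proc"}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"template": {"spec": {"containers": [{"name": "api"}]}}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]
```

Failing the pipeline when `audit()` returns a non-empty list turns the check into an enforced gate; the name-based match on environment variables is a heuristic and will miss secrets stored under innocuous names.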
Automation and managed options are going to be crucial for Kubernetes and cloud-native security in 2020, as the already latent IT security skills shortage is exacerbated by the relative newness of these technologies. Just boning up on Kubernetes management knowledge is straining many organizations. The Alcide study showed that 44% of users admit that Kubernetes is still “somewhat of a black box” to them. As such, organizations will be looking for any shortcut they can find to catch up on Kubernetes security and management.
“The IT skills shortage will continue to plague the market, especially for new technologies such as Kubernetes, and (in) what is by now a chronic shortage in skilled IT security professionals,” says Rani Osnat, vice president of strategy for Aqua Security. “It will drive organizations to seek solutions that provide a high degree of automation, with ‘zero-configuration’ out-of-the-box capabilities that provide value immediately, and don’t require a lot of integration work or management overhead.”