StackRox, a leader in Kubernetes and container security, today released
the Winter 2020 edition of its State of Container and Kubernetes Security
Report. Among its findings, the survey revealed that container
security concerns have inhibited business innovation with nearly half (44
percent) of respondents delaying the deployment of cloud-native applications
into production. These delays compromise the biggest benefit respondents cite
as driving the movement to microservices and containers - the ability to
develop and release applications faster.
"One of the most consistent results
we get on our own surveys of DevOps and cloud-native security technologies is
how important security is for those environments," said Fernando Montenegro,
principal analyst at 451 Research. "It is interesting to see how this
observation fits well with the StackRox study, highlighting the need for both
engineering and security professionals to have visibility and then properly
deploy security controls and practices for container and Kubernetes
environments."
Nearly all - 94 percent - of the respondents have experienced security incidents in their container environments in the past 12 months
Data breaches and exposures due to human error, such as
misconfigured containers and Kubernetes deployments, have become alarmingly
common. Among those reporting security incidents, the majority - 69 percent -
experienced a misconfiguration incident, while 27 percent reported a security
incident during runtime and 24 reported having had a major vulnerability to
remediate (respondents could select as many responses as applied).
Exposures due to misconfigurations dwarf all other security concerns
In this third edition of the StackRox report, respondents
once again identified exposures due to misconfigurations as the most worrisome
security risk for their container and Kubernetes environments, with 61 percent
citing this concern. Only 27 percent cited vulnerabilities as their main
concern, and just 12 percent worry most about attacks at runtime. This data
speaks to the importance of configuration management in securing container and
Kubernetes environments - the flexibility of these powerful platforms brings its
own challenges.
Managed Kubernetes services have enjoyed major growth
Of the respondents running containerized applications,
Kubernetes is being used by 86 percent - the same as the Spring 2019 survey
showed. However, the way Kubernetes is being used has changed dramatically. No
longer is self-managed the most dominant way to run Kubernetes - 37 percent of
respondents cited using Amazon EKS compared to 35 percent managing Kubernetes
themselves, down from 44 percent in Spring 2019. Use of both Azure AKS and
Google GKE also climbed, with each cited by 21 percent of respondents.
Hybrid deployments dropped while cloud-only environments grew
Hybrid deployments remain more popular than cloud-only
deployments, at 46 percent compared to 40 percent. But hybrid deployments saw a
big drop from our survey six months ago, when they represented 53 percent of
respondents. Of the cloud-only deployments, multi-cloud gained steam,
increasing from 9 percent to 13 percent, but single-cloud use still dominates,
at 27 percent for cloud-only plus another 24 percent running on-prem and in a
single cloud provider. On-prem-only deployments have fallen dramatically since
the first survey in Fall 2018, from 31 percent to just 14 percent today.
Skill shortages and a steep learning curve present the biggest Kubernetes challenges
Knowledge of Kubernetes is impacting more than 60 percent
of respondents, with 33 percent citing an internal skills gap and another 28
percent identifying the steep learning curve as the most significant Kubernetes
challenge their organization is facing. Only 15 percent cited executive
understanding as their main difficulty, indicating that the business side of
organizations understands and has bought into the benefits of Kubernetes.
Other key survey findings:
- For the third time in a row, security leads the list of top concerns
  users have about container strategies.
- Container security strategies continue to mature, with the percentage of
  respondents who lacked any form of security strategy dropping 68 percent,
  from 19 percent to just 6 percent.
- Despite misconfigurations topping the list of concerns and incidents,
  respondents remain most concerned about the runtime phase of the container
  life cycle (56 percent) vs. build and deploy.
- The percentage of organizations with fewer than 10 percent of their
  containers running in production fell from 39 percent to 28 percent.
"Our survey data affirms what we
hear anecdotally from customers, that security has become a high priority as
customers seek to deploy containers and Kubernetes applications in production,"
said Kamal Shah, CEO of StackRox. "Organizations have executive buy in - the
challenge is understanding the security and compliance requirements so that
they can be addressed early in the application development life cycle and
prevent delays to application deployment."
Download the State of Container and Kubernetes Security Report today.