Container and Kubernetes Security – A 2020 Update

Security has always been a big issue in the fast-paced world of DevOps, Continuous Integration, and Continuous Delivery. Despite the multitude of tools and tech currently available for integrating security into existing workflows, container security is still an aspect that requires expert handling and the adoption of best practice approaches.

StackRox’s recently published State of Container and Kubernetes Security Report—the third edition of a comprehensive investigation into patterns in container usage and Kubernetes security—uncovered many interesting facts curated from a survey of 540 IT professionals. 

One of the most striking takeaways from this report is that many companies are adopting container technology for speed, yet progressively slowing down their application deployment processes to ensure no security steps are overlooked. This inspired a deeper reflection on my part to look at the other trends and statistics concerning approaches to container security in 2020.

(This post references StackRox’s The State of Container and Kubernetes Security (2020) report.)

Leading Towards Widescale Digital Transformation

Containers, Kubernetes, and microservices are seen as the leading aspects of the faster adoption of cloud-native applications and innovations. Companies are quickly embracing cloud-native applications and the benefits they offer as part of a bigger digital transformation process.

Together, these three components are delivering a singular, competitive advantage by ensuring “faster application development and release” (see Figure 1 below). This is where things get interesting. While the main advantage of adopting cloud-native apps is rapid development and deployment, companies are not yet taking full advantage of this edge.

The State of Container and Kubernetes Security, StackRox 2020

44% of respondents—organizations—admitted to delaying deployment because of security concerns (see Figure 2 above). It is not always easy to integrate security into existing workflows, hence the delay in the rapid deployment of microservices and cloud-native apps.

Growing Container Security Threats

That brings us neatly to the report’s next interesting point: there is a growing threat targeting cloud-native applications, so the progressive slowing down of the workflow is not without a legitimate reason. From the surveyed organizations and professionals, the results indicate that 94% have had to deal with a security incident of some description in the last 12 months.

The State of Container and Kubernetes Security, StackRox 2020

That’s a staggering number, especially when you consider how catastrophic the impact of a security incident can be. A simple data breach could lead to a complete loss of trust in the app and its security, which in turn can lead to compounded business risks. The same is true for other forms of attacks such as Distributed Denial of Service (DDoS).

The report also posits that the majority of security risks are caused by human error, mostly in the form of misconfigured cloud environments or Kubernetes clusters. Incidents caused by code errors and cluster misconfiguration are just as common as known vulnerabilities that get remedied before incidents occur.

A Growing Priority

Security risks are growing and require special handling, but there is good news. Organizations are revising their view on container security and making it a top priority again. Speed matters, especially with the market being as competitive as it is today, but speed isn’t everything when your business is on the line. Security is now becoming an essential part of the container strategies of many organizations.

When the same study was completed in the Spring of 2019, 34% of respondents said that their container strategy wasn’t detailed enough (StackRox, 2019). In this edition, that number dropped to 22%, with details about how to secure the containerized environment among the most extensively discussed. Deployment workflows can be sped up again without neglecting environment security. 

At the same time, the container security strategies are becoming more applicable and easier to adopt, as seen from the level of adoption among organizations. 34% of respondents rate their security strategy as intermediate—i.e. advanced enough to mitigate most security threats—with 14% already reaching a mature state.

Containerizing Applications

As mentioned before, containers and Kubernetes together are driving innovation in organizations. More companies are turning their monolithic apps or solutions into microservices that can fully take advantage of the cloud environment (see Figure 24). 

The State of Container and Kubernetes Security, StackRox 2020

Plus, a significant 29% of respondents have more than 50% of their solutions running as cloud-native apps—nearly twice the number from Fall 2018 (see Figure 9).

The State of Container and Kubernetes Security, StackRox 2020

As discussed earlier, container security concerns reach the highest point during deployment and runtime. Most development environments are designed to be restricted and operate in a local ecosystem, so security concerns are not significant. It is when the applications are deployed and run in the cloud that security risks become more prominent.

When reviewed further, cloud professionals and organizations see misconfiguration as the primary cause of security risks. Attacks, on the other hand, aren’t viewed as a significant security threat, with only 12% of respondents showing legitimate concerns. Vulnerabilities are also not seen as a source of significant worry, with only 27% of respondents signaling concerns (see Figure 7).

The State of Container and Kubernetes Security, StackRox 2020

The survey also reveals that native cloud apps are more popular than hybrid deployments. This means organizations are confident enough to run their solutions entirely in the cloud as opposed to relying on on-premise and in-the-cloud hybrid deployments. The more mature cloud infrastructure we have today is the primary reason behind this trend.

It is not surprising to find Amazon Web Services (AWS) topping the chart for cloud infrastructure in the containerized market, despite Google being the company behind Kubernetes. Google Cloud Platform (GCP) is not yet in 2nd place—that position is filled by Microsoft’s Azure—but if it continues growing at its current rate it may outpace Azure soon. And if that’s not enough, 78% of respondents trust AWS to support their apps. Check out a recent discussion I shared comparing the different costs, usability, and benefits between Google Cloud Platform (GCP) versus Amazon Web Services (AWS) here.

The State of Container and Kubernetes Security, StackRox 2020

With AWS leading the market, it is not surprising to find its orchestration tool being the most popular on the market. Accordingly, the top 5 most popular container orchestration tools are:

  • Amazon EKS—37%
  • Self-managed/self-hosted Kubernetes—35%
  • Amazon ECS—28%
  • Azure AKS—21%
  • Google GKE—21%

Amazon’s combined market share (among the respondents) is quite large. Both the Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS) dominate the market with their ease of use, seamless integration with other Amazon services and tools, and competitive pricing structure.

Obstacles and Other Interesting Facts

The trending migration towards cloud-native applications and containerized microservices is not without its challenges. Companies face serious obstacles as they try to convert their monolithic apps into microservices that leverage the power of cloud computing. For Kubernetes specifically, internal skill gaps and a steep learning curve are perhaps the biggest obstacles.

It is not easy to find talent that specializes in Kubernetes and containers. The platform has a steep learning curve and follows a paradigm very different from standard software engineering. Given the relative infancy of the Kubernetes project, it is a challenge to find and hire those with significant background experience in the platform. This difficulty is further compounded by the level of risk management and expertise needed for container security.

DevOps engineers and increasingly available container security solutions are becoming crucial parts of the equation. DevOps engineers are now overloaded with options for new security solutions that simplify the whole process of securing containers and deploying security measures. Integrating security into CI/CD pipelines becomes easier to do when implemented sooner rather than later.

Critical must-have security features are now being made available as managed service offerings. Those crucial security features are:

  • Vulnerability management
  • Configuration management
  • Compliance checks
  • Runtime threat detection
  • Risk profiling and general assessment
  • Visibility management
  • Network segmentation

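Since the report singles out cluster misconfiguration as the leading cause of incidents, and configuration management, compliance checks and network segmentation appear on the feature list above, here is an added illustration of what such a check looks like in practice. This is example code written for this post, not part of the report or any StackRox product: it walks two constructed Pod manifests (one with the classic weak settings, one hardened) and a constructed NetworkPolicy, and flags the settings a compliance check would object to. The registry hostname and workload names are hypothetical.

```python
"""Added example: a minimal checker for common Kubernetes Pod misconfigurations.
The manifests below are constructed for illustration and are not from the report."""
from typing import Any, Dict, List

# Constructed sample: a Pod carrying several classic weak settings.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak", "namespace": "dev"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the settings corrected.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web:1.4.2",  # pinned tag, hypothetical registry
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

# Constructed sample: "prod" has a default-deny ingress policy, "dev" has none.
NETWORK_POLICIES: List[Dict[str, Any]] = [{
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}]


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing host namespaces defeats the isolation containers are meant to give.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # The container-level value overrides the pod-level one; unset means root is allowed.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits (noisy-neighbour / resource exhaustion risk)")
        # Simplistic tag check: the last path segment must carry a tag that is not 'latest'.
        last_segment = c.get("image", "").rsplit("/", 1)[-1]
        if ":" not in last_segment or last_segment.endswith(":latest"):
            findings.append(f"{name}: image tag missing or 'latest' (non-reproducible deploys)")
    return findings


def has_default_deny_ingress(policies: List[Dict[str, Any]], namespace: str) -> bool:
    """True if the namespace has a NetworkPolicy that selects every pod and governs Ingress."""
    for policy in policies:
        if policy.get("kind") != "NetworkPolicy":
            continue
        if policy.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = policy.get("spec", {})
        if spec.get("podSelector") == {} and "Ingress" in spec.get("policyTypes", []):
            return True
    return False


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        namespace = pod["metadata"]["namespace"]
        print(pod["metadata"]["name"], check_pod(pod) or "no findings",
              "| default-deny ingress:", has_default_deny_ingress(NETWORK_POLICIES, namespace))
```

Run stand-alone, the weak Pod produces eight findings and the hardened Pod none, and only the "prod" namespace passes the segmentation check. In a real pipeline the same checks would run against rendered manifests before `kubectl apply` (or be enforced by an admission controller), which is exactly the "security as a process in tandem with CI/CD" point the conclusions below make.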
While there are security engineers and developers capable of handling code-level security, DevOps engineers tend to be responsible for securing the cloud environment and microservices running on top of it. The available tools and the aforementioned features simply make the task of ensuring maximum security easier to manage and maintain on a day-to-day basis.

Conclusions

The State of Container and Kubernetes Security Report, Winter 2020, is rife with interesting facts about container adoption and Kubernetes security. It is clear that security is now a priority for organizations, which is certainly a shift in the right direction.

As the statistics demonstrate that container security on Kubernetes is becoming a high priority, we are led to a number of important conclusions:

  • Kubernetes is more than a temporary trend. The shift towards improved container and Kubernetes security is a clear sign that containerization is here to stay, and Kubernetes is the orchestration tool of choice that will continue to be popular going forward. No surprises there really; the flexibility offered by Kubernetes—and the services built around this orchestration tool—make it invaluable for cloud-native applications development and deployment.
  • Containers—Kubernetes in particular—are universal and cloud-agnostic. This is one of the biggest advantages of Kubernetes. You can deploy the same set of microservices in different environments as long as the runtime requirements are met. This means security is a standardized process rather than a case-by-case workflow. You can secure any Kubernetes cluster using the same set of configurations and approaches.
  • And yes, security is a process. Security is no longer a task that needs to be completed at the end of your CI/CD pipeline. It is a process that runs in tandem with the rest of the CI/CD workflow, including code review and deployment.
  • DevOps is leading the way and building bridges. At the end of the day, your DevOps team will be the ones responsible for ensuring security across your cloud environment. Why not include them in the process from the beginning? In fact, why not encourage your DevOps team to instigate best practice approaches for improving container security in your cloud environment?

The biggest takeaway of them all from this report is that security needs to be a critical priority from the beginning. I strongly believe this indicates that your DevOps team needs to be involved in the container security process from the start too. This proactive move will improve your security posture and lower your attack surface by a significant margin, resulting in better cloud security as a whole for your company. 

References:

The State of Container and Kubernetes Security (2019). StackRox
The State of Container and Kubernetes Security (2020). StackRox


Stefan Thorpe
VP of Engineering @ Cherre ▻ Cloud Solutions Architect ▻ DevOps Evangelist 

Stefan is an IT professional with 20+ years management and hands-on experience providing technical and DevOps solutions to support strategic business objectives.