November 14, 2018

StackRox Report: Misconfigurations and Runtime Security Top Enterprise Concerns in Containers and Kubernetes Deployments

Written by

StackRox, a leader in security for containers and Kubernetes, today released its inaugural report, "The State of Container Security," which found that most organizations do not feel prepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes.

 

The StackRox report aimed to understand how container and Kubernetes adoption trends intersected with security concerns - how prepared organizations felt to handle security, how the environments in which they were running containers affected security, and who in the organization bore the greatest responsibility for container security. Notable findings from "The State of Container Security" report include:

  • More than a third of organizations with concerns about their container strategy worry that their strategies don't adequately address container security
  • An additional 15 percent believe their strategies don't take seriously enough the threat to containers and Kubernetes deployments
  • More than one-third of respondents haven't started or are just creating their security strategy plans

Digging into the sources of concern over container security, survey respondents focused on misconfigurations and runtime security as their primary sources of concern:

  • Fifty-four percent of respondents said risks driven by misconfigurations and accidental exposures is their primary concern
  • A near majority of respondents, 44 percent, indicated that runtime, vs. build and deploy, is the phase they are most concerned about from a security perspective

Despite the concerns over the runtime phase of the lifecycle, the dominance of concerns over misconfigurations is likely the result of a number of recent high-profile attacks and exposures on Kubernetes deployments, such as the cryptomining attack on Tesla's deployment on Amazon Web Services and Shopify's publishing of the risk of Kubernetes metadata exposure.

Infrastructure portability is often cited as one of the top reasons to run containers and Kubernetes, and the StackRox report highlights the dominance of hybrid deployment. A surprising percentage of respondents are running their containerized applications only on premise, however:

  • Seventy percent of respondents overall are running containers on premise, with 32 percent running only on premise
  • About 40 percent of respondents are running containers in hybrid environments, both on premise and in the cloud
  • Just under 30 percent of respondents are running only in the cloud

As for who in the organization should take lead running container security, DevOps and DevSecOps top the list.

"The DevOps-induced ‘shift left' approach enabled by containerization is fundamentally changing how developers and security teams are interacting in the enterprise, forcing alignment and collaboration like never before," said Mark Bouchard, Vice President of Research and COO, CyberEdge Group. "For organizations to realize more of the technical advantages of microservices, containers and Kubernetes, they will need container security technologies that integrate increasingly early into the software development life cycle."

The report demonstrates that containers provide an impetus and an opportunity to build a stronger bridge between DevOps and security. Results reveal that deeper container security planning, further integration among DevOps and security teams, and the more widespread adoption of key security technologies are necessary to increase the holistic security of containers and Kubernetes deployments. The complete report provides a number of conclusions that outline key implications for organizations in need of a stronger container security strategy and the specific security elements they need to meet enterprise objectives.

"The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprises' container strategies," said Kamal Shah, StackRox CEO. "Containers provide a natural bridge for collaboration between DevOps and security teams but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise."

To download a full copy of the StackRox report, The State of Container Security, click here.

Last modified on November 14, 2018
Brian Ducharme

Brian is an event reporter for VMBlog.com and an expert in virtualization/cloud techonlogies.  In his 15+ years of experience in the virtualization/cloud field he has interviewed hundreds of companies, users and executives.  Brian has been an active member of the NEVMUG (NEVTUG) since 2006 and attends both vmworld and Citrix Synergy every year.  Brian works full time as a Senior Software Engineer for Liquidware Labs.

Brian also spent 5 years as the managing editor of Virtual Strategy Magazine, an online magazine focused on the virtualization industry and has been with vmblog since 2011. He has a background in Computer Graphics, Marketing, Programming, Web Design, Mobile App Development, Linux Administration and is an active member of the NHJS group. 

 

Sponsors

logo anaconda 600

logo binaras 600

logo chef 600

logo hedvig 600

logo kublr 600

 logo lacework 600

 logo platform9 600

 logo pulumi 600

 logo rancher stacked 600

 logo snaproute 600

 logo stackrox 600

 logo sysdig 600

Latest Videos