Especially bad old habits don’t appear to be going away as organizations migrate to more modern IT platforms based on Kubernetes.
An analysis of scans conducted by Alcide, a provider of container security tools optimized for Kubernetes, finds a full 89% of deployment scans show that companies are not using the secrets resources made available in the core platform. Instead, application secrets such as credentials continue to be left in the open.
Those same scans also show that more than 75% of the scanned deployments continue to mount high-vulnerability host file systems. None of the surveyed environments were making use of segmentation enabled by the network policy engine embedded in Kubernetes.
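As an added illustration (not Alcide's tooling and not part of the original article), the Python sketch below checks manifests, parsed into dicts, for the three findings above: credentials passed as literal environment values instead of Secret references, hostPath volumes, and namespaces with no NetworkPolicy. The name pattern, the `audit` and `deployment` helpers, and the sample manifests are assumptions constructed for this example.

```python
import re

# Heuristic (an assumption of this example): env var names that usually hold credentials.
SENSITIVE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet"}

def audit(objects):
    """Return sorted (namespace, name, finding) tuples for a list of manifests."""
    findings = []
    # Coarse check: any policy in the namespace counts, whether or not it selects the pod.
    policy_namespaces = {o["metadata"].get("namespace", "default")
                         for o in objects if o["kind"] == "NetworkPolicy"}
    for o in objects:
        if o["kind"] not in WORKLOADS:
            continue
        ns = o["metadata"].get("namespace", "default")
        name = o["metadata"]["name"]
        pod = o["spec"]["template"]["spec"]
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            for env in c.get("env", []):
                # A literal "value" puts the credential in the manifest itself;
                # "valueFrom.secretKeyRef" reads it from a Secret resource.
                if env.get("value") and SENSITIVE.search(env["name"]):
                    findings.append((ns, name, f"plaintext-env:{env['name']}"))
        for v in pod.get("volumes", []):
            if "hostPath" in v:
                findings.append((ns, name, f"hostPath:{v['hostPath']['path']}"))
        if ns not in policy_namespaces:
            findings.append((ns, name, "no-networkpolicy-in-namespace"))
    return sorted(findings)

def deployment(ns, name, env, volumes=()):
    """Build a minimal constructed Deployment manifest."""
    return {"kind": "Deployment", "metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {
                "containers": [{"name": "app", "image": "example/app:1", "env": env}],
                "volumes": list(volumes)}}}}

# Constructed sample input, not data from the Alcide scans.
SAMPLE = [
    deployment("shop", "orders",
               [{"name": "DB_PASSWORD", "value": "hunter2"}],
               [{"name": "host", "hostPath": {"path": "/var/run"}}]),
    deployment("billing", "invoices",
               [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef":
                   {"name": "db-creds", "key": "password"}}}]),
    {"kind": "NetworkPolicy", "metadata": {"namespace": "billing", "name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]
```

Calling `audit(SAMPLE)` flags only the `orders` deployment; `invoices` reads its password through a Secret reference and sits in a namespace that has a policy.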
Alcide CTO Gadi Naor says the results show that while organizations are embracing Kubernetes aggressively, there’s still a wide gap in terms of understanding how best to employ all the capabilities of a complex platform. In the case of cybersecurity specifically, that issue may prove especially problematic because secrets management has already been shown to be a painful topic on other platforms. The expectation is that once organizations embrace a platform that has built-in secrets management capabilities, there would be some improvement. Thus far, however, it appears many organizations have not yet fully explored all the capabilities of their Kubernetes platform, he says.
IT organizations, of course, rarely make use of all the capabilities provided within any platform. There are, however, several capabilities within Kubernetes that address cybersecurity issues that organizations previously would have had to acquire separate tools to address. In general, Naor says it’s clear there is still lots of room for improvement when it comes to implementing Kubernetes best practices.
The hope is that with the arrival of Kubernetes, more organizations will first embrace best DevOps processes on their way to achieving DevSecOps nirvana. Most organizations today have adopted DevOps processes unevenly at best and are only beginning to discuss how to integrate their DevOps and cybersecurity teams. By unifying the management of compute, storage and networking on the same platform, there’s a general expectation that deploying and managing containerized applications will accelerate the rate at which organizations make that transition. In reality, some time may pass before IT organizations re-engineer processes that initially were designed for monolithic applications running on more disaggregated infrastructure.
Naturally, much of that intransigence is attributable to a lack of training. Far too many organizations still prefer on-the-job training over a more formal program. The challenge they face is that given the general lack of Kubernetes expertise, most organizations don’t have anybody on staff capable of showing the rest of the team the proverbial Kubernetes ropes. The result is going to be a gap between the time tools become available and the time IT staff have the skills required to master them.
In the meantime, IT hope springs eternal. Modernization of IT environments and associated processes is now all but inevitable. Alas, no two organizations are likely to ever use the same path to complete that journey.