Container Security Concerns Impacting Deployments
A survey of 540 IT and security professionals conducted by 451 Research on behalf of StackRox, a provider of a container security platform, finds nearly half the respondents (44%) admit to delaying or halting the deployment of a containerized application in a production environment because of cybersecurity concerns.
In addition, the survey notes 94% of respondents deal with some type of container security issues in the last 12 months. However, less than a third of those respondents (27%) said those issues involved a container runtime environment. In comparison, less than a quarter (24%) said they needed to remediate a major vulnerability, while 64% said they had discovered a misconfiguration issue.
Only 21% of respondents said they had experienced two or more types of these security incidents, but only 5% had experienced all three. It’s not clear whether the number of container security incidents is any more than what organizations may be experiencing across the rest of their application portfolio. However, it’s clear that based on the survey results, cybersecurity concerns have become a cause for pause.
In fact, survey respondents identified vulnerability management (76%), visibility (75%), configuration management (68%), compliance (68%) and runtime threat protection (64%) as being the most important cybersecurity capabilities required for containers.
Michelle McLean, vice president of marketing for StackRox, says those cybersecurity concerns also may be pushing more organizations toward managed instances of Kubernetes. The survey finds 37% of respondents now rely on Amazon Kubernetes Service (EKS), while 35% have deployed a self-managed instance of Kubernetes. Among organizations that have deployed Kubernetes on a public cloud, more than three-quarters (78%) are on Amazon Web Services (AWS) platforms, while 39% are on Azure and 35% on Google Cloud Platform.
Since the same survey was conducted in Spring 2019, usage of EKS climbed 37% while adoption of Microsoft Azure Kubernetes Service (AKS) increased 31% and Google Kubernetes Engine (EKS) grew 75% year over year. The number of respondents who have deployed self-managed instances of Kubernetes dropped 20% year over year.
Overall, 86% of respondents said they have deployed Kubernetes in one form or another. McLean says Kubernetes is on the cusp of mainstream adoption. However, the single largest concern cited by survey respondents is the lack of adequate investment in container security (37%). Many developers are pushing ahead with deploying containerized applications on Kubernetes because the perceived benefits outweigh the potential risk. The primary benefits of Kubernetes cited by survey respondents are faster application development and deployments (39%), application stability (32%) and environmental portability (19%). In fact, 29% of respondents said that more than 50% of their applications are already containerized.
It’s not clear how much or even whether a lack of expertise is holding back Kubernetes adoption. One-third (33%) of respondents cited internal skills shortage and a steep learning curve (28%) as the two biggest inhibitors of Kubernetes adoption within their organization. Less clear is who is responsible for container security, with 81% believing it is the DevOps team’s responsibility while 51% believing it is the responsibility of the IT security team. Nearly two-thirds (61%) said developers and cybersecurity teams will need to work more closely together. How that goal will be achieved, however, is an ongoing negotiation within most IT organizations.
