Now that containers are starting to proliferate across the enterprise, there is a greater appreciation for the associated cybersecurity implications.
A survey of 230 IT and security executives conducted by CyberEdge Group on behalf of StackRox, a provider of container security software, finds more than half the respondents (54 percent) say container misconfigurations and accidental exposures are their primary cybersecurity concerns when it comes to deploying containers, followed by vulnerabilities and malware, at 29 percent and 17 percent, respectively.
Specifically, 44 percent identified container runtime as the phase of the container development and deployment process that is most concerning, followed by deployment (30 percent) and build (26 percent).
The survey also finds more than a third of organizations with concerns about their container strategy worry that their existing strategies don’t adequately address container security. Another 15 percent say they don’t believe their strategies take the threats to containers and Kubernetes deployments seriously enough. More than one-third of respondents also admit they haven’t started or are just creating their security strategy plans, the report finds.
StackRox CEO Kamal Shah says misconfigurations are especially problematic when it comes to deploying Kubernetes clusters. On one hand, Kubernetes is one of the most powerful platforms to come down the IT pike in a long time. On the other hand, there are a lot of knobs on a Kubernetes cluster that make it easy to misconfigure, he says.
Overall, the report finds container deployments are already widespread. A full 70 percent of respondents are running containers on-premises, with 32 percent running only on-premises. About 40 percent are running containers both on-premises and in the cloud. Just under 30 percent are running containers in the cloud only. The report notes that the respondents were equally split between those managing containers on their own and those relying on a managed service.
Shah says another challenge an IT organization will face when it comes to container security is making sure any potential blast radius involving a container-related breach remains contained. Because containers are widely employed to build microservices, a breach can result in malware being injected into a highly integrated IT environment. Before anyone has time to act, that malware can spread laterally through the IT environment, making the cleanup effort that much more complex and expensive.
Given all those issues, Shah says it’s not surprising that more of the responsibility for implementing security controls is being shifted left to developers as part of an evolving set of DevSecOps best practices. Cybersecurity teams are still responsible for defining security policies, but developers are starting to make up for a chronic shortage of cybersecurity personnel as they are held more accountable for security breaches. In fact, the survey finds container security is most often managed by DevOps teams (31 percent), followed by security and DevSecOps teams, at 28 percent and 24 percent, respectively.
The upside is that nearly all respondents report containers have fundamentally changed, to varying degrees, the relationship between cybersecurity teams and the rest of the IT organization. Those changes span everything from workflows to embedding security teams within DevOps processes. The challenge now is making those changes stick.