Despite Kubernetes still being a relatively young technology, adoption rates have soared over the past several years as the container orchestration platform has become the cornerstone for many digital transformation initiatives.
Even as organisations settle in with their use of the technology in production, however, there still remains concern around the best ways to secure containerised workloads.
Red Hat’sThe State of Kubernetes Security for 2023 report looks at the specific security risks organisations face regarding cloud-native development, including risks to their software supply chain and how they mitigate these risks to protect their applications and IT environments.
The report is based on a survey of 600 DevOps, engineering, and security professionals from across the globe and uncovers some of the most common security challenges organisations face on their cloud-native adoption journey and their impact on the business. The report also provides best practices and guidance for application development and security teams that could lower their security risk.
Some notable findings from this year include:
- 38% of respondents state that security investment in containerised operations is inadequate, a 7% increase from 2022.
- 67% of respondents have had to slow down cloud-native adoption due to security concerns.
- More than half of respondents have experienced a software supply chain issue related to cloud-native and containerised development in the past 12 months.
Investment doesn’t match adoption
Over the past several years, we’ve consistently seen that security remains one of the biggest concerns around container adoption. This year’s survey proved no different, with 38% of respondents stating security isn’t taken seriously enough, or security investment is inadequate – up 7% over last year. What’s interesting here is that adoption rates continue to grow, yet that growth hasn’t always been followed by the same growth in security investments.
Cloud-native solutions require cloud-native security solutions, which can (and should) often include a DevSecOps approach. IT teams need to focus on selecting and implementing security tools that provide feedback and guardrails in the CI/CD application pipeline, as well as the infrastructure pipeline. Organisations need to plan for this transition as part of their transformation initiatives and not just rely on existing solutions which often require substantial tailoring or adjustment to meet the rigours of cloud-native computing.
One of the best ways to overcome the investment and adoption gap is by investing in cloud-native tools with security baked in rather than it being an add-on. With security integrated into the solution – from the operation system foundation to the application level – organisations don’t have to find additional money in the budget for security solutions that align with their latest technologies.
Security concerns hinder business outcomes
One of the primary reasons for adopting cloud-native technologies is the agility it provides. Faster time to market, adaptability, and reliability are all benefits of cloud-native technologies and key drivers for enterprises to digitally transform their IT infrastructure.
But these benefits aren’t always realised, with the survey finding that 67% of respondents have had to delay or slow down application deployment due to security concerns. This isn’t too surprising given new technologies often create unforeseen security challenges, but security should be looked at as a component of successful technology adoption, not a blocker or detriment to cloud-native development.
Minor delays are often the least of an organisation’s concerns when it comes to cloud-native security incidents, though, with the survey indicating even more severe business impacts are possible. Twenty one percent of respondents said that a security incident led to employee termination, and 25% said the organisation was fined. Beyond the obvious associate impact, this could result in a loss of valuable talent, knowledge and experience to the IT organisation at large. Beyond that, businesses that face regulatory fines due to compliance violations or data breaches face a significant financial burden, not to mention negative publicity.
Thirty seven percent of respondents identified revenue/customer loss as a result of a container and Kubernetes security incident. These incidents could result in the delay of critical projects or product releases as businesses must prioritise security efforts to address the vulnerabilities that were missed in the development stage. This delay could have a ripple effect on the business resulting in further lost revenue, customer dissatisfaction, or even loss of market share to competitors. These types of occurrences can also erode customer trust in a business’s ability to protect sensitive data, potentially leading to full-fledge customer loss.
By prioritising security early in a cloud-native strategy, organisations are making an investment in protecting business assets such as sensitive data, intellectual property, and customer information. They are also able to better meet regulatory requirements, drive business continuity, maintain customer trust, and reduce the cost of remediating security issues later on.
Concerns over software supply chain security
Attention around software supply chain security is at an all time high – and for good reason. Sonatype reported that there has been an astonishing 742% average annual increase in Software Supply Chain attacks over the past 3 years. To hone in on the specific supply chain concerns that keep IT leaders up at night, we asked our survey respondents a variety of questions related to their software supply chain security in Kubernetes, including what incidents are most concerning and if they’ve experienced any over the past year.
The findings are in line with what would be expected from sprawling software supply chains that are emblematic of a containerised environment. The top three concerns being vulnerable application components (32%), insufficient access controls (30%), and a lack of software bill of materials (SBOM) or provenance (29%).
What is alarming however, is that more than half of the respondents have experienced virtually every issue that we identified in our question, with vulnerable application components and continuous integration/continuous delivery (CI/CD) pipeline weakness as the top two most cited issues that were experienced.
The good news is many organisations are making strides to help better secure their software supply chains.
While software supply chain security is a complex and multifaceted field, having a comprehensive DevSecOps approach is an effective strategy. Nearly half of respondents have a DevSecOps initiative in advanced stages. Another 39% understand the value of DevSecOps and are in the early stage of adoption.
Additionally, by focusing on the security of software components and dependencies early in the software development lifecycle and using DevSecOps practices to automate the integration of security at every phase, organisations are able to move from inconsistent, manual processes to consistent, repeatable, and automated operations.