Containers, when utilised properly, can significantly improve an organisation’s efficiency through speeding up development and automating processes. Yet like with so many technologies before it, security was never quite at the top of the priority list.
StackRox and Skybox Security, two California-based cybersecurity providers, have issued reports over the past week which come to similar conclusions: organisations are struggling with the sprawl of major container and Kubernetes adoption, with security taking a hit as a result.
The industry figures reveal the extent of the concern. In May, this publication noted that the 2019 KubeCon event felt like a milestone for the industry. At the time of Kubernetes being upgraded as a ‘graduate’ of the Cloud Native Computing Foundation (CNCF) last March, Redmonk research found almost three quarters (71%) of the Fortune 100 were using containers in some form.
These are emphasised further by the current reports. StackRox found that, of the 390 IT professionals surveyed across industry, more than four in five had adopted Kubernetes. This 51% increase on just six months ago was described by the company as ‘staggering.’
It is worth noting at this juncture that, of course, container vendors take great care in securing their products in the first place. But this begets another discussion around where responsibility begins and ends.
This publication has variously reported on incidents where cloud infrastructure vendors explore the limits of how much they can guide their customers. Amazon Web Services (AWS), for instance, launched an offering in November which offered further protection to customers lest they launch a public S3 bucket by mistake. Previously, the company had revamped its design, giving public buckets bright orange warning indicators.
It is a similar theme here. With containers in particular, environments change frequently. Old container images, with known vulnerabilities, can be replicated and spread through various cloud infrastructures. Skybox found that vulnerabilities in cloud containers have increased by 46% year over year, and 240% compared to 2017. Despite this, less than 1% of newly published vulnerabilities were exploited in the wild.
The StackRox report focused more on general security trends. Two in three organisations polled had more than 10% of their applications containerised, yet two in five (40%) remained concerned their container strategy does not sufficiently invest in security. When it came to what organisations wanted, there were seven core capabilities respondents cited in a container security solution. These were, in order, vulnerability management, compliance, visibility, configuration management, runtime threat detection, network segmentation, and risk profiling and prioritisation.
“Organisations are putting the operational benefits of agility and flexibility at risk by not investing in security,” said Kamal Shah, StackRox CEO. “Containers and Kubernetes have moved well beyond the early adoption phase – security must be built-in from the start, not bolted-on after the fact, for organisations to securely realise the full potential of cloud-native technologies.”
Amrit Williams, Skybox VP products, added: “It’s critical that customers have a way to spot vulnerabilities even as their environment may be changing frequently. They also need to assess those vulnerabilities’ exploitability and exposure within the hybrid network and prioritise them alongside vulnerabilities from the rest of the environment – on-prem, virtual networks and other clouds.”
You can read the StackRox report here (email required) and the Skybox report here (email required).
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.