Earlier this month, Red Hat released The State of Kubernetes Security for 2023 report. This annual report explores the specific security risks organizations face in cloud-native development, including risks to their software supply chain, and how they mitigate those risks to protect their applications and IT environments.
Despite Kubernetes still being a relatively young technology, adoption rates have soared over the past several years as the container orchestration platform has become the cornerstone for many digital transformation initiatives. Even as organizations settle in with their use of the technology in production, however, concerns still remain around the best ways to secure containerized workloads.
The report is based on a survey of 600 DevOps, engineering and security professionals from across the globe and uncovers some of the most common security challenges organizations face on their cloud-native adoption journey and their impact on the business. The report also provides best practices and guidance for application development and security teams that could lower their security risk.
Some notable findings from this year include:
- 38 percent of respondents state that security investment in containerized operations is inadequate, a 7 percent increase from 2022.
- 67 percent of respondents have had to slow down cloud-native adoption due to security concerns.
- More than half of the respondents have experienced a software supply chain issue related to cloud-native and containerized development in the past 12 months.
Investment doesn’t match adoption
Over the past several years, we’ve consistently seen that security remains one of the biggest concerns around container adoption. This year’s survey proved no different, with 38 percent of respondents stating security isn’t taken seriously enough or security investment is inadequate – up 7 percent over just last year. What’s interesting here is that adoption rates continue to grow, yet that growth hasn’t always been followed by the same growth in security investments.
Cloud-native solutions require cloud-native security solutions, which can (and should) often include a DevSecOps approach. IT teams need to focus on selecting and implementing security tools that provide feedback and guardrails in the CI/CD application pipeline as well as the infrastructure pipeline. Organizations need to plan for this transition as part of their transformation initiatives and not just rely on existing solutions, which often require substantial tailoring or adjustment to meet the rigors of cloud-native computing.
One of the best ways to overcome the investment and adoption gap is to invest in cloud-native tools with security built in, rather than added on afterwards. With security integrated into the solution – from the operating system foundation to the application level – organizations don’t have to find additional money in the budget for security solutions that align with their latest technologies.
Security concerns hinder business outcomes
One of the primary reasons for adopting cloud-native technologies is the agility they provide. Faster time to market, adaptability and reliability are all benefits of cloud-native technologies and key drivers for enterprises to digitally transform their IT infrastructure. But these benefits aren’t always realized: the survey found that 67 percent of respondents have had to delay or slow down application deployment due to security concerns. This isn’t too surprising given that new technologies often create unforeseen security challenges, but security should be treated as a component of successful technology adoption, not a blocker or detriment to cloud-native development.
Minor delays, though, are often the least of an organization’s concerns when it comes to cloud-native security incidents; the survey indicates that far more severe business impacts are possible. 21 percent of respondents said that a security incident led to employee termination, and 25 percent said the organization was fined. Beyond the immediate impact, terminations can cost the wider IT organization valuable talent, knowledge and experience. Businesses that face regulatory fines due to compliance violations or data breaches carry a significant financial burden, not to mention negative publicity.
37 percent of respondents reported revenue or customer loss as a result of a container or Kubernetes security incident. Such incidents can delay critical projects or product releases, as businesses must prioritize security efforts to address vulnerabilities that were missed in the development stage. This delay can have a ripple effect on the business, resulting in further lost revenue, customer dissatisfaction, or even loss of market share to competitors. These occurrences can also erode customer trust in a business’s ability to protect sensitive data, potentially leading to outright customer loss.
By prioritizing security early in a cloud-native strategy, organizations are making an investment in protecting business assets, such as sensitive data, intellectual property, and customer information. They are also able to better meet regulatory requirements, drive business continuity, maintain customer trust, and reduce the cost of remediating security issues later on.
Concerns over software supply chain security
Attention around software supply chain security is at an all-time high – and for good reason. Sonatype reported an astonishing 742 percent average annual increase in software supply chain attacks over the past three years. To home in on the specific supply chain concerns that keep IT leaders up at night, we asked our survey respondents a variety of questions about their software supply chain security in Kubernetes, including which incidents are most concerning and whether they’ve experienced any over the past year.
The findings are in line with what would be expected from sprawling software supply chains that are emblematic of a containerized environment. The top three concerns are vulnerable application components (32 percent), insufficient access controls (30 percent), and a lack of software bill of materials (SBOM) or provenance (29 percent).
What is alarming, however, is that more than half of the respondents have experienced virtually every issue we asked about, with vulnerable application components and continuous integration/continuous delivery (CI/CD) pipeline weaknesses the two most frequently cited.
The good news is that many organizations are making strides to better secure their software supply chains. While software supply chain security is a complex and multifaceted field, a comprehensive DevSecOps approach is an effective strategy. Nearly half of the respondents have a DevSecOps initiative in advanced stages. Another 39 percent understand the value of DevSecOps and are in the early stage of adoption.
Additionally, by focusing on the security of software components and dependencies early in the software development lifecycle and using DevSecOps practices to automate the integration of security at every phase, organizations are able to move from inconsistent, manual processes to consistent, repeatable, and automated operations.