Vulnerabilities and misconfigurations in Kubernetes are leading to a significant number of security issues for organizations.
Container orchestration system Kubernetes has seen huge growth in adoption over the past five years, as organizations look to integrate cloud-native technologies into their workflows. However, while containerized solutions were built for ease of use, many businesses are experiencing security issues that have led to delays in application deployment.
According to this year’s edition of Red Hat’s State of Kubernetes security report, over two thirds of organizations surveyed have had to delay deployment of an application due to security concerns related to Kubernetes. Part of this is due to unfamiliarity with the new technology, which can lead to unforeseen security challenges. Organizations that aren’t prioritizing security early are the least likely to see the improvements brought about by containerization, such as faster release cycles, bug fixes, and flexibility.
Alongside a majority of organizations having to delay deployments due to security concerns, 90 percent also experienced a security incident in the preceding 12 months. Most of the security incidents occurred during the runtime phase, while 45 percent of incidents involved detected misconfigurations.
According to Red Hat, security controls for Kubernetes are difficult to customize and integrate into operational environments, which has led some organizations to bypass them entirely, leaving applications more vulnerable to attack. This is apparent at every layer of a Kubernetes implementation, with organizations bypassing SELinux as well as the pod-to-pod communication security mechanisms provided by network policies and role-based access controls.
“Because Kubernetes security also extends into application security, container security, identity management, and zero trust, security professionals must have basic familiarity with all of them and be able to collaborate across the team,” said Sandy Carielli, a principal analyst at Forrester, to ITPro. “Kubernetes is a Venn diagram over security disciplines and organizations can’t confine their discussion of Kubernetes security to just the Kubernetes settings.”
Despite the high levels of security incidents and delays to application deployment, developers are worried that Kubernetes security is not taken seriously enough. About a quarter of respondents are worried that their organization's container strategy is being implemented too slowly, while 14 percent say it does not take compliance needs into account.
Security incidents have real-life impacts on employees and organizations, with 20 percent of respondents stating that an incident led to an employee termination and 33 percent experiencing a loss of revenue or customers due to an incident. A further 39 percent of respondents said a security incident had a negative impact on product success post launch.
Even with all of the security worries, there hasn't been a slowdown in Kubernetes adoption, and organizations on the whole are getting better at implementing a security strategy pre-deployment and retaining that strategy throughout the deployment of Kubernetes. The Cloud Native Computing Foundation has also, over the past half decade, added more security features to Kubernetes as standard, although organizations are still having some trouble configuring them, and quite a few turn them off by default.
In its summary, Red Hat said that organizations should start security strategies early and extend them across the full life cycle, use Kubernetes-native security architectures and controls, and build a bridge between DevOps and SecOps to enable a more cohesive security ecosystem.