StackRox Report Reveals that Container and Kubernetes Security Concerns are Inhibiting Business Innovation

February 19, 2020 By David

StackRox, a leader in Kubernetes and container security, today released the Winter 2020 edition of its State of Container and Kubernetes Security Report. Among its findings, the survey revealed that container security concerns have inhibited business innovation with nearly half (44 percent) of respondents delaying the deployment of cloud-native applications into production. These delays compromise the biggest benefit respondents cite as driving the movement to microservices and containers – the ability to develop and release applications faster. 

“One of the most consistent results we get on our own surveys of DevOps and cloud-native security technologies is how important security is for those environments,” said Fernando Montenegro, principal analyst at 451 Research. “It is interesting to see how this observation fits well with the StackRox study, highlighting the need for both engineering and security professionals to have visibility and then properly deploy security controls and practices for container and Kubernetes environments.”

Nearly all – 94 percent – of the respondents have experienced security incidents in their container environments in the past 12 months

Data breaches and exposures due to human error, such as misconfigured containers and Kubernetes deployments, have become alarmingly common. Among those reporting security incidents, the majority – 69 percent – experienced a misconfiguration incident, while 27 percent reported a security incident during runtime and 24 percent reported having had a major vulnerability to remediate (respondents could select as many responses as applied).

Exposures due to misconfigurations dwarf all other security concerns

In this third edition of the StackRox report, respondents once again identified exposures due to misconfigurations as the most worrisome security risk for their container and Kubernetes environments, with 61 percent citing this concern. Only 27 percent cited vulnerabilities as their main concern, and just 12 percent worry most about attacks at runtime. This data speaks to the importance of configuration management in securing container and Kubernetes environments – the flexibility of these powerful platforms brings its own challenges.

Managed Kubernetes services have enjoyed major growth

Of the respondents running containerized applications, Kubernetes is being used by 86 percent – the same as the Spring 2019 survey showed. However, the way Kubernetes is being used has changed dramatically. No longer is self-managed the most dominant way to run Kubernetes – 37 percent of respondents cited using Amazon EKS compared to 35 percent managing Kubernetes themselves, down from 44 percent in Spring 2019. Use of both Azure AKS and Google GKE also climbed, with each cited by 21 percent of respondents. 

Hybrid deployments dropped while cloud-only environments grew

Hybrid deployments remain more popular than cloud-only deployments, at 46 percent compared to 40 percent. But hybrid deployments saw a big drop from our survey six months ago, when they represented 53 percent of respondents. Of the cloud-only deployments, multi-cloud gained steam, increasing from 9 percent to 13 percent, but single-cloud use still dominates, at 27 percent for cloud only plus another 24 percent running on-prem and in a single cloud provider. On-prem-only deployments have fallen dramatically since the first survey in Fall 2018, from 31 percent to just 14 percent today.

Skill shortages and a steep learning curve present the biggest Kubernetes challenges

Knowledge of Kubernetes is impacting more than 60 percent of respondents, with 33 percent citing an internal skills gap and another 28 percent identifying the steep learning curve as the most significant Kubernetes challenge their organization is facing. Only 15 percent cited executive understanding as their main difficulty, indicating that the business side of organizations understands and has bought into the benefits of Kubernetes.

Other key survey findings:

  • For the third time in a row, security leads the list of top concerns users have about container strategies.
  • Container security strategies continue to mature, with the percentage of respondents who lacked any form of security strategy dropping 68 percent, from 19 percent to just 6 percent.
  • Despite misconfigurations topping the list of concerns and incidents, respondents remain most concerned about the runtime phase of the container life cycle (56 percent) vs. build and deploy.
  • The percentage of organizations with fewer than 10 percent of their containers running in production fell from 39 percent to 28 percent.

“Our survey data affirms what we hear anecdotally from customers, that security has become a high priority as customers seek to deploy containers and Kubernetes applications in production,” said Kamal Shah, CEO of StackRox. “Organizations have executive buy in – the challenge is understanding the security and compliance requirements so that they can be addressed early in the application development life cycle and prevent delays to application deployment.”

Download the State of Container and Kubernetes Security Report today.