Security concerns slowing Kubernetes adoption
Despite Kubernetes still being a relatively young technology, adoption rates have soared over the past several years as the container orchestration platform has become the cornerstone of many digital transformation initiatives. Even as organisations settle in with their use of the technology in production, however, concern remains about the best ways to secure containerised workloads.
Investment doesn’t match adoption
In recent years, we’ve consistently seen that security remains one of the biggest concerns around container adoption. This year’s State of Kubernetes Security report proved no different, with 38% of respondents stating security isn’t taken seriously enough or security investment is inadequate — up 7% over just last year. What’s interesting here is that adoption rates continue to grow, yet that growth hasn’t always been followed by the same growth in security investments.
Cloud-native solutions require cloud-native security solutions, which can (and should) often include a DevSecOps approach. IT teams need to focus on selecting and implementing security tools that provide feedback and guardrails in the CI/CD application pipeline as well as the infrastructure pipeline. Organisations need to plan for this transition as part of their transformation initiatives and not just rely on existing solutions, which often require substantial tailoring or adjustment to meet the rigours of cloud-native computing.
One of the best ways to overcome the investment and adoption gap is by investing in cloud-native tools with security baked in, rather than bolted on as an add-on. With security integrated into the solution — from the operating system foundation to the application level — organisations don’t have to find additional money in the budget for security solutions that align with their latest technologies.
Security concerns hinder business outcomes
One of the primary reasons for adopting cloud-native technologies is the agility they provide. Faster time to market, adaptability and reliability are all benefits of cloud-native technologies and key drivers for enterprises to digitally transform their IT infrastructure. But these benefits aren’t always realised — with the survey finding that 67% of respondents have had to delay or slow down application deployment due to security concerns. This isn’t too surprising given new technologies often create unforeseen security challenges, but security should be looked at as a component of successful technology adoption, not a blocker or detriment to cloud-native development.
Minor delays are often the least of an organisation’s concerns when it comes to cloud-native security incidents though, with the survey indicating even more severe business impacts are possible. Twenty-one per cent of respondents said that a security incident led to employee termination, and one in four (25%) said the organisation was fined. Beyond the obvious associated impact, this could result in a loss of valuable talent, knowledge and experience to the IT organisation at large. Beyond that, businesses that face regulatory fines due to compliance violations or data breaches face a significant financial burden, not to mention negative publicity.
Thirty-seven per cent of respondents identified revenue/customer loss as a result of a container and Kubernetes security incident. These incidents could result in the delay of critical projects or product releases, as businesses must prioritise security efforts to address the vulnerabilities that were missed in the development stage. This delay could have a ripple effect on the business, resulting in further lost revenue, customer dissatisfaction or even loss of market share to competitors. These types of occurrences can also erode customer trust in a business’s ability to protect sensitive data, potentially leading to fully fledged customer loss.
By prioritising security early in a cloud-native strategy, organisations are making an investment in protecting business assets, such as sensitive data, intellectual property and customer information. They are also able to better meet regulatory requirements, drive business continuity, maintain customer trust, and reduce the cost of remediating security issues later on.
Concerns over software supply chain security
Attention around software supply chain security is at an all-time high — and for good reason. Sonatype reported an astonishing 742% average annual increase in software supply chain attacks over the past three years. To home in on the specific supply chain concerns that keep IT leaders up at night, we asked our survey respondents a variety of questions about their software supply chain security in Kubernetes, including which incidents are most concerning and whether they have experienced any over the past year.
The findings are in line with what would be expected from sprawling software supply chains that are emblematic of a containerised environment. The top three concerns are vulnerable application components (32%), insufficient access controls (30%), and a lack of software bill of materials (SBOM) or provenance (29%).
What is alarming, however, is that more than half of the respondents have experienced virtually every issue we identified in our question, with vulnerable application components and continuous integration/continuous delivery (CI/CD) pipeline weaknesses the two most commonly cited issues experienced.
The good news is many organisations are making strides to help better secure their software supply chains. While software supply chain security is a complex and multifaceted field, having a comprehensive DevSecOps approach is an effective strategy. Nearly half of respondents have a DevSecOps initiative in advanced stages. Another 39% understand the value of DevSecOps and are in the early stage of adoption.
Additionally, by focusing on the security of software components and dependencies early in the software development lifecycle and using DevSecOps practices to automate the integration of security at every phase, organisations are able to move from inconsistent, manual processes to consistent, repeatable and automated operations.
The full report can be downloaded here.