Kubernetes complexity creating “new security blind spots”
Kubernetes “still holds stock” among IT and security leaders despite lingering concerns
Kubernetes growth is creating a confluence of new “security blind spots” that could be placing organizations at risk, according to new research.
Analysis from cyber security firm Venafi shows that while IT and security leaders believe Kubernetes will soon become the main platform used to develop applications, a significant portion worry that speed and complexity raise serious security concerns.
Three-quarters (75%) of respondents to Venafi’s survey said they were worried about complexity, with more than half (59%) revealing they have already experienced security incidents within Kubernetes or container environments.
Network breaches, API vulnerabilities, and certificate misconfigurations were identified as the leading causes of Kubernetes-related security blunders, the study found.
Additionally, nearly one-third (30%) of organizations that experienced a Kubernetes or container security incident said it led to a data breach or network compromise.
Security-related issues also meant that one-third were forced to delay an application launch, while 32% experienced significant disruption to application services.
Matt Barker, global head of cloud native services at Venafi said lingering concerns around Kubernetes security highlights the need for greater understanding of cloud native development approaches.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
“Cloud native is the way of the future, enabling highly scalable, flexible and resilient applications that can deliver a competitive edge – in a few years, almost everything will be running on cloud native architecture,” he said.
“But amid the rush to transition to these modern environments, many organizations are underestimating the work needed to deliver efficiency and security. As organizations continue to move more critical workloads into cloud native environments, they need to ensure they close these gaps, or we will see even more breaches and outages.”
More than half of respondents (59%) that have completed a cloud migration admitted they didn’t understand or accommodate for security risks when doing so.
The study also found that organizations shifting workloads to the cloud failed to refactor or modernize applications using cloud native technologies.
“While most respondents (87%) have started to move legacy apps to the cloud, over half of those that have done so failed to refactor them using cloud native technologies.”
Improve operations for Kubernetes at scale
DOWNLOAD NOW
Security teams have become increasingly concerned about this lack of understanding in recent months, the study warned.
90% of security and IT practitioners said security teams need to increase their proficiency in cloud native environments to ensure applications are secure.
“This is particularly urgent given that 85% confirmed that security teams set the strategy for managing security risk and governance across cloud native,” Venafi said.
Enabling “fast and secure” Kubernetes development
A key challenge highlighted in the study centered around the issue of responsibility and control, Venafi said.
85% of respondents agreed that “continuous security validation” to the CI/CD pipeline is critical to reduce the likelihood of vulnerabilities going undetected during the software development lifecycle.
Despite this, the implementation of controls within cloud native environments is typically the responsibility of development and platform teams.
This is creating a divide with regard to secure development, the study warned. Over two-thirds (68%) of respondents said that while DevOps is a “great idea”, security creates “speed bumps” within the lifecycle.
“Balancing speed and security is no easy feat, but it’s a necessity for organizations today,” said Kevin Bocek, VP of ecosystem and community at Venafi.
“It’s critical for security and platform teams to get cloud native security right – there is no perimeter, no pull-the-plug in the cloud.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.