The swift adoption of container technology, DevOps practices, and microservices application architectures are 3 of the key drivers of recent digital transformation. Containerization has proved to be significantly more advantageous in terms of scalability, portability, and continuous development and improvement, whether built in the cloud, on-premises, or in hybrid environments.
In the past few years, organizations have begun to standardize on Kubernetes as their Container Orchestration. Tinder recently announced that corporate is moving its infrastructure to Kubernetes. This decision came soon after Twitter declared its migration from Mesos to Kubernetes.
While the explanations behind such a fast adoption of Kubernetes has been well documented but still security problems stays number one amongst the most critical issues for organizations working with Kubernetes. When you ignore your Container and Kubernetes security, you would possibly end up within the headlines for all the wrong reasons— just ask Tesla.
To better perceive the trends in container and Kubernetes’ security and adoption, StackRox surveyed over 200 IT security and operations decision-makers in November 2018. To measure the impact of Kubernetes adoption rates, they did a similar study across nearly 400 people in security, DevOps; and product team to realize extra insights into how organizations square measure adopting container technologies and the way their security considerations have evolved.
By 2022, over three-fourth of global organizations will be running containerized applications in production. The results are similar to the prediction from Gartner – a significant increase from fewer than 30% nowadays.
Kubernetes adoption grows by 50% in the first half of 2019
Originally engineered by Google—based on the lessons learned from the Borg and Omega projects—Kubernetes was open-sourced in 2014 as a platform for automating scaling, deployment; and management of container-based applications. Google partnered with the LINUX Foundation to form the Cloud Native Computing Foundation (CNCF) to manage the Kubernetes open-source project.
In 2017, cloud giant AWS and Azure were asserting their versions of managed Kubernetes services. Microsoft proclaimed the planned release of Azure Kubernetes Service (AKS); then AWS followed a month later with the pronouncement of Amazon Elastic Container Service for Kubernetes.
Since then, Kubernetes usage has sky-rocketed. In the original survey conducted in November 2018, 57% of respondents aforementioned, they used Kubernetes to orchestrate their containers; which were already more significant than any other orchestrator in the market. The survey was conducted in July 2019 again, the percentage of survey respondents using Kubernetes grew dramatically; from 57% to 86% – a 50% increase.
And despite the very fact that every major cloud providers supply their versions of managed Kubernetes service—with an original price prop for more comfortable use—a sizeable portion of Kubernetes users choose self-managing their clusters. This is because the self-managed Kubernetes; provides greater flexibility to porting existing Kubernetes application to a different atmosphere that’s using Kubernetes.
The rapid adoption of Kubernetes raising security concerns
Security considerations still are one of the critical constraints for using containers and Kubernetes. 2019 saw the discoveries of much high-severity containers and Kubernetes vulnerabilities, as well as the runC vuln (vulnerability); a k8s privilege step-up flaw, a DoS vuln, and a number of other vulnerabilities that were declared earlier this month as half of a CNCF audit.
Most respondents identify an inadequate investment in security as their biggest concern regarding their company’s container strategy. Moving to a containerised/microservices design introduces many new containers and Kubernetes security concerns, and existing security tools aren’t appropriate to deal with them.
Organizations require dedicated security controls dedicated to containers, Kubernetes, and microservices, to fulfill their security and compliance obligations.
Once again, respondents identified runtime because the life cycle phase that organizations are most disturbed about; but, most organizations perceive that runtime failures are a function of lost security best practices throughout the build and deploy phases.
Organizations are constantly worried about the runtime that continues to be the life cycle phase of a container. But most of the organizations perceive that runtime failures occur due to refrained security best practices throughout the build and deploy phases.
Not surprisingly, more than 57% of respondents were worried concerning what happens throughout the build and implement steps. In other words, users realize they must “shift left” in their application of security best practices to build it right the first time.
People are going crazy over Containers and Kubernetes
One of the key findings of the survey report was how diverse containers and Kubernetes environments tend to be. 70% of respondents run a minimum number of their containers on-premises, but 75% of these on-premises containers are also running them on the cloud, which implies that any viable security solution should be adaptable to each environment.
Today, around 53% of respondents running in hybrid mode as compared to 40% at the end of 2018. As a result, the proportion of organizations running containers solely on-premises has dropped nearly in half(from 31% to just 17%); whereas cloud-only deployments have remained steady.
As expected, AWS continues its market dominance in container deployments, followed by Azure. Google comes in third; however, it has gained substantial market share, growing from 18% to 28% over six months.
DevSecOps – not just a catchy term
Traditional security processes will become a barrier once building software using DevOps principals. The increasing complexity of security threats facing enterprises is resulting in DevSecOps playing a vital role.
Across all operation roles, the allocation of management responsibility by role remained consistent; however, the jump in those citing DevSecOps as the accountable operator for container security has become vital.
When analyzing those survey respondents solely in security or compliance role, there’s an even larger jump in the allocation of responsibility to DevSecOps – 42% of respondents in a security or compliance role view DevSecOps; the right organization to run container security programs.
Conclusion
While container security remains a major concern, containerization is here to remain. The advantage of leveraging containers and Kubernetes—allowing the development team to maneuver quickly; deploy software with efficiency, and operate at an unprecedented scale—is clearly outpacing the concern of security vulnerabilities.
Organizations shouldn’t afford to treat security as an afterthought. Unlocking the advantages of cloud-native technologies; whereas maintaining sturdy security for mission-critical application development infrastructure needs protecting the total container life cycle – across build, deploy, and runtime phases.