Security is top of mind for IT leaders. In fact, it was the number-one IT technology funding priority among the more than 1,300 IT decision-makers surveyed for Red Hat’s 2022 Global Tech Outlook report.
Kubernetes matters too: 70 percent of the roughly 1,300 IT decision-makers surveyed for Red Hat’s latest The State of Enterprise Open Source report use it as part of their IT infrastructure.
To better understand the key trends in Kubernetes and cloud-native security more broadly, we asked more than 300 DevOps, engineering, and security professionals and published the findings in the 2022 State of Kubernetes security report.
Here are four key findings.
1. Security responsibilities are becoming more decentralized
Historically, the application security story went something like this: Developers wrote code that didn’t always follow the best security practices. Indeed, the top web application security risks, as captured by the OWASP Top 10, haven’t improved over the years as much as one would have hoped. It was then the job of the IT security specialist, at the end of the process, to keep insecure code out of production.
This back-loaded, bolted-on approach to security is a key element of the story told by The Phoenix Project, a sort of founding fable of the DevOps movement. (The term DevSecOps came later. Most of those involved in DevOps considered it obvious that good security practices were inherent in DevOps, but that wasn’t always appreciated in practice, so the security part got its own name.)
The survey shows that genuine change is underway, however: 61 percent of respondents identified either DevOps or DevSecOps roles as most responsible for container and Kubernetes security. In contrast, only 16 percent said that it was primarily the responsibility of a dedicated security function and only 6 percent said that it was primarily something that traditional application developers had to handle.
Overall, this data tells a story of cooperative cross-functional responsibility for security rather than traditional siloed IT functions.
2. Security needs are multi-faceted
The data also shows that security is not a single problem, although respondents worry more about some types of problems than others. Misconfigurations are a particular cause of concern. That probably isn’t surprising given that Kubernetes is both highly configurable and relatively complex. It’s natural to think of configuration management mainly in terms of how images and manifests are built, but a misconfiguration made there (a container that runs as root, say) becomes a runtime concern, which is to say a Day 2 operations problem, as soon as it is deployed.
In addition to runtime threat detection/response and configuration management, more than half of respondents said a variety of other Kubernetes security capabilities were “must-haves,” especially image scanning and vulnerability management. The overall story is clearly that security isn’t about any single capability but a whole set of them.
Respondents also used a variety of open source tools for Kubernetes security, most notably KubeLinter, a YAML and Helm linter for Kubernetes, and Open Policy Agent (OPA), which provides unified policy-based control for cloud-native environments.
3. More automation is needed
Getting configurations right at scale is one more reason automation matters. In our 2022 Global Tech Outlook, we found that, like security overall, investments in automation were being prioritized across many areas going into 2022.
Automation brings many advantages. Speed is one that particularly resonated with interview subjects in other recent research we’ve conducted. Efficiency is another. Above all, maintaining consistency and repeatability across a production Kubernetes environment is simply not possible without a healthy dose of automation.
Remember the traditional security professionals injecting themselves at the very end of the application development process? Automation is the key to codifying security knowledge and best practices so that developers, DevOps, DevSecOps, and others involved in application development and operations can apply them throughout the process, starting at the very beginning.
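As an added illustration of what "codifying security knowledge" looks like for the misconfiguration concerns discussed above, here is a small linter written for this page. It is not KubeLinter, OPA, or any Red Hat code; it applies a handful of the well-known Pod-level checks that such tools enforce (host namespaces, privileged containers, root users, mutable image tags, missing resource limits) to two constructed manifests, one weak and one hardened, so that the same check can run in a CI pipeline before a manifest ever reaches a cluster. The manifests, image names and check names are all assumptions for illustration.

```python
"""Illustrative Kubernetes Pod misconfiguration checks (added example, not
KubeLinter or OPA). Manifests are represented as Python dicts, exactly as
they would look after loading a YAML file, so this runs with no dependencies."""

# Constructed weak manifest: shares the host PID namespace, runs privileged,
# uses a mutable image tag and sets no resource limits.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "example.internal/web:latest",   # hypothetical image
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed hardened manifest: same workload, settings that pass every check.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},   # pod-level default
        "containers": [{
            "name": "web",
            "image": "example.internal/web:1.4.2",    # pinned tag
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


def _mutable_image(image):
    """True when the reference is not pinned: no tag, or the ':latest' tag.
    A digest reference (name@sha256:...) is always treated as pinned."""
    ref = image.rsplit("/", 1)[-1]          # strip registry/namespace
    if "@" in ref:
        return False
    return ":" not in ref or ref.endswith(":latest")


def lint_pod(manifest):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        findings.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Container-level securityContext overrides the pod-level default.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))

        if _mutable_image(c.get("image", "")):
            findings.append(f"{name}: image reference is mutable ({c.get('image')!r})")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if run_as_non_root is not True:
            findings.append(f"{name}: runAsNonRoot is not set to true")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL])")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}: no resource limits set")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        found = lint_pod(pod)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

In a pipeline the loop at the bottom would read manifests from the repository and fail the build when `lint_pod` returns anything, which is the point of the section above: the security specialist's knowledge runs on every change rather than at the end.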
4. Hybrid cloud approaches are generally preferred
A theme that consistently comes up in our research is the dominant use of hybrid clouds, both as a strategy and as a deployment environment. In this survey, 42 percent of larger organizations (those with more than 1,000 employees) run their containers on a mix of on-premises and public cloud infrastructure.
This isn’t a new trend. Even as public clouds were first arriving on the scene, amid much talk of utility computing, it was clear to many that IT infrastructures would remain fairly heterogeneous, just as they essentially always have been.
One of the latest drivers for hybrid clouds is edge computing in its various forms, which emphasizes extending compute capabilities and data analysis out to users and devices at the edge of the network.
While it’s not something we studied in this survey, edge computing also has important security implications. There are security advantages to providing a common platform and consistent tooling across the entire computing infrastructure, and indeed we’re starting to see scaled-down Kubernetes clusters in edge environments.
Keeping data local can also be advantageous from a security perspective. At the same time, edge nodes often won’t have the same degree of physical security as a datacenter, so an attacker may be able to touch the hardware, and the potentially very large number of nodes means that automation is even more important for security, among other reasons.
In short, there is a lot happening in the cloud-native and Kubernetes space and many considerations for security. The good news is that there’s also a huge amount of community activity and attention being focused on security.