A new report from Red Hat indicates that Kubernetes continues to be a security nightmare because it is “very” complex to use and the people responsible for setting it up are having a hard time coping. The company surveyed 300 development, engineering, and security professionals for the report and found that 55% of them had postponed an application launch because of security issues. Almost everyone (93%) had experienced at least one security incident in their Kubernetes environment in the past 12 months, and nearly a third (31%) had lost revenue or customers as a result.
Kubernetes, also known as K8s, is an open source system for running containerized applications across multiple hosts. It provides the key mechanisms for deploying, maintaining, and scaling applications. Originally developed by Google, Kubernetes is now hosted by the Cloud Native Computing Foundation (CNCF). It is the de facto standard for orchestrating and managing containers at scale, but deploying it is only one part of a Kubernetes strategy: security plays an equally important role in how companies use cloud-native technologies.
Security is usually harder to get right than setting up and operating the containers themselves. Red Hat’s “The State of Kubernetes Security for 2022” report examines the security challenges that cloud-native development organizations continue to face and how they address them to protect their applications and environments. It is based on a survey of more than 300 DevOps, engineering, and security professionals and highlights how companies adopt containers and K8s while balancing the security of those environments.
The report states that, for 31% of respondents, concerns about container security threats and a lack of investment in container security were the most common worries about their container strategy. These concerns are reinforced by the fact that 93% of respondents reported at least one security incident in their Kubernetes environments in the past 12 months, sometimes resulting in lost revenue or customers.
More than half of the respondents (55%) also had to delay an application launch because of security issues last year. Furthermore, the report indicates that despite the huge media attention given to cyberattacks, it is in fact misconfigurations that keep IT professionals up at night. Kubernetes is highly customizable, with a wide range of configuration options that affect the security posture of an application, and an improper configuration can expose company data to malicious actors.
As a result, respondents were more concerned about exposures caused by misconfigurations in their container and Kubernetes environments (46%) than about attacks (16%), nearly three times the level of concern. Automating configuration management wherever possible helps reduce these issues, so that security tools, rather than people, provide the safeguards that help developers and DevOps teams configure containers and Kubernetes more securely.
“Kubernetes is so easy to use that a company focused solely on solving the problems it poses has raised $67 million,” Corey Quinn, chief economist at IT consultancy The Duckbill Group, said in a tweet posted Monday, citing an investment in a startup called Commodore. The consequences of the software’s complexity can be seen in the difficulties its users report: such complexity invites human error and, to some extent, explains the many clumsy deployments.
The Red Hat report states that “human error is a contributing factor in 95% of breaches,” citing a World Economic Forum article which says that “studies show that 95% of cybersecurity problems can be attributed to human error,” without naming the specific studies. Whatever the exact number, people are involved at some point, and they do not cope well with the complexity.
So, according to Ajmal Kohgadai, Product Marketing Manager at Red Hat, Kubernetes users are more worried about typos than about hackers. Red Hat’s answer to this problem is to automate configuration management as far as possible to minimize the impact of human error. To that end, Red Hat offers Advanced Cluster Security (ACS) for Kubernetes, which it obtained by acquiring StackRox last year and has since released as open source under the name of the company that produced it.
The StackRox project aims to simplify DevSecOps by integrating security capabilities into the development and deployment lifecycle, effectively shifting application security “left” in the software development process, Red Hat says. The software scans container environments for risks, raises alerts, and offers recommendations for improving security. But before companies can automate Kubernetes, they need people who know what they are doing to write the scripts and configuration files.
Kubernetes and containers, although powerful, are designed for developer productivity, not security. “Pod’s default network settings, for example, allow open communication to get a cluster up and running fast, at the expense of security hardening,” the report says. Finding people who can do this work is Kubernetes’ biggest pain point, cited by 30% of survey respondents: “We don’t have the internal talent to use it to its full potential,” said one user.
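The two points above, that insecure defaults rather than attacks are the main worry and that a tool rather than a person should catch them, are easy to make concrete. The following is an added example, not code from Red Hat, StackRox or the report: a small manifest linter that flags the defaults a Pod inherits when a developer sets nothing (root user, privilege escalation allowed, writable root filesystem, no capability drop, no resource limits, unpinned image) and checks whether a namespace has a default-deny ingress NetworkPolicy to override the open pod networking the report describes. The checks are a hypothetical subset of what an admission controller or scanner would apply; the manifests are constructed inline as Python dicts shaped like the JSON `kubectl get <kind> -o json` returns, so it runs offline.

```python
"""Lint Kubernetes Pod manifests and namespaces for common misconfigurations.

Added example (not Red Hat's, StackRox's or the report's code). The rules are
a hypothetical subset of what a real scanner applies; objects are inline dicts
shaped like `kubectl get <kind> -o json` output, so everything runs offline.
"""
from typing import Any, Dict, List


def image_is_pinned(image: str) -> bool:
    """True if the image reference carries a digest or a non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/repository path
    return ":" in last and not last.endswith(":latest")


def lint_pod(pod: Dict[str, Any]) -> List[str]:
    """Return findings for one Pod manifest; an empty list means it passed."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Sharing host namespaces gives the workload a view of the node itself.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: spec.{field} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}/{cname}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: capabilities not dropped")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}/{cname}: no resource limits")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}/{cname}: image not pinned (no tag, 'latest', or no digest)")
    return findings


def has_default_deny_ingress(policies: List[Dict[str, Any]], namespace: str) -> bool:
    """True if a NetworkPolicy in the namespace selects every pod and allows no ingress."""
    for p in policies:
        if p.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = p.get("spec", {})
        if spec.get("podSelector", {}) != {}:  # an empty selector matches all pods
            continue
        # policyTypes always includes Ingress when omitted.
        if "Ingress" in spec.get("policyTypes", ["Ingress"]) and not spec.get("ingress"):
            return True
    return False


def audit(pods: List[Dict[str, Any]], policies: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Run both checks and group the findings per namespace."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        ns = pod.get("metadata", {}).get("namespace", "default")
        report.setdefault(ns, []).extend(lint_pod(pod))
    for ns in report:
        if not has_default_deny_ingress(policies, ns):
            report[ns].append(f"namespace {ns}: no default-deny ingress NetworkPolicy")
    return report


# Constructed sample objects, not taken from any real cluster.
DEFAULT_POD = {  # what a developer gets with no security settings at all
    "metadata": {"name": "web-default", "namespace": "shop"},
    "spec": {"containers": [{"name": "web", "image": "nginx"}]},
}
HARDENED_POD = {
    "metadata": {"name": "web-hardened", "namespace": "shop"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "nginx:1.25.3",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}
POLICIES = [{"metadata": {"name": "default-deny-ingress", "namespace": "shop"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}]

if __name__ == "__main__":
    for ns, found in audit([DEFAULT_POD, HARDENED_POD], POLICIES).items():
        print(f"namespace {ns}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run against the two sample pods, the unhardened one produces six findings and the hardened one none, which is the whole point: the same image, deployed with and without an explicit security context, differs only in settings a human has to remember to write, and a check like this in CI or an admission webhook removes that dependence on memory.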
None of this, however, has hurt the image or popularity of Kubernetes. According to a report by the Cloud Native Computing Foundation last year, the open source container orchestration software is in use or under evaluation at 96% of organizations.
Source: The State of Kubernetes Security in 2022
What is your opinion on the subject?
What do you think of Kubernetes? Do you find it complicated?
Are you using it? If so, how can you minimize configuration errors?