
Security a Top Concern as Containerization Gathers Pace

Within the increasing adoption of container technology, two things stand out: hybrid on-prem and cloud configurations are growing, and Kubernetes dominates. At the same time, concern over investment in security remains high.

StackRox has repeated a survey (PDF) on container and Kubernetes security just six months after a previous survey. In the latest survey, 390 IT and security professionals across a range of industry sectors and enterprise sizes took part.

Comparing the results from the two surveys shows the volatility of the market and highlights the fundamental concerns and difficulties of those concerned with container implementation. For example, companies with an intermediate or advanced security strategy have increased from 30% to 41%, demonstrating that container security is progressing.

At the same time, however, companies with a non-existent security strategy have increased from 15% to 19%. The implication is that companies are adopting containers first, and considering their security second. This is confirmed by the respondents' primary concerns over their companies' security strategy: 40% (up from 35%) believe there is insufficient investment in security, while 34% (up from 25%) believe the strategy is not sufficiently detailed.

Mark Bouchard of AimPoint (the research firm that conducted the survey for StackRox) points out, "Organizations run a big risk by continuing to move forward with container adoption without making the needed investments in strategies and tooling to protect that critical application infrastructure."

Cloud adoption for containers is increasing rapidly. Six months ago, 31% ran containers on-prem only. This has dropped to just 17%. The biggest single growth has been a hybrid mix of on-prem and multiple clouds, up from 14% to 23%. It's too early to say whether this indicates a slow migration to a multi cloud-only solution: use of a single cloud provider has dropped from 22% to 21%, while use of multiple clouds only has risen by just 2% (7% to 9%).

AWS still dominates public cloud usage with 78% of firms using it. Azure is second at 40%, with Google Cloud Platform use growing fast -- from 18% to 28% over the last six months. StackRox conjectures that companies are beginning to view Google "as a particularly attractive cloud partner given the company's deep expertise in containers and Kubernetes."

Kubernetes is increasingly the container orchestrator of choice. Six months ago, 57% of companies used Kubernetes in one form or another -- this has now grown to 86% of companies. Thirty-one percent of these use nothing but a single managed service, while 17% of respondents running Kubernetes use it in a managed form across two or more managed services. 

While Kubernetes dominates as the orchestrator, the runtime engine is even more pronouncedly Docker at 91%. The only alternative used by more than 5% of the respondents is containerd.

Security is clearly a concern for the respondents. Vulnerability management (75%), compliance (72%), visibility (71%) and configuration management (66%) are the top four 'must have' capabilities. It is not surprising that configuration management figures highly, given that misconfigurations and exposures are by far the single greatest worries (60%, up from 54%). Attacks (11%, down from 17%) and vulnerabilities (steady at 29%) lag far behind.

The next three 'must have' security capabilities are runtime threat detection (63%), network segmentation (60%) and risk profiling and prioritization (55%). "Organizations are demanding comprehensive security controls across the full stack and the full software development life cycle," comments Bouchard. "That users deem so many security capabilities as 'must have' features demonstrates how critical they view this app dev stack."

The clear impression from this survey is that companies have recognized the advantages of containerization, and appear to be focusing on hybrid cloud/on-prem implementations around Kubernetes and Docker -- but are not yet sufficiently considering security implications from the outset.

"DevOps, containers, and Kubernetes are the backbone of digital transformation initiatives in every organization today, but security still needs to catch up," comments Kamal Shah, StackRox CEO. "Organizations are putting the operational benefits of agility and flexibility at risk by not investing in security. Containers and Kubernetes have moved well beyond the early adoption phase -- security must be built-in from the start, not bolted-on after the fact, for organizations to securely realize the full potential of cloud-native technologies."

Mountain View, California-based container security firm StackRox raised $25 million in a Series B round in April 2018, bringing the total raised to date to $39 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.