Container and Kubernetes use ramps up, but security still a concern - report

Despite the proliferation of containers and Kubernetes, organizations are still struggling with security, according to a report.

Following up on a report six months ago, container and security vendor StackRox today released its latest report, which found the adoption rate for containers had increased from 57% in the previous report to 86%.


Among the use cases, self-managed was the most popular (44%) form for running Kubernetes, followed by Amazon EKS (27%), Azure AKS (16%), Google GKE (12%) and IBM Red Hat OpenShift (12%).

Kubernetes, which was developed internally by Google before Google released it as open source, has emerged as the de facto standard orchestrator for containers.

"The fact that it (Kubernetes adoption) grew from 57% of the organizations to 86% today is a massive jump," said StackRox CEO Kamal Shah. "We talk to customers and everybody is standardizing on Kubernetes including the large platform providers. I was certainly surprised to see it was at 86% today. This quantifies the trend we were seeing in the marketplace."

Shah said the big drivers for container usage included speed, agility and portability. 

Shah said the other notable item that emerged from today's report was the use of hybrid cloud for container deployments. The report findings highlighted the prevalence of on-premise deployments, most of which are in hybrid mode.

Close to three-quarters (70%) of the survey respondents are running containers on prem, with 53% running them in hybrid mode with containers deployed both on prem and in the public cloud. As a result of the move to hybrid cloud, only 17% of the respondents are running containers only on prem, which was down from 31% six months ago.

"A year ago people were talking about multicloud and hybrid clouds with the notion that not every workload will move to the cloud," Shah said. "Kubernetes and containers aren't just happening in the cloud. These on premise investments where people are running containers and Kubernetes in their own data centers, for example, that to me is very surprising. That surprised us for sure, and it just speaks to the prevalence of containers in organizations today."

Despite the rapid adoption of containers, organizations are still struggling with the security aspects, according to StackRox's report. While two-thirds of organizations have more than 10% of their applications containerized, 40% of them remain concerned about their container strategy. The survey of 390 professionals across various verticals also found 34% of the respondents felt their security strategies lacked sufficient detail.

The report results showed that 60% of the respondents, up from 54% six months ago, identified misconfigurations and accidental exposures as their biggest container security concerns. Runtime remains the container lifecycle phase that respondents worry the most about (43%), followed by deployment (35%) and build out (22%).

Part of the problem in deploying containers and Kubernetes is that organizations' DevOps teams and security teams aren't always on the same page, according to Shah. This friction has led organizations to develop DevSecOps groups. In the latest report, DevSecOps was the top group, with 31% of the respondents saying they should run the container and Kubernetes platforms, which was up from 24% six months ago.

Among a list of best practices for deploying Kubernetes and containers, Shah said organizations should make sure they are using the latest version of Kubernetes, not only to benefit from bug fixes but also to address vulnerabilities and add security features that harden the environment.

Companies should also be aware of who has access to the containers, and they shouldn't grant cluster-level administration privileges. Network policies for network segmentation are also important for Kubernetes and container security.

StackRox is a member of the Linux Foundation's Cloud Native Computing Foundation, and it contributed a blog that provides more details on security measures for containers and Kubernetes.

Privately-held StackRox has about 55 employees and makes its headquarters in Mountain View, Calif. The company's customer roster includes cloud-native startups, Global 200 enterprises and government agencies such as the U.S. Department of Home Security. Shah said that StackRox also does business with government intelligence agencies, but he's not allowed to name them. StackRox's named customers include Looker, which was recently bought by Google, CableOne, SportsHub and the State of Michigan.