Kubernetes is hard, making it secure is harder; Sysdig can help without slowing you down.
As organizations explore how to modernize in what I think of as Cloud 2.0, they are doing so with containers and Kubernetes. In June, Gartner analysts found that more than 75% of global organizations will be running containerized applications in production by 2022. Today, we find that each company is at a different place in its journey.
It’s likely your team is either using containers for some applications or exploring their use. It’s hard to find a software company that has not taken an application and containerized it. If your company falls into this growing category, the question is: has it been done securely? How are you addressing compliance? Are you engaging your team to understand the strategy and posture they’ve taken, or are you expecting your existing toolset to cover this emerging technology?
Security is a must-have for your business; however, it’s not a competitive differentiator. What impacts business is rapid delivery of new features. According to Puppet’s 2019 State of DevOps Report, “Firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61% are able to do so. Compare this with organizations that have not integrated security at all: Fewer than half (49%) can deploy on-demand.”
Being able to push features and revisions faster than competitors is a competitive differentiator. Deeply embedding security into your application lifecycle gives you a statistically significant advantage.
In general, security adopters fall into three categories:
- Early adopters: Generally, security team driven—policies and guidelines are defined at conception and integrated as the project evolves.
- Customer-driven: Companies push out an offering only to circle back to security after prospects require it.
- Compliance-focused: When targeting a vertical that demands specific compliance frameworks, companies dedicate resources to security.
Why Kubernetes security is different
Developers want less friction when deploying code; Kubernetes was born from that desire. However, making a developer’s life easier results in complexity for DevOps and platform teams. Being able to flag and alert on anomalous activity and events within your container and Kubernetes infrastructure is a requirement.
Sysdig’s 2020 Container Security Snapshot (Sysdig is where I work) found that 58% of containers run as root. If compromised, those containers can allow an attacker broad access across the environment. Furthermore, our 2019 Container Usage Report showed that over 50% of all containers live less than 5 minutes. Add those together and what does that mean forensically? If the root container is only alive for 5 minutes, how do you know what happened while that container was alive? Did it do only what it was supposed to, or was it compromised? Those are difficult questions to answer. Going back to the Puppet 2019 State of DevOps Report, only 38% of respondents who did not integrate security deeply into their application felt their policies and practices improved their security posture (for those who do deeply integrate, 82% felt they did).
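The root-container finding above is something you can check in your own manifests before a pod ever starts. The following is an added example written for this post, not Sysdig's code: it reads a Pod in the JSON shape `kubectl get pod -o json` returns and applies the Kubernetes precedence rule that a container-level `securityContext` field overrides the pod-level one. The manifest and image names are constructed.

```python
"""Audit a Kubernetes Pod manifest for containers that would run as root.

Added example (not Sysdig's code). Precedence rule: a container-level
securityContext field overrides the same field set at pod level.
"""
import json


def _effective(pod_sc, ctr_sc, key):
    """Return the container's effective value for one securityContext key."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def root_containers(pod):
    """Return names of containers (init containers included) that run as root.

    A container runs as root when runAsUser is 0, or when no runAsUser is set
    and runAsNonRoot is not true (then the image's USER, usually root, wins).
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    flagged = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_sc = ctr.get("securityContext", {})
        uid = _effective(pod_sc, ctr_sc, "runAsUser")
        non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0 or (uid is None and non_root is not True):
            flagged.append(ctr["name"])
    return flagged


# Constructed sample: pod-level runAsNonRoot, one hardened container, one
# init container forced to UID 0 (the kubelet rejects that combination, but
# it is still a misconfiguration) and one sidecar that opts back out.
SAMPLE_POD = json.loads("""
{
  "kind": "Pod",
  "metadata": {"name": "billing-api"},
  "spec": {
    "securityContext": {"runAsNonRoot": true},
    "initContainers": [
      {"name": "migrate", "image": "registry.example/migrate:1.0",
       "securityContext": {"runAsUser": 0}}
    ],
    "containers": [
      {"name": "api", "image": "registry.example/api:1.0",
       "securityContext": {"runAsUser": 10001}},
      {"name": "sidecar", "image": "registry.example/sidecar:1.0",
       "securityContext": {"runAsNonRoot": false}}
    ]
  }
}
""")

if __name__ == "__main__":
    for name in root_containers(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}/{name} runs as root")
```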
Need more evidence?
- Per 2019 DORA and Google Cloud research, most teams, regardless of ability or performance, delay integrating automated security testing: less than one-third have integrated security testing into their DevOps toolchain.
- From Flexera’s 2020 State of the Cloud Report, 83% of enterprises indicate security is a challenge.
Containers and Kubernetes demand a new approach to security. Everyone knows security controls are important; however, security is often delayed. Often, people fear that introducing compliance controls or security procedures will just slow everyone down (if you still believe that, reference back to the 2019 State of DevOps Report). Speed is an easy scapegoat. Everyone is under pressure to deliver and adding security controls is often perceived as being a burden. Why?
- Your cloud team may not want to fight organizational inertia or take the time to educate other teams on security and compliance.
- Teams may be asked to “try to use” traditional security processes despite not being able to get the level of visibility into containers required for effective security.
- Cloud teams may need time to get up to speed on security in this rapidly evolving space.
But hope isn’t lost! Security and compliance don’t have to slow development. You can integrate image scanning into registries and your CI/CD toolchain. You can also enforce security policies and get alerts on potential threats without adding manual steps. You can trigger capture files for incident response and forensic investigations based on rules. You can feed alerts and event data directly into commonly used tools (spoiler: Sysdig can help here).
Most businesses run on software, and feature delivery speed is a key competitive lever. The cloud, containers and DevOps are rapidly becoming mainstream. Your team should be skilled at developing, deploying, and securing applications using this new approach, or you could be left behind. To help with that, we invite you to download this FREE book, Learn Kubernetes Security, written by Kaizhe Huang, our security research expert.