Container security is a priority, but who’s responsibility is it?
NeuVector released a survey that identifies current trends and challenges enterprises are grappling with as they increasingly turn to microservices architectures.
Among respondents, 80% currently manage active container deployments and 87% are planning new container deployments over the next 6-12 months.
Close to 90% of respondents utilize Kubernetes for container orchestration, and the majority name Jenkins their primary CI/CD pipeline automation tool (GitLab is second most-popular, with no other tool garnering more than 10%).
When it comes to the role that security plays as more enterprises shift left to protect applications from the beginning of development, implement DevOps processes and cultures, and accelerate workflow productivity, 76% of respondents report that container security is a clear priority at their organization.
However, questions over container security responsibilities within enterprises, how to balance security with performance, and how to respond to security incidents are far from settled.
There is little consensus on who owns the responsibility for container security: Among respondents, 32% consider container security their organization’s single most important priority as they roll out containers and Kubernetes initiatives; another 44% report it as among their top priorities. That said, enterprises are mixed in how they are addressing security.
In questions asking which team should be responsible for securing container environments and Kubernetes, respondents split their answers among security (42%), development (30%), and operations (28%) roles.
Nearly two-thirds of respondents would curtail security to maintain high CI/CD velocity: Somewhat contrary to respondents’ stated prioritization of security, 63% of respondents acknowledge that they would curtail or restrain security measures in order to maintain high velocity production. This risky proposition increases the potential that enterprises will face repercussions from known and unknown vulnerabilities.
On a positive note, 61% of respondents do use Kubernetes Pod security and/or network security policies, and many supplement those native policies with vulnerability scanning, along with network inspection and blocking.
Security incident response functions used in Kubernetes environments are all over the map: To protect critical applications and data when incidents do occur, enterprises are leveraging a broad range of tools and strategies.
While Layer 7 network blocking leads the way as a tactic employed by 32% of respondents, nearly as many have adopted Layer 3 and 4 network blocking, network packet capture, container process blocking, file access monitoring, or container quarantining.
Container security responsibility: Additional findings
Interestingly, DevOps respondents indicated a crucial need for information as they deploy Kubernetes and pursue container security measures. Two-thirds report relying on official Kubernetes documentation as their best source of information, while 41% leverage information from Kubernetes security vendors, and 39% turn to documentation from cloud vendors.
“As container security breaches continue to make headlines, we are pleased that a majority of enterprises leveraging containerized environments name security among their highest priorities,” said Fei Huang, Chief Strategy Officer at NeuVector.
“At the same time, the fact that a disproportionate number of enterprises would sacrifice security for productivity is both troubling and misguided. We advise organizations to recognize security as essential to the success of their container and Kubernetes implementations, and to select security capabilities that can enable development agility while still achieving fully reliable protection.”