Kubernetes adoption creates new cybersecurity challenges

To maintain a competitive edge, modern organizations are evolving toward highly scalable, flexible and resilient applications – leading to the widespread adoption of cloud native technologies like Kubernetes, according to Venafi.

Security challenges in cloud native environments

In fact, 84% of security and IT leaders believe that Kubernetes will soon be the main platform used to develop all applications. However, amid the rush to transition to these modern environments, many development teams are putting security on the back burner, creating new risks and opportunities for nefarious cybercriminals.

Venafi’s survey found that organizations are grappling with the unique risks of cloud native environments when it comes to security – with three-quarters of survey respondents reporting that they believe we are heading towards a cloud reckoning in terms of costs and security.

“Balancing speed and security is no easy feat, but it’s a necessity for organizations today,” said Kevin Bocek, VP of ecosystem and community at Venafi. “It’s critical for security and platform teams to get cloud native security right – there is no perimeter, no pull-the-plug in the cloud. The foundation then of cloud native security is strong machine identity management. Without machine identities like TLS, SPIFFE and code signing certificates, we wouldn’t be able to authenticate one cloud from another or authorize one container from another. The findings from Venafi’s new survey indicate that organizations are not prepared for the demands and risks that these modern architectures bring.”

Security-related issues within Kubernetes

Organizations are moving to the cloud but are doing so blindly without prior consideration for cloud native security in mind. 87% of security and IT leaders have started moving legacy applications to the cloud; however, 59% of those leaders did not understand the associated security risks.

In fact, 59% of respondents admit to having experienced security-related issues within Kubernetes or container environments. Moreover, three-quarters of respondents acknowledged that the speed and complexity of Kubernetes and containers create new security blind spots.

For 33% of respondents, security issues delayed an application launch, while 32% experienced disruption to application services. Security and IT leaders cite the main causes of Kubernetes and container security issues as network breaches (42%), API vulnerabilities (41%) and certificate misconfiguration (39%).

Unclear ownership of cloud native security

Despite acknowledging these cloud-native security issues, there needs to be clear delineations around ownership from beginning to end. For example, 85% of security teams report setting the strategy for managing security risk and governance across cloud-native environments.

However, the actual implementation of security tools, governance, and policies are split among development, security, and platform teams, with a slight majority going to the development teams (41%).

What’s more, 74% of respondents worry that developers are challenged with several conflicting priorities, so security is not always top of mind. Finally, 90% believe security teams need to increase their understanding of cloud native environments to ensure applications are secure.

It’s clear that better management of machine identities can help solve for the tradeoff between speed and security. For example, 70% of security and IT leaders believe that software supply chain attacks are their biggest security blind spot.

Additionally, 85% believe that continuous security validation to the CI/CD pipeline is vital to reducing the risk of vulnerabilities going undetected during the software development lifecycle.

61% acknowledge they cannot issue certificates at the speed needed in Kubernetes and service mesh. Finally, 88% believe that machine identity management is essential to the success of zero-trust models.