Container Security Concerns Persist
Application containers and other microservices are handling production workloads at an increasing rate, but several studies emphasize that container security lags. The latest, a survey released by container and Kubernetes security specialist StackRox, concludes that risks around runtime attacks and misconfigurations highlight the reality that container security strategies remain “woefully low in maturity.”
Half of container adopters said their company either doesn’t adequately invest in container security (35 percent) or does not take threats to application containers seriously (15 percent). Most respondents said their company lacks a workable container security strategy even as adoption surges.
“Companies should push to incorporate container security measures as early in their adoption as possible, especially given the opportunity for improved security that containers create,” said Mark Bouchard, an industry analyst with the consulting firm CyberEdge Group.
The leading container security concern (54 percent) is misconfigurations of Kubernetes cluster orchestrator deployments. For example, cloud security specialist RedLock reported last year that hackers exploited Kubernetes container orchestrators deployed on Amazon Web Services (NASDAQ: AMZN), Microsoft Azure (NASDAQ: MSFT) and Google Cloud Platform (NASDAQ: GOOGL). None were password protected.
The other major container security concern is runtime threats once applications and microservices are deployed. Given concerns about misconfigured containers, the survey authors said runtime threats were a surprise since misconfigurations happen during the “build” phase.
“Perhaps the take-away is that [microservices adopters will] lock down the environment as best they can but still feel the risk of the unknown in runtime,” the report concluded. “It's crucial that the security tooling for this infrastructure automatically flags the most well-known misconfigurations across the full ecosystem,” Bouchard added.
Along with growing security threats, the survey also provides new statistics on where companies are running containers in production. Likely reflecting those concerns, early adopters are keeping application containers in-house, with more than 70 percent of survey respondents saying they are running containers in their own data centers.
Despite associating containers with “infrastructure portability,” only 28 percent said they were running containers only in the cloud, while 40 percent reported hybrid deployments.
Of those, 53 percent were using AWS with Microsoft Azure (25 percent) and Google Cloud Platform (18 percent) far behind. The survey noted that Google’s leadership in container usage and its development of Kubernetes technology has not translated into success competing for enterprise cloud services. (Google announced last week that cloud CEO Diane Greene will step down, to be replaced by ex-Oracle executive Thomas Kurian.)
Amazon’s cloud dominance and the preference for hybrid deployment to help secure applications also translates into gains for the cloud leader when it comes to managing container services. The StackRox survey found that more than two-thirds of respondents are managing their own clusters while 48 percent are using either Amazon Elastic Container Service (ECS) or ECS for Kubernetes.
“The rapid adoption of Amazon’s EKS—Elastic Container Service for Kubernetes—is noteworthy, given many of these respondents took our survey within weeks of EKS going into general availability,” the container security survey noted.