Kubernetes seems to be a security nightmare because it’s super complex to use, and people tasked with using it are struggling to cope, a report from Red Hat has found.
The company polled 300 DevOps, engineering, and security professionals for the paper, and found that 55% postponed launching an app because of security concerns.
Almost all (93%) have had at least one security incident in their Kubernetes environment in the last 12 months, with a third (31%) suffering either revenue loss, or customer loss.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
"Kubernetes and containers, while powerful, were designed for developer productivity (opens in new tab), not necessarily security," the report says. "Default pod-to-pod network settings, as an example, allow open communication to quickly get a cluster up and running, at the expense of security hardening."
Complex environments lead to misconfigurations, and misconfigurations lead to endpoint (opens in new tab) security incidents.
"Despite extensive media attention over cyberattacks, the report highlights that it's actually misconfigurations that keep IT professionals up at night," Ajmal Kohgadai, Red Hat product marketing manager, said.
"Kubernetes is highly customizable, with various configuration options that can affect an application’s security posture. Consequently, respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments (46%) – nearly three times the level of concern over attacks (16%)."
It barely hurts Kubernetes’ image or popularity, though. The open-source container orchestration software is being used, or considered, by 96% of organizations, last year’s Cloud Native Computing Foundation report states.
Red Hat is looking to tackle the issue of human error by minimizing human interaction through automation, and has, to that end, acquired StackRox last year. "The StackRox project aims to help simplify DevSecOps by integrating security capabilities within the development and deployment lifecycle, effectively shifting application security "to the left" in software creation," the company said at the time.