Kubernetes seems to be a security nightmare because it’s super complex to use, and people tasked with using it are struggling to cope, a report from Red Hat has found.
The company polled 300 DevOps, engineering, and security professionals for the paper, and found that 55% postponed launching an app because of security concerns.
Almost all (93%) have had at least one security incident in their Kubernetes environment in the last 12 months, with a third (31%) suffering either revenue loss, or customer loss.
Misconfigurations
"Kubernetes and containers, while powerful, were designed for developer productivity (opens in new tab), not necessarily security," the report says. "Default pod-to-pod network settings, as an example, allow open communication to quickly get a cluster up and running, at the expense of security hardening."
Complex environments lead to misconfigurations, and misconfigurations lead to endpoint (opens in new tab) security incidents.
"Despite extensive media attention over cyberattacks, the report highlights that it's actually misconfigurations that keep IT professionals up at night," Ajmal Kohgadai, Red Hat product marketing manager, said.
"Kubernetes is highly customizable, with various configuration options that can affect an application’s security posture. Consequently, respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments (46%) – nearly three times the level of concern over attacks (16%)."
> Microsoft is working on a whole new kind of Kubernetes (opens in new tab)
> Hackers have found yet another way to attack Kubernetes clusters (opens in new tab)
> NSA, CISA: Here's how we can properly secure Kubernetes (opens in new tab)
It barely hurts Kubernetes’ image or popularity, though. The open-source container orchestration software is being used, or considered, by 96% of organizations, last year’s Cloud Native Computing Foundation report states.
Red Hat is looking to tackle the issue of human error by minimizing human interaction through automation, and has, to that end, acquired StackRox last year. "The StackRox project aims to help simplify DevSecOps by integrating security capabilities within the development and deployment lifecycle, effectively shifting application security "to the left" in software creation," the company said at the time.
- Prevent security incidents with the best firewalls around (opens in new tab)
Via: The Register (opens in new tab)