Today, StackRox published its State of Kubernetes and Container Security Report, Winter 2020 edition (download your full copy here) - a first of its kind. Based on responses from more than 540 Kubernetes and container users across IT security, DevOps, engineering, and product roles, the report provides insights into how organizations are adopting containers and Kubernetes and the security impact of that adoption.
Of all the survey responses, five findings stand out as the biggest surprises.
1) Nearly half the organizations have delayed deploying containerized apps into production due to security concerns.
Organizations are rapidly embracing cloud-native technologies for their advantages, from enabling faster development and deployment to quicker bug fixes and patches, leading to faster feature delivery that drives competitive differentiation. According to our survey results, faster application development and release is considered the biggest benefit of containerization, but 44% of the respondents have had to delay deploying an application due to security concerns. This result indicates that a lack of adequate security can directly compromise the core benefit of containerization and slow business innovation and growth.
2) Only 6% of organizations have avoided any security incident in their container and Kubernetes environments.
Security incidents are very common in container environments, with 94% experiencing some incident - 69% misconfiguration, 27% runtime threat, and 24% a major vulnerability (respondents could select multiple responses). The fact that nearly everyone has had a security problem helps explain the previous finding, that nearly half of respondents had delayed an application deployment because of security concerns.
3) Despite maturing container strategies, security remains the number one concern with container strategies.
For the third time in a row in this StackRox survey, inadequate investment in security leads the list of concerns users have about their company’s container strategy (37%). When combined with not taking the threats to containers seriously (14%), more than half of respondents identify security as their biggest source of concern.
On a positive note, only 6% of respondents said they have a non-existent container strategy, a drop from 19% just six months ago, while 14% said they have an advanced container strategy, up from 11% six months ago.
4) Multi-cloud deployments grew for the third time in a row, but continue to trail single-cloud strategies. Hybrid models continue to dominate.
The number of organizations deploying containers across multiple clouds grew slightly from 32% six months ago to 35% today. That number significantly trails the 51% who run containers in a single cloud provider.
Hybrid models have emerged as the most dominant architectural approach to deploying containers, with 46% running containers both in their on-premises data centers and in one or more public cloud providers’ data centers, compared to 40% running in cloud-only and 14% running in on-premises alone.
5) Adoption of managed Kubernetes offerings from public cloud providers sees massive growth.
As expected, Kubernetes continues to dominate the container orchestration market. More surprising is the growth in popularity of managed Kubernetes offerings from the likes of AWS, Google Cloud, and Microsoft Azure. Six months ago, nearly half (43%) of respondents managed at least some of their containers using self-managed Kubernetes. Today, that number has dropped by 20% to just 35%.
Amazon’s Elastic Kubernetes Service (EKS) sits at the top with the highest adoption rate (37%). Google Kubernetes Engine (GKE) was the fastest growing managed Kubernetes service, achieving a 21% adoption rate at a growth rate of 75% over the last six months. Like GKE, Azure Kubernetes Service (AKS) also showed 21% adoption amongst respondents, marking a growth rate of 31% over the last six months.
Six of the top seven container orchestrators are Kubernetes, with Amazon’s Elastic Container Service (ECS) dropping two spots to third place and seeing a 7% decrease in adoption from six months ago.
Implications for container and Kubernetes security
The findings in this survey make clear that organizations are putting at risk the core benefit of faster application development and release by not ensuring their cloud-native assets are built, deployed, and running securely. With the prevalence of misconfigurations across organizations, security must shift left to be embedded into DevOps workflows instead of “bolted on” when an application is about to be deployed into production. With nearly half of our respondents delaying production rollouts because of security concerns, clearly a lack of security is inhibiting business acceleration and innovation. Download the full report to gain further insights into the state of Kubernetes and container adoption and security.