Red Hat Kubernetes security report finds people are the problem
Puny human brains baffled by K8s complexity, leading to blunder fears
Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us.
The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity.
Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.
According to Red Hat's State of Kubernetes security for 2022 report [PDF], the majority of 300 DevOps, engineering, and security professionals survey respondents (55 per cent) said they had to delay the debut of an application in the past 12 months because of security concerns.
Fully 93 per cent of respondents reported at least one security incident in their Kubernetes environment in the past 12 months, with 31 per cent saying this led to revenue or customer loss. The report from IBM's Red Hat lays the blame on Kubernetes' focus on productivity rather than security.
"Kubernetes and containers, while powerful, were designed for developer productivity, not necessarily security," the report says. "Default pod-to-pod network settings, as an example, allow open communication to quickly get a cluster up and running, at the expense of security hardening."
The Layer Eight problem
Such complexity contributes to human error and leads to a lot of fumbled implementations of the software, to some degree.
Red Hat's report says "human error was a major contributing factor in 95 per cent of breaches," citing a World Economic Forum report [PDF] that says "95 per cent of cybersecurity issues can be traced to human error." That report in turn points to a World Economic post that says "studies show that 95 per cent of cybersecurity issues can be traced to human error" – without citing any specific studies.
Whatever the relevant figure, people are involved somewhere along the line and they don't handle complexity all that well. So, says Ajmal Kohgadai, Red Hat product marketing manager, Kubernetes users tend to be more worried about typos than hackers.
"Despite extensive media attention over cyberattacks, the report highlights that it's actually misconfigurations that keep IT professionals up at night," he said in a blog post. "Kubernetes is highly customizable, with various configuration options that can affect an application’s security posture. Consequently, respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments (46 per cent) – nearly three times the level of concern over attacks (16 per cent)."
- Red Hat makes OpenShift a key part of its edge initiative
- Dockershim deprecated with release of Kubernetes 1.24
- Containers may be more effective than VMs for hybrid apps – Gartner
- Open-source leaders' reputations as jerks is undeserved
Red Hat's answer to this is to automate configuration management as much as possible to reduce the impact of human error.
Toward this end, Red Hat has taken its Advanced Cluster Security (ACS) for Kubernetes, acquired last year via its purchase of StackRox, and released the software as open source under the name of the company that made it.
"The StackRox project aims to help simplify DevSecOps by integrating security capabilities within the development and deployment lifecycle, effectively shifting application security "to the left" in software creation," said Red Hat in its announcement.
The software analyzes container environments for risks, presents alerts, and offers security improvement recommendations.
But before companies can automate Kubernetes, they need people who know what they're doing to write the scripts and configuration files. And finding folks to do that turns out to be the top Kubernetes pain point, cited by 30 per cent survey respondents: "We lack internal talent to use it to its full potential." ®
- Advanced persistent threat
- Black Hat
- Bug Bounty
- Cloud native
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Remote Access Trojan
- Trusted Platform Module
- Zero trust