‘DevOps isn’t working’: security and cost issues hamper Kubernetes
Kubernetes has become a platform almost universally loved by developers, with 84% of IT and security professionals believing it will soon be the de facto system used to develop all applications.
However, a new report by security firm Venafi reveals that developers are set for a reckoning as they deal with unforeseen costs and security risks.
Kubernetes is a portable, extensible, open-source platform for managing containerised workloads and services across cloud environments. Many firms are now using it to facilitate the automation and scaling of software deployment.
However, Venafi’s report — detailing the findings of a global survey of 800 security and IT leaders from large organisations across the US, UK, France and Germany — has found that its users are unprepared for the challenges associated with moving to the open-source platform.
According to the report’s findings, almost 60% of respondents who completed a cloud migration admitted that they didn’t understand the security risks involved.
While most respondents (almost 90%) have started to move legacy apps to the cloud, over half of those that have done so admit that they failed to refactor them using cloud native technologies.
As a result, over half of respondents that have migrated apps without refactoring have suffered from bill shock and cloud sprawl. This has led 77% to reconsider their move to cloud entirely, with almost the same number believing that the industry is heading for a cloud reckoning in terms of costs and security.
And their instincts may be right: more than half (59%) of respondents report experiencing security incidents within Kubernetes or container environments — with network breaches, API vulnerabilities and certificate misconfigurations being the leading causes.
The report added that approximately 30% of organisations that experienced a Kubernetes or container security incident said it led to a data breach or network compromise. These security incidents have impacted productivity, with 33% reporting having to delay an application launch, 32% experiencing disruption to their application service, and 27% suffering a compliance violation.
Perhaps because of these experiences, most respondents (90%) thought security teams needed to increase their understanding of cloud native environments to ensure applications are secure.
These security concerns have led 68% of respondents to believe that DevOps isn’t working in practice because security is still a speed bump: over half of developers lack the ability to automate security, the report found, leading to difficulties in managing security across multiple clusters.
“Cloud native is the way of the future,” said Matt Barker, global head of cloud native services at Venafi. “But amid the rush to transition to these modern environments, many organisations are underestimating the work needed to deliver efficiency and security.
“As organisations continue to move more critical workloads into cloud native environments, they need to ensure they close these gaps, or we will see even more breaches and outages,” he added.
According to Venafi, one of the key challenges highlighted by its research is the issue of responsibility and control.
85% of respondents agree that continuous security validation in the CI/CD pipeline is vital to reducing the risk of vulnerabilities going undetected during the software development lifecycle.
But while security teams still control the overall strategy for cloud native security, the implementation of those controls within cloud native environments often rests with development and platform teams, which may have conflicting priorities, meaning that security is not always a priority.
“Balancing speed and security is no easy feat, but it’s a necessity for organisations today,” said Kevin Bocek, VP of ecosystem and community at Venafi.
“It’s critical for security and platform teams to get cloud native security right – there is no perimeter, no pull-the-plug in the cloud,” he added.