By: David Bisson
April 30, 2020
Misconfigurations – The Most Common Security Incident Involving Your Containers and Kubernetes
Organizations continue to struggle with the ongoing challenge of securing their Kubernetes and container environments. Unfortunately, organizations don’t always emerge successful from that fight. That’s because even the best intentions sometimes don’t prevent organizations from suffering a security incident.
But this raises some important questions. Who’s experiencing these security incidents, for instance? And what are the driving factors behind these events?
StackRox sought to find this out in its State of Container and Kubernetes Security Report. This third edition of StackRox’s report compiled the responses from more than 540 IT professionals. Those results provide crucial insight into the issues that continue to plague organizations in their efforts to protect their Kubernetes and container environments.
Kubernetes Security Incidents A-Plenty
As reported by TechRepublic, 94% of respondents told StackRox that their employer had suffered a security event in the past 12 months. Those events had a notable impact on organizations’ ability to enjoy the benefits of deploying containers and Kubernetes. Indeed, 39% of respondents said that they had decided to deploy containers and Kubernetes primarily to enjoy faster application development and release times.
Organizations had other reasons, too. As Sumo Logic noted on its blog, Kubernetes allows organizations to optimize the costs of managing a container-based IT environment. It lets organizations schedule and pack containers in a manner that takes available resources into account, thus sparing admins from wasted time and effort that comes from over-provisioning their environment. Organizations can thus use those saved resources to optimize their IT investments and to help support their migration to a multi-cloud or hybrid cloud strategy.
Security concerns have gotten in the way of organizations realizing those benefits, however. In StackRox’s study, 44% of respondents said that their employers had delayed deploying apps into production due to security concerns. Organizations therefore didn’t become as agile as they had hoped, a delay that no doubt held back their respective digital transformations.
The Sources of These Security Events
For a majority of respondents, the security incidents at their organizations traced back to a single source: misconfigurations. These events arise when a Kubernetes environment doesn’t have the proper security-minded settings in place. Take the Kubernetes administrative console, for instance. As Threat Stack explains on its blog, a failure to configure the console’s API properly or to use strong credentials can give attackers an opportunity to hide behind the DNS systems. They can then abuse that position to furtively initiate cryptomining malware or engage in malicious activity without fear of being spotted.
As the above example indicates, misconfiguration incidents can arise from a variety of issues. It’s therefore not surprising that these errors were the cause of security events for 69% of participants in StackRox’s study. As such, misconfigurations as a source of security incidents dwarfed events that occurred during runtime and instances in which organizations needed to remediate a vulnerability at 27% and 24%, respectively.
Some organizations didn’t just experience one type of security incident, either. Close to a fifth (18%) of IT professionals told StackRox that their employer had suffered at least one major security incident in addition to a misconfiguration event over the past 12 months. Meanwhile, five percent of survey respondents revealed that their employers had experienced all three types of security events over the same period of time.
Fighting the Good Fight…Sort of
Fortunately, there’s hope for the future. StackRox’s survey found that organizations’ container security strategies are maturing. Indeed, the number of respondents with an intermediate or advanced strategy jumped from 41% to 48% in the latest study—a growth rate of 17%. Concurrently, the percentage of respondents without any form of security strategy dropped by close to three quarters from 19% to six percent.
That’s the good news. The bad news is that organizations are still not investing enough in their container and Kubernetes security. In StackRox’s study, inadequate investment in security led a list of container strategy concerns at 37% of respondents. When combined with fears that their organizations weren’t taking threats to their containers seriously (14%), more than half of respondents identified security as their biggest source of worry.
The Way Forward for Organizations
Clearly, organizations need to invest more in their container security. But how can they do that so that they can make meaningful progress in minimizing their container and Kubernetes security risks, especially misconfigurations?
Organizations can begin by taking container and Kubernetes security into consideration from the very beginning. As quoted by TechRepublic from StackRox’s survey:
"With the prevalence of misconfigurations across organizations, security must shift left to be embedded into DevOps workflows instead of 'bolted on' when the application is about to be deployed into production. With nearly half of our respondents delaying going into production because of security concerns, clearly a lack of security is inhibiting business acceleration and innovation."
The work doesn’t end there. Organizations can complement their security-minded focus by following Kubernetes security best practices. Kubernetes notes on its blog that these guidelines should include updating Kubernetes to the latest version, continuously scanning the environment for security flaws and limiting direct access to nodes.
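An added example (not from the article or the StackRox report) of the shift-left idea above: a check that a CI job could run on a workload manifest before it is deployed. The settings it flags are a selection chosen here from standard Kubernetes pod-spec fields, and the sample manifest is constructed.

```python
import sys

# Constructed sample Deployment (not from the report), as parsed from JSON/YAML.
SAMPLE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "registry.example.com:5000/web",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "example/sidecar:1.4.2",
             "securityContext": {"privileged": True, "runAsNonRoot": False}},
        ],
    }}},
}

def pod_spec(manifest):
    """Return the pod spec for Pod, CronJob and template-based workloads."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def audit(manifest):
    """Return (scope, finding) pairs for a selection of risky settings."""
    pod = pod_spec(manifest)
    pod_ctx = pod.get("securityContext", {})
    findings = [("pod", f"{flag} is enabled")
                for flag in ("hostNetwork", "hostPID", "hostIPC") if pod.get(flag)]
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, ctx = c.get("name", "?"), c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append((name, "privileged container"))
        # Kubernetes allows privilege escalation unless it is explicitly disabled.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        # A container-level runAsNonRoot overrides the pod-level value.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append((name, "runAsNonRoot not enforced"))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # ignore a registry port such as :5000
        if "@" not in image and (":" not in last or last.endswith(":latest")):
            findings.append((name, "image tag missing or 'latest'"))
    return findings

if __name__ == "__main__":
    results = audit(SAMPLE)
    for scope, finding in results:
        print(f"{scope}: {finding}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step
```

The "web" container passes the runAsNonRoot check only because it inherits the pod-level setting, while "sidecar" overrides that setting and is flagged.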
About the Author: David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.