A majority of organizations understand the importance of modern security in cloud native deployments, but few seem to be following through on that. 

According to a new survey from the Cloud Native Computing Foundation (CNCF), 85% of respondents consider modern security to be of the utmost importance. However, only 9% of those surveyed had a documented set of procedures that are implemented automatically for their teams. This shows a disconnect in the industry between recognizing the importance of having these policies in place and adopting or developing the tooling that eases their implementation.

In addition, 12% of those surveyed said that their policies and processes for securing third-party software were virtually non-existent. This leaves these organizations exposed, and the resulting firefighting can lead to overworked and burned-out employees. When employees find themselves in this state, they are much less likely to improve security or innovate within the organization.

The survey received more than 125 responses from different organizations. The full report can be found here and includes more details on organizations’ biggest concerns, challenges, and missteps, as well as the state of cloud native security at the edge.

In addition to this, the Security Technical Advisory Group (TAG) also completed its own retrospective survey following the release of its Cloud Native Security Whitepaper. The survey received more than 70 responses; however, 47% of those surveyed preferred not to disclose security-related incidents. For those that were willing, the top two incidents were reported as vulnerabilities being exploited or cryptocurrency miners. Only 4% of participants responded that they had witnessed a ransomware attack.

The retrospective survey also showed that 85% of those surveyed requested that the community focus on secure defaults, with 60% of participants requesting more focus on automated tooling and reference guides. Participants also reported that Kubernetes defaults are “too open”, requiring effort and maturity to secure in production. 

According to respondents, there are four ways they believe this issue should be addressed:

  1. Work on providing production-ready recipes such as network policies and OPA Gatekeeper constraint templates.
  2. Push for more buttoned-up defaults, such as disabling auto-mounting of service account tokens.
  3. Introduce friendlier docs on how to increase observability and use OPA Gatekeeper.
  4. Use new open source tools to identify image vulnerabilities both at runtime and in the registry.
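Items 1 and 2 fit together: a Gatekeeper constraint template is the "recipe" that enforces the secure default. The following is an added illustration, not code from the survey or the Security TAG, of a ConstraintTemplate and Constraint that reject any Pod that does not explicitly set `automountServiceAccountToken: false`, plus a minimal Pod that passes; the template, constraint and pod names are chosen here for the example.

```yaml
# Added example: enforce "no auto-mounted service account token" with OPA Gatekeeper.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisableautomountsatoken        # example name
spec:
  crd:
    spec:
      names:
        kind: K8sDisableAutomountSAToken  # kind of the Constraint below
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisableautomountsatoken

        # A violation is raised unless the pod spec explicitly sets the field to false.
        # An absent field counts as a violation because Kubernetes defaults it to true.
        violation[{"msg": msg}] {
          input.review.object.kind == "Pod"
          not input.review.object.spec.automountServiceAccountToken == false
          msg := sprintf("Pod %v must set spec.automountServiceAccountToken: false",
                         [input.review.object.metadata.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisableAutomountSAToken
metadata:
  name: pods-must-not-automount-sa-token  # example name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # System namespaces are excluded so that cluster components that need the token keep working.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
---
# A pod that satisfies the constraint: the token is not mounted unless a workload opts in.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                       # example name
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example/app:1.0.0   # placeholder image
```

Applying the template and constraint with `kubectl apply` and then creating a Pod without the field produces an admission denial carrying the `msg` text; workloads that genuinely need API access can opt back in per pod and be reviewed case by case.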

Based on these responses, the Security TAG is working on key efforts. You can read more about the retrospective survey findings here. The Cloud Native 8 is the first attempt to offer the community clear guidance on secure defaults, and a public comment period on the topic is currently open and will close on Oct. 31.