While it’s come a long way over the past year, Kubernetes security has not yet reached maturity. But judging from the level of investment in 2021 into technologies for securing Kubernetes—the now-dominant container orchestration platform—enterprises can expect major advancements in the area during the coming year.
Originally launched as an open source project by Google in 2014 and now under the domain of the Cloud Native Computing Foundation, Kubernetes automates numerous processes involved in management and deployment of containerized applications. Developers have increasingly gravitated to the platform, which helps to support a modern approach to application development using a microservices architecture.
Still, when it comes to securing Kubernetes, a new set of challenges emerges. With Kubernetes, “it’s really difficult to divorce the code development and the application development from the underlying architecture,” said Frank Dickson, program vice president for security and trust at IDC.
In other words, the best way to secure Kubernetes is by going back and fixing base code when vulnerabilities are detected. This is a big part of why the concept of “shift left”—or moving security to the start of the application development process—has become such a theme in the application security space, Dickson said.
The fact that “shift left” has caught on suggests that big strides can now be made in terms of Kubernetes security, he told VentureBeat. Getting companies to grasp that securing containerized apps will involve bringing security earlier into the app development lifecycle is a crucial step.
“We don’t yet know all the answers to the problem,” Dickson said. “But we’ve finally started to understand the questions.”
A survey by the Cloud Native Computing Foundation found that 83% of respondents were using Kubernetes in production in 2020, up from 78% the previous year and 58% in 2018. But that’s made the platform a tempting target for cyber attackers: A survey by Red Hat in June found that 94% of respondents had suffered a Kubernetes security incident over the previous 12 months.
“When we ran everything on a Windows box or a Linux box, we could get into the machine and do whatever we needed to do. Containers don’t work like that,” said George Burns, senior consultant for cloud operations at SPR. “If we don’t give them instructions for security, they don’t have any. Kubernetes itself is an amazing tool. But the way it handles some security is not the best.”
Thus, in many ways, the innovation engines around Kubernetes security are just getting revved up now.
While securing traditional applications follows “very established processes, securing containers does not,” Burns said. “A lot of the innovation that we will see over the next several cycles will be regarding container security.”
At Aqua Security, a vendor that has specialized in container security since its launch in 2015, the past year has seen both increased Kubernetes security adoption and “a shift in the scale of the projects that are being deployed into Kubernetes,” said CEO Dror Davidoff.
The company is one of many in the Kubernetes security space that raised major rounds of funding in 2021, with its $135 million series E round at a $1 billion valuation in March.
Others include Snyk, which raised a $530 million series F round at an $8.5 billion valuation in September; Wiz, which raised a $250 million series C round at a $6 billion valuation in October; Orca Security, which extended its series C round to $550 million at a $1.8 billion valuation in October; Lacework, which raised $1.3 billion in November at an $8.3 billion valuation; and Sysdig, which raised a $350 million series G round at a $2.5 billion valuation in December.
Earlier-stage companies working in the Kubernetes security space include Armo, which has seen more than 20,000 downloads for its open-source tool Kubescape. The tool enables developers to instantly scan Kubernetes environments for misconfigurations and vulnerabilities. Armo came out of stealth with $4.5 million in seed funding in January.
In Kubernetes security, “we’ve got a number of companies that are coming to bring new and innovative technologies,” Dickson said. “So we’re not just doing what we once did. We’re now starting to use some really elegant new approaches.”
Companies such as Orca Security and Wiz are leveraging block storage in the cloud to be able to take a snapshot of Kubernetes clusters and then analyze them, without the need for an agent, he said. Other examples include a Linux technology called eBPF, which enables the Linux kernel to be more programmable, enhancing security for Kubernetes environments, he said.
“What we’re starting to see is a host of new technologies being applied to securing Kubernetes,” Dickson said.
Meanwhile, publicly traded security firms including Check Point, Palo Alto Networks, and Qualys told VentureBeat they’ve been doubling down on the addition of Kubernetes security capabilities in 2021. In June, for instance, Check Point announced the expansion of its CloudGuard workload protection platform to include container security, with capabilities including a “shift-left” tool to secure container and serverless functions prior to deployment.
A big opportunity
Despite the new challenges with securing Kubernetes, deployment of containers does have potential security advantages thanks to its “code-based” approach, said Qualys CEO Sumedh Thakar. That affords companies “opportunities to do security better than in a traditional environment” through techniques such as infrastructure as code (IaC) scanning, Thakar said.
“That’s really the exciting part of cloud and container—that we have opportunities to reduce our risk earlier and earlier in the ‘shift left’ environment,” he said.
The bottom line with Kubernetes security, Dickson said, is that “we’re not necessarily mature. You could say that we’re in our adolescence.”
“As these new technologies are coming into our Kubernetes security solutions, we have to figure out what they are, and then we have to integrate them into our application development processes,” he said. “And so it’s going to take some time to figure out how we integrate all those into a workflow that doesn’t slow down application development.”