Enterprises continue to adopt microservices architectures in pursuit of greater agility, accelerated application deployments, and reduced costs. They are also increasingly likely to prioritize container security as a component crucial to the success of their implementations. And unlike with traditional architectures, the dynamic nature of microservices environments requires security strategies and technologies all their own.
To better understand current enterprise approaches and sentiments toward container security, we surveyed 156 enterprise DevOps professionals attending the recent KubeCon North America conference. The results (available in full here) shed light on key trends in enterprise microservices adoption and security practices.
Among survey respondents, 80% currently manage active container deployments, and 87% had plans for new container deployments over the coming 6-12 months. Unsurprisingly, nearly 90% of those surveyed use Kubernetes to orchestrate their container environments. When it comes to CI/CD pipeline automation tools, a majority use Jenkins as their primary solution, followed by GitLab.
Enterprise DevOps teams increasingly understand the value of shifting left to implement security protections from the beginning of application development – and of embracing a collaborative DevOps culture and processes in order to spur continuous improvement and greater productivity. Three-quarters of respondents see container security as a clear priority within their organizations. That said, respondents were far from unanimous when it came to naming the department responsible for container security within the organization. They offered a similarly diverse – and concerning – range of answers when it came to the issue of balancing container security and CI/CD performance.
Here are four of the most surprising and interesting findings:
1. Container security is a priority, but responsibility for that security is up for grabs.
44% of respondents cited container security among their top priorities, with another third going as far as to say it’s the single most important priority within their organizations. However, enterprise DevOps professionals exhibit no uniformity in the ways they respond to and fulfill this essential need.
When asked what team within the organization ought to hold responsibility for container security, those surveyed were starkly divided: 42% named the security team, 30% the development team, and 28% pointed to operations. The question of who should be responsible for Kubernetes security received a similarly near-even spread of responses among those teams.
2. Sixty-three percent of DevOps professionals would sacrifice security for CI/CD performance.
For all of the prioritizing of security expressed in the earlier survey questions, respondents went on to state a rather worrying willingness to place CI/CD performance above the safety of their container ecosystems. When asked if it’s ever necessary to curtail or restrain security measures in order to maintain high CI/CD velocity, almost two-thirds of respondents said yes. The dangers of this approach must be acknowledged: enterprises that fail to properly prioritize security will risk putting their environments at the mercy of attackers able to exploit countless known and unknown vulnerabilities.
On the other hand, 61% of respondents have properly founded their container security protections atop Kubernetes Pod security policies and/or network security policies. Many then smartly bolster their native policies with additional security measures. The majority utilize vulnerability scanning, while significant numbers leverage network inspection and file access monitoring.
3. The broad variety of container security incident response functions in use speaks to an active solution landscape.
According to the survey, enterprises employ an impressive breadth of tools and strategies to safeguard their Kubernetes environments. While there is still no uniform security approach, many report they do have a range of reliable security incident response measures in place. Used by 32% of respondents, Layer 7 network blocking is the leading tactic. This is followed closely by Layer 3 and 4 network blocking, network packet capture, container process blocking, container file access monitoring and blocking, container quarantining, and others.
4. DevOps teams demand knowledge that can inform their Kubernetes and container security deployments.
Respondents signaled a need for clear information that could light their paths forward as they pursue Kubernetes and container security processes. When asked for their best sources of information on Kubernetes and container security, two-thirds of respondents pointed to the official Kubernetes documentation. 41% of respondents prefer information provided by Kubernetes security vendors, and 39% cited cloud vendor documentation as their source of choice.
Ultimately, the survey paints a picture of an industry where more enterprises than not are highly attentive to the security of their container and Kubernetes environments. That said, the idea that some organizations would clearly place their systems at risk for performance gains is simply a dangerous and ill-fated choice that will catch up with them. With the right security measures in place, an agile and performant pace of development can easily go hand in hand with effective safeguards.