Organisations struggling to ensure container security, reveals study
10 January 2019
Over half of all organisations that have deployed containers have suffered container security incidents in the past year, and almost half of such organisations have deployed containers without assessing whether those containers have security vulnerabilities, a survey from Tripwire has revealed.
In December, Portworx’s 2018 Annual Container Adoption Survey revealed that container adoption by organisations grew so quickly in 2018 that, while only 58% of IT teams at enterprises were running containers in 2017, the figure rose to over 80% by the end of 2018.
The survey further revealed that the percentage of organisations investing in container solutions rose from 57% in 2017 to 91% in 2018, with 12% of all organisations spending in excess of $1 million annually on containers compared to just 4% in 2017.
Container adoption outpacing container security
However, the security of containers vis-a-vis existing challenges has not kept pace with the current rate of adoption. According to a new survey of over 300 IT security professionals carried out by Tripwire in partnership with Dimensional Research, 60% of organisations that have deployed containers suffered container security incidents in 2018.
What’s worrying is that many organisations (47%) have deployed containers even though their IT teams were aware of security vulnerabilities in certain containers prior to deployment. At the same time, 47% of IT professionals told Tripwire that their organisations adopted containers without assessing whether the containers featured security vulnerabilities or not.
The lack of attention paid to container security, or the priority organisations give to the efficiency of container technologies over their vulnerabilities, suggests that organisations will continue to suffer container security incidents in the coming years.
According to security firm Red Hat, in order to secure their containers from cyber threats, organisations must secure the container pipeline and applications, secure container deployment environments and infrastructure, and integrate containers with enterprise security tools while enhancing existing security policies.
“Containers are popular because they make it easy to build, package, and promote an application or service, and all its dependencies, throughout its entire lifecycle and across different environments and deployment targets. But there are still some challenges to container security.
“Static security policies and checklists don’t scale for containers in the enterprise. The supply chain needs more security policy services. Teams need to balance the networking and governance needs of containers. Build and runtime tools and services need decoupling. By building security into the container pipeline and defending your infrastructure, you can make sure your containers are reliable, scalable, and trusted,” the firm says.
Despite risks, organisations rushing to deploy containers
The Tripwire survey also revealed that several organisations have deployed a large number of containers despite not being able to secure them properly. Of organisations that have deployed 100 or more containers, 75% have reported security incidents, and 98% of IT professionals believe they need additional security capabilities to secure containers, suggesting that existing security policies are not sufficient.
“It’s concerning, but not surprising, that nearly half of the respondents said they knowingly deploy vulnerable containers. With the increased growth and adoption of containers, organisations are feeling the pressure to speed their deployment,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“To keep up with the demand, teams are accepting risks by not securing containers. Based on what this study found, we can see that the result is a majority of organisations experiencing container security incidents.
“There’s a belief that you have to accept a significant amount of risk to take advantage of containers, but that’s not true. Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production,” he adds.