With the help of the CNCF Security Technical Advisory Group (TAG), CNCF recently conducted a microsurvey of the community to see how organizations are managing cloud native security. 

Overall, the report shows that organizations recognize the differences between traditional and modern security in cloud native architectures, and see the value in modern, cloud native security. An overwhelming 85% of respondents indicated that modernizing security is very important to their organization’s cloud native deployment. No one indicated that it is not important.

However, only 9% had a fully documented set of procedures that are implemented automatically for their teams. So, while organizations recognize the importance of having these policies in place, there is still a very long way to go as a community to increase adoption and develop tooling to ease the burden of implementation.  

Even worse, 12% of organizations said their processes and policies for securing third-party software were non-existent. Many organizations are leaving themselves vulnerable. In these cases, employees are likely overworked, burned out, dealing with fires, and playing catch-up before another incident happens. They are much less likely to proactively improve security or innovate in that space.

The microsurvey received more than 125 responses.

See the full results of the microsurvey here. The report includes more details on organizations’ biggest concerns, challenges, and missteps, and the state of cloud native security at the edge.

The Security TAG also recently completed its own retrospective survey following the release of its Cloud Native Security Whitepaper.

The retrospective survey received more than 70 responses and found that:

  • Because of the recent focus on supply chain security, participants noted vulnerability management and secrets management as the top two cloud native security-related concerns .
  • 47% of participants preferred not to disclose security-related incidents. For those that were will, the top two incidents were vulnerabilities being exploited or cryptocurrency miners. Interestingly, only 4% of participants noted that they had witnessed a ransomware attack.
  • 85% of participants requested the community to focus on secure defaults, with 60% of participants requesting more focus on automated tooling and reference guides each.
  • Although participants are happy with the work community and CNCF is doing, Participants pointed out that Kubernetes defaults are “too open”, requiring effort and maturity to secure in production. Responses recommended that the cloud native security community should address this in 4 ways:
    • Work on providing production-ready recipes like network policies and OPA Gatekeeper constraint templates.
    • Push for more buttoned-up defaults like disabling auto-mounting service account tokens and enabling audit logging.
    • Introduce friendlier docs on how to increase observability and use OPA Gatekeeper.
    • New open source tools to identify image vulnerabilities effortlessly (both at runtime and in the registry).

Based on the responses of the survey and community-driven discussions, the Security TAG is working on several key efforts. 

The Cloud Native 8 is a first attempt to provide the community with clear guidance on secure defaults. There is currently a public comment open on the topic, closing on October 31st. 

The group is also working on a supply chain security reference architecture designed to show organizations how to stack cloud native projects to solve a growing problem space: supply chain security. It has also launched its first version of the Cloud Native Security Map (CNSMap) and have begun working on 2.0. The goal of the CNSMap is to provide more actionable information about how to secure an organization’s cloud native ecosystem.

You can read more about the retrospective survey findings here.