With the help of the CNCF Security Technical Advisory Group (TAG), CNCF recently conducted a microsurvey of the community to see how organizations are managing cloud native security. 

Overall, the report shows that organizations recognize the differences between traditional and modern security in cloud native architectures, and see the value in modern, cloud native security. An overwhelming 85% of respondents indicated that modernizing security is very important to their organization’s cloud native deployment. No one indicated that it is not important.

However, only 9% had a fully documented set of procedures that are implemented automatically for their teams. So, while organizations recognize the importance of having these policies in place, there is still a very long way to go as a community to increase adoption and develop tooling to ease the burden of implementation.  

Even worse, 12% of organizations said their processes and policies for securing third-party software were non-existent. Many organizations are leaving themselves vulnerable. In these cases, employees are likely overworked, burned out, dealing with fires, and playing catch-up before another incident happens. They are much less likely to proactively improve security or innovate in that space.

The microsurvey received more than 125 responses.

See the full results of the microsurvey here. The report includes more details on organizations’ biggest concerns, challenges, and missteps, and the state of cloud native security at the edge.

The Security TAG also recently completed its own retrospective survey following the release of its Cloud Native Security Whitepaper.

The retrospective survey received more than 70 responses and found that:

Based on the responses of the survey and community-driven discussions, the Security TAG is working on several key efforts. 

The Cloud Native 8 is a first attempt to provide the community with clear guidance on secure defaults. A public comment period on the topic is currently open, closing on October 31st.

The group is also working on a supply chain security reference architecture designed to show organizations how to stack cloud native projects to solve a growing problem space: supply chain security. It has also launched the first version of the Cloud Native Security Map (CNSMap) and has begun working on 2.0. The goal of the CNSMap is to provide more actionable information about how to secure an organization’s cloud native ecosystem.

You can read more about the retrospective survey findings here.