Armo on the state of Kubernetes open source security
According to a new report, most companies use at least one open source security tool to secure Kubernetes.
In a survey of The State of Kubernetes Open Source Security, published by cybersecurity company Armo, 55% of respondents claimed to use open source security tools.
If this sounds high, that’s because it overlaps with the 80% of organisations that are using at least some closed source proprietary security software.
About a third of all Kubernetes users say they do a bit of both.
Some 21% stick to pure open source for security, though this went up to a third when looking at European companies only.
The report also claims that using multiple one open source security offerings is common. Almost a quarter of respondents use five or more different open source security tools for Kubernetes. Armo suggests that this is because open source tools tend to be highly specialised, doing one thing very well, while proprietary security platforms try and do it all.
Too much tool trouble
Lots of tools means lots of problems, though, especially when it comes to integration, suggests the company.
The report says that users find open source security solutions tough to integrate with other DevOps tools (62%), manage (51%) and set up (45%). Overall, 69% struggle to integrate open source security tools into their stacks. The company thinks that [as a generalised statement suggestion] open source tools tend to be poorly documented and supported, meaning users have to do the work themselves.
When it comes to proprietary security solutions, survey respondents cited, perhaps unsurprisingly, financial aspects.
As many as 62% complained about the complex pricing models the security vendors use and 47% felt expense was a problem overall. On the technical side, 69% noted that proprietary security tools are “black boxes” that are tough to understand and modify.
Asked if Kubernetes security was its own discipline, only 3% of respondents thought it was; 97% disagreed and felt it was just a subdiscipline of broader cloud security.
Armo makes the open source Kubernetes security platform Kubescape.
Craig Box, VP open source at Armo, explained why he thought companies were using both open source and proprietary security tools together.
“Kubernetes and its community are rooted in open source, so naturally companies look to open source first when they need something like security,” said Box. “The move to a proprietary platform is typically triggered by a need for enterprise-level support or broader coverage. There are also areas where companies stick with their open source tools because the proprietary solutions are no better, especially for service meshes, CVE scanners and policy agents.”
This second point appears to be borne out by the report, which found that service meshes in particular were the most commonly used open source security tools for Kubernetes. The full report is available on Armo’s website.