Last week, thousands convened virtually for Cloud Native Computing Foundation’s (CNCF’s) Kubecon + CloudNativeCon NA. Security was featured prominently at the conference, with a security keynote, two capture the flag sessions, and many sessions focused on security. CNCF also hosted the Cloud Native Security Day to bring the community together. CNCF will be posting the recordings of all sessions in December.
During the conference, the CNCF released its 2020 survey results, showing the increased adoption of cloud native tools and technologies – which has only accelerated due to increased pressures for digital transformation due to the pandemic.
The CNCF Security Special Interest Group (SIG) also released its Cloud Native Security Whitepaper – a guide to best practices for securing cloud native deployments. It covers core security concepts in cloud native architectures to apply while designing, developing, and deploying new capabilities.
In this blog post, I’ll recap key survey results and top takeaways from the whitepaper. As we head into the holidays, I hope you have a chance to delve further into the reports, and of course, feel free to ping us to see how we may be able to help you with your cloud native security needs.
CNCF Survey 2020: Organizations Increasingly Going Cloud Native to Increase Productivity
This year’s CNCF 2020 Survey, conducted in May and June, recorded 1,324 responses showing continued growth of cloud native tools and technologies, particularly with increased demand for resources driven by the pandemic.
- Two-thirds of respondents were from organizations with more than 100 employees, and 30% were from organizations with more than 5,000 employees.
- The majority of respondents (56%) came from Software/Technology organizations. Other industries included Financial Services (9%), Consulting (6%) and Telecommunications (5%).
- Top job functions were SRE/DevOps engineer (43%), software architect (35%), and backend developer (23%).
- 92% of respondents use containers in production, compared to 84% last year, and 73% in 2018.
- 91% of respondents report using Kubernetes, 83% of them in production, compared to 78% last year and 58% in 2018.
- 82% of respondents use CI/CD pipelines in production, with 10% evaluating and 4% planning to run CI/CD in the next 12 months.
The survey also sheds light on release cycle trends – noting that release cycles are speeding up, while automation has dropped.
"Several factors are driving this trend. As the use of cloud native technologies grows in production, organizations build more advanced infrastructures. Also, the coronavirus pandemic has increased digital consumption, forcing organizations to adapt to keep up with demand."
- The percentage of those who release software daily, or even multiple times a day, has increased to 29% from 27% last year.
- Weekly release cycles are still the most common (26%), but more than half of respondents (55%) release weekly or more frequently.
- The majority of respondents (53%) check in code multiple times a day, and 80% check in code at least a few times a week, which is in line with last year’s results.
- Hybrid is the most popular approach for release cycles as chosen by 46% of respondents, up from 41% last year and just 25% in 2018.
- There is a shift away from fully-automated cycles, which dropped to 33% from 40% in 2019.
"This could mean that many organizations are not ready to jump to fully automated cycles because of the complexity of setting them up, or they wish to retain control over certain aspects of application deployment. It will be interesting to see what happens with this trend in the next survey."
At Soluble, we are closely tracking these trends to see how we can help reduce complexity for our customers who need security and reliability for developers quickly releasing code.
CNCF Security Whitepaper: Helping Technical Leaders Address Security for Cloud Native
Last year, the CNCF created the Security SIG with the mission to reduce risk that cloud native applications expose end user data or allow other unauthorized access. Last week, in conjunction with the Kubecon + CloudNativeCon event, it released the Cloud Native Security Whitepaper as a guide for CISOs and other technical leadership roles navigating the changes needed with the adoption of modern development workflows that require integrated security.
This paper is excellent at describing the need to move away from traditional perimeter security approaches to methods that inject security throughout the software development lifecycle. This moves security closer to dynamic workloads so it can scale with modern cloud native application development – dealing with the ephemerality, distribution, and immutability of modern workloads.
Here are some summaries and excerpts that stand out to us, and that we are addressing with the Soluble Fusion platform to inject security into CI/CD pipelines.
Security testing early in development – identifying compliance violations and misconfigurations – injects security early in the lifecycle. This is an opportunity to shorten feedback cycles for continuous improvement, where security failures can follow familiar workflows raised for other issues in the pipeline (e.g. bug fixes or CI failures), which already require resolution prior to moving software further in the pipeline.
The report also stresses the importance of writing code that adheres to recommended design patterns, and cites Infrastructure as Code (IaC) practices as a way to ensure controls are operating as intended through early security check integrations.
"These controls and integrations identify misconfigurations and implement best practices in IaC and orchestration manifests as early to reduce long term cost and increase security value."
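The kind of early IaC check the whitepaper describes can be a small linter that runs in the pull-request stage of the pipeline, before a manifest ever reaches a cluster. The following is an added example, not code from the whitepaper, the CNCF, or Soluble: it applies a handful of common misconfiguration rules to Kubernetes workload manifests. It reads JSON rather than YAML so it needs only the standard library (kubectl accepts either format); the rule names, the sample manifests, the `registry.example.com` registry and the all-`a` digest are constructed for the example.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule id, e.g. "privileged"
    location: str   # "<workload>/<container>" the finding applies to
    message: str    # human-readable explanation for the CI log


def _pod_spec(manifest):
    """Return the PodSpec for the workload kinds we understand, else None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return None


def check_manifest(manifest):
    """Apply the misconfiguration rules to one parsed manifest (a dict)."""
    findings = []
    spec = _pod_spec(manifest)
    if spec is None:
        return findings  # Services, ConfigMaps etc. carry no PodSpec
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(Finding("host-namespaces", name,
                                "pod shares the host network, PID or IPC namespace"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}/{c.get('name', '?')}"
        image = c.get("image", "")
        sc = c.get("securityContext", {})

        if "@sha256:" not in image:
            findings.append(Finding("image-not-pinned", loc,
                                    f"image '{image}' is referenced by mutable tag, not by digest"))
        if sc.get("privileged"):
            findings.append(Finding("privileged", loc, "container runs privileged"))
        if sc.get("runAsNonRoot") is not True:
            findings.append(Finding("run-as-root", loc, "runAsNonRoot is not set to true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(Finding("privilege-escalation", loc,
                                    "allowPrivilegeEscalation is not set to false"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding("no-resource-limits", loc, "no CPU/memory limits declared"))
    return findings


def check_manifest_json(text):
    """Parse a JSON manifest (kubectl accepts JSON as well as YAML) and check it."""
    return check_manifest(json.loads(text))


def ci_gate(manifest_texts):
    """Return a CI exit status: 0 when clean, 1 when any manifest has a finding."""
    total = []
    for text in manifest_texts:
        total.extend(check_manifest_json(text))
    for f in total:
        print(f"[{f.rule}] {f.location}: {f.message}")
    return 1 if total else 0


# Constructed sample manifests (not from any real project).
BAD_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}]}}},
})

# Placeholder digest: 64 hex characters, not a real image digest.
GOOD_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "app",
                        "image": "registry.example.com/web/app@sha256:" + "a" * 64,
                        "securityContext": {"runAsNonRoot": True,
                                            "allowPrivilegeEscalation": False},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
})

if __name__ == "__main__":
    raise SystemExit(ci_gate([BAD_MANIFEST, GOOD_MANIFEST]))
```

Wired into CI as a required check, a non-zero exit from `ci_gate` blocks the merge the same way a failing unit test would, which is exactly the "familiar workflow" the whitepaper wants security failures to follow. The rules are deliberately few; a real pipeline would load them from policy files so the security team can tune them without touching the linter.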
The report also describes the need to verify the integrity of workloads, the process for workload creation, and means of operation, noting that this is complicated by the use of open source software and third-party runtime images. Artifacts (e.g. container images) present in the lifecycle pipeline require continual automated scanning and updates to ensure safety from vulnerabilities, malware, insecure coding practices, and other malfeasance.
At deployment, it is also important to continuously validate, in real time, the attributes of candidate workloads (such as signed artifacts, container image and runtime security policies in place, and host suitability). It is useful to have observability of workloads, with logs and metrics that can be monitored.
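The deploy-time validation just described can be demonstrated with a small admission decision that checks a candidate image against an allow-listed registry and a signed scan attestation for its digest. This is an added example, not code from the whitepaper or from Soluble: the attestation is a stand-in signed with HMAC-SHA256 so the example runs offline (real pipelines use asymmetric signatures from a dedicated signing tool), and the key, the `registry.example.com` registry, the sample digest and the `admit` function are all constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed signing key; stands in for the key a real attestation signer holds.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_REGISTRIES = {"registry.example.com"}

# Only digest-pinned references are accepted; a tag-only reference does not match.
IMAGE_RE = re.compile(r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_image(ref):
    """Split 'registry/repo@sha256:<digest>'; return None for tag-only or malformed refs."""
    m = IMAGE_RE.match(ref)
    return m.groupdict() if m else None


def sign_attestation(digest, key=SIGNING_KEY):
    """Stand-in attestation: the scanner records a clean result for a digest and
    authenticates it with an HMAC over the canonical JSON payload."""
    payload = json.dumps({"digest": digest, "scanned": "clean"}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_attestation(att, digest, key=SIGNING_KEY):
    """Check the MAC first (constant-time compare), then that the payload is about
    this digest and reports a clean scan."""
    expected = hmac.new(key, att["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["signature"]):
        return False
    payload = json.loads(att["payload"])
    return payload.get("digest") == digest and payload.get("scanned") == "clean"


def admit(image_ref, attestations, allowed_registries=ALLOWED_REGISTRIES):
    """Admission decision for one candidate workload image. Returns (allowed, reason)."""
    parts = parse_image(image_ref)
    if parts is None:
        return False, "image must be referenced by sha256 digest, not a mutable tag"
    if parts["registry"] not in allowed_registries:
        return False, f"registry {parts['registry']} is not in the allow-list"
    att = attestations.get(parts["digest"])
    if att is None:
        return False, "no attestation recorded for this digest"
    if not verify_attestation(att, parts["digest"]):
        return False, "attestation signature or content does not match the digest"
    return True, "admitted"


# Constructed sample data: a digest over made-up bytes, not a real image.
DIGEST = hashlib.sha256(b"constructed image bytes").hexdigest()
ATTESTATIONS = {DIGEST: sign_attestation(DIGEST)}
IMAGE = f"registry.example.com/web/app@sha256:{DIGEST}"

if __name__ == "__main__":
    for ref in (IMAGE, "registry.example.com/web/app:latest",
                f"mirror.example.net/web/app@sha256:{DIGEST}"):
        print(ref, "->", admit(ref, ATTESTATIONS))
```

The ordering inside `admit` matters: cheap structural checks (digest pinning, registry allow-list) run before the cryptographic check, and the signature is verified before any field of the payload is trusted. In a cluster this logic would sit behind a validating admission webhook, and the attestation store would be queried per digest rather than held in memory.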
The report also describes how, at runtime, cloud native environments should provide policy enforcement and resource-restricting capabilities by design.
"...organizations need to adopt approaches and methodologies that shift security left, amplify DevOps, and reach beyond to the next technology horizon so continued, proper checks of all components before, within, and after the pipeline are verified with any innovation brought into the lifecycle."
We heartily agree! We hope you enjoyed our recap of the CNCF 2020 Survey and the Cloud Native Security Whitepaper. Don't hesitate to reach out with any questions, and of course, contact us to learn more about what we're building.