The fifth annual
Sysdig 2022 Cloud-Native Security and Usage Report
...digs into how Sysdig customers of all sizes and industries are using and securing cloud and container environments. We examined the data and found some interesting trends this year that may help as you work to develop best practices for securing and monitoring your cloud-native environments.
Based on data from billions of containers!
This year’s report has new data on cloud security, container vulnerabilities, and Kubernetes capacity planning. Read on to see how you stack up then download the full report for more insights!
Dig into the data
Container Usage
How many clusters are organizations operating? How many Pods run per node? How much capacity does a cluster use?
We looked at a range of details about what organizations are doing with Kubernetes and here are a few of the things you can find in the report.
containers have no limits defined
MORE
INFO
INFO
We found that at least 50% of containers have no limits defined which could impact performance and costs.
In an ephemeral, dynamic environment like Kubernetes, capacity management and planning are inherently difficult. Environments that allow developers to choose their own capacity could be over-allocated. Since these are rarely audited/rightsized, poor capacity planning can lead to performance problems and wasteful spending.
unused CPU resources
MORE
INFO
INFO
On average, 34% of CPU cores in Kubernetes clusters were unused.
Of those clusters that did have CPU limits, an average of 34% of CPU cores were unused. Without knowing the utilization of their clusters, organizations could be wasting money due to overallocation or causing performance issues by running out of resources.
custom metrics are Prometheus
MORE
INFO
INFO
Year-over-year, Prometheus metric use increased to 83% across our customers — compared to 62% last year.
Custom metric solutions give developers and DevOps teams a way to instrument code to collect unique metrics for their applications. It is clear that with the strong connection between Prometheus and Kubernetes more organizations are adopting Prometheus metrics as a standard, open source way to support cloud-native architectures.
Best Practices
Based on the cloud-native security and usage findings in this year's report, organizations should start implementing these best practices.
1
Organizations should manage access based on data sensitivity and specific use case, while abiding by the principle of least privilege.
2
As organizations mature their cloud-native capabilities, they should strive to eliminate or reduce the insecure behaviors that lead to excessive alerts.
3
Organizations should remember to set limits on their containers where appropriate and monitor Kubernetes resources carefully.
4
Use Prometheus for custom metrics to avoid vendor lock-in.
Cloud-Native Security
As organizations move more container workloads to production, they are recognizing the need to integrate security and compliance into the DevOps workflow.
Scanning for vulnerabilities is a critical component, but our data also highlight the need for stringent runtime policies and continuous workload re-assessment. Here are a few of the many things we found in the report.
containers running with high or critical vulnerabilities
MORE
INFO
INFO
Looking at our data we found that 75% of images contain patchable vulnerabilities of “high” or “critical” severity.
Tens of thousands of vulnerabilities are discovered by Sysdig in customer environments every day. It’s impossible to fix every single one. However, organizations must consider the tradeoff between delaying deployments to fix the problems or accepting security risks to release the software faster.
cloud accounts have public S3 buckets
MORE
INFO
INFO
We found that 73% of cloud accounts contained exposed S3 buckets which could be putting data at risk.
Configuration mistakes appear not only at the cloud account level, but also with respect to the specific resources that are provisioned. The amount of risk associated with an open bucket varies according to what kind of data is stored there, but this is something to watch out for.
customers detect shell in container events
MORE
INFO
INFO
Our data shows that 62% of customers detected a terminal shell in a container, indicating that these workloads are not being treated as immutable and increasing the risk of tampering.
Security monitoring of containerized workloads aims to discover and impede malicious actors, as well as to identify risky exposures and reduce the attack surface. Sysdig customers regularly receive Falco security alerts indicative of poor security hygiene in these environments.
containers running as root
MORE
INFO
INFO
What we see is that 76% of images ultimately run as root, allowing for privileged containers that can be compromised.
While teams understand the need to scan for vulnerabilities, they may not be scanning for common configuration mistakes. Part of the problem could be simply that developers did not remember to configure permissions correctly before the image was pushed to production.
Best Practices
Based on the cloud-native security and usage findings in this year's report, organizations should start implementing these best practices.
1
Organizations should manage access based on data sensitivity and specific use case, while abiding by the principle of least privilege.
2
As organizations mature their cloud-native capabilities, they should strive to eliminate or reduce the insecure behaviors that lead to excessive alerts.
3
Organizations should remember to set limits on their containers where appropriate and monitor Kubernetes resources carefully.
4
Use Prometheus for custom metrics to avoid vendor lock-in.
