Sysdig 2023 Cloud-Native Security and Usage Report: 87% of container images have high-risk vulnerabilities

The report is quoted from: Sysdig 2023 Cloud-Native Security and Usage Report

Recently, Sysdig, a cloud and container security company, released its 2023 Cloud-Native Security and Usage Report. This year's report focuses on two themes, finding that supply chain risk and zero trust architecture readiness are the biggest unresolved security issues in cloud and container environments. The report also revealed tens of millions of dollars in wasted cloud spending caused by over-allocated capacity.


Based on real-world data, the sixth annual report shows how companies of all sizes and industries around the world use and secure cloud and container environments. The dataset covers billions of containers, thousands of cloud accounts and hundreds of thousands of applications that Sysdig customers operated over the past year.

Report Highlights

87% of container images have high-severity or critical vulnerabilities: Because modern applications are assembled from shared open-source images and packages, security teams face a very large number of container vulnerabilities. The reality is that teams cannot fix them all, and they struggle to find the right criteria to prioritize vulnerabilities and shrink their workload.


However, the report also found that only 15% of the critical or high-severity vulnerabilities with an available fix are in packages that are actually loaded at runtime. By filtering for vulnerable packages that are really in use, teams can focus on the much smaller subset of fixable vulnerabilities that represent a genuine risk. Cutting the list by 85% leaves security teams with a far more actionable number.
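The following script, added here as an illustration and not taken from the report or from Sysdig's or Lingqueyun's products, shows the filtering step described above in working code. The scanner findings, the set of packages observed loaded at runtime and the field names are all constructed assumptions about what an SBOM-based scanner and a runtime agent would produce; the triage buckets (fix now, mitigate, backlog, low) are one reasonable way to act on the report's reasoning, not a published methodology.

```python
"""Prioritize container image vulnerabilities by fix availability and runtime exposure.

Illustrative example added to this article; it is not code from Sysdig or Lingqueyun.
The scanner findings and the runtime package list below are constructed, and the
field names are assumptions about a typical SBOM-based scanner report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str                  # "Critical", "High", "Medium" or "Low"
    fixed_version: Optional[str]   # None when upstream has not released a fix


# Constructed scan output for one image (not a real scan).
FINDINGS: List[Finding] = [
    Finding("CVE-2023-0001", "openssl",   "Critical", "3.0.9"),
    Finding("CVE-2023-0002", "libxml2",   "High",     "2.10.4"),
    Finding("CVE-2023-0003", "curl",      "High",     None),
    Finding("CVE-2023-0004", "perl",      "Critical", "5.36.1"),
    Finding("CVE-2023-0005", "zlib",      "Medium",   "1.2.13"),
    Finding("CVE-2023-0006", "busybox",   "High",     "1.36.1"),
    Finding("CVE-2023-0007", "glibc",     "Critical", "2.37-r3"),
    Finding("CVE-2023-0008", "gnupg",     "High",     "2.4.1"),
    Finding("CVE-2023-0009", "python3",   "High",     "3.11.4"),
    Finding("CVE-2023-0010", "libgcrypt", "High",     None),
    Finding("CVE-2023-0011", "ncurses",   "Low",      "6.4"),
]

# Constructed set of packages whose files a runtime agent observed being loaded by
# the running container (assumption: produced by an eBPF- or ptrace-based probe).
LOADED_AT_RUNTIME: Set[str] = {"openssl", "glibc", "curl"}

URGENT_SEVERITIES = {"Critical", "High"}


def triage(findings: Iterable[Finding], loaded: Set[str]) -> Dict[str, List[str]]:
    """Bucket findings by what a team can actually do about them.

    fix_now  : critical/high, fix available, package loaded at runtime
    mitigate : critical/high, loaded at runtime, but no fix released yet
    backlog  : critical/high, fix available, package not loaded (patch on the normal
               release cadence, or drop the package to slim the image)
    low      : everything else (medium/low, or unfixable and not loaded)
    """
    buckets: Dict[str, List[str]] = {"fix_now": [], "mitigate": [], "backlog": [], "low": []}
    for f in findings:
        urgent = f.severity in URGENT_SEVERITIES
        fixable = f.fixed_version is not None
        in_use = f.package in loaded
        if urgent and fixable and in_use:
            buckets["fix_now"].append(f.cve)
        elif urgent and in_use:
            buckets["mitigate"].append(f.cve)
        elif urgent and fixable:
            buckets["backlog"].append(f.cve)
        else:
            buckets["low"].append(f.cve)
    return buckets


def runtime_exposure_ratio(findings: Iterable[Finding], loaded: Set[str]) -> float:
    """Share of fixable critical/high findings whose package is loaded at runtime.

    This is the ratio the report quotes as 15% across its whole dataset.
    """
    fixable = [f for f in findings if f.severity in URGENT_SEVERITIES and f.fixed_version]
    if not fixable:
        return 0.0
    in_use = [f for f in fixable if f.package in loaded]
    return len(in_use) / len(fixable)


if __name__ == "__main__":
    for name, cves in triage(FINDINGS, LOADED_AT_RUNTIME).items():
        print(f"{name:9s} {cves}")
    print("fixable critical/high findings loaded at runtime: "
          f"{runtime_exposure_ratio(FINDINGS, LOADED_AT_RUNTIME):.0%}")
```

On the constructed data, only two of the seven fixable critical/high findings are in packages the container actually loads, so the "fix now" queue is two CVEs rather than eleven; the curl finding stays visible as a mitigation item because it is in use but has no fix yet.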


90% of granted permissions are unused: Zero trust architecture principles hold that organizations should avoid granting overly broad access. According to the report's data, 90% of granted permissions are never used. If an attacker obtains the credentials of an identity with privileged access or excessive permissions, they hold the "keys to the kingdom" in the cloud environment.
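To make the granted-versus-used gap measurable, here is an added example (not from the report or from any vendor's tooling) that compares one identity's grants against the actions an audit log shows it actually calling, then emits a policy containing only those actions. The grants, the usage events and the output policy shape are constructed; the "service:Action" strings with '*' wildcards imitate common cloud IAM syntax and are an assumption about the target environment rather than a specific provider's API.

```python
"""Measure granted versus exercised permissions and emit a right-sized policy.

Illustrative example added to this article; not code from Sysdig or Lingqueyun.
The grants, the usage events and the policy document shape are constructed; the
grant syntax imitates cloud IAM "service:Action" strings with '*' wildcards.
"""
import fnmatch
import json
from typing import Dict, Iterable, List

# Constructed: actions granted to one workload identity (e.g. a role bound to a pod).
GRANTED: List[str] = [
    "s3:*",
    "ec2:Describe*",
    "ec2:TerminateInstances",
    "iam:PassRole",
    "iam:CreateUser",
    "logs:PutLogEvents",
    "sts:AssumeRole",
    "kms:Decrypt",
    "dynamodb:*",
    "lambda:InvokeFunction",
]

# Constructed: actions the identity actually called over the observation window,
# in the (principal, action) form an audit-log export would list them.
USAGE_EVENTS: List[Dict[str, str]] = [
    {"principal": "role/app", "action": "s3:GetObject"},
    {"principal": "role/app", "action": "s3:GetObject"},
    {"principal": "role/app", "action": "s3:PutObject"},
    {"principal": "role/app", "action": "ec2:DescribeInstances"},
    {"principal": "role/app", "action": "logs:PutLogEvents"},
    {"principal": "role/app", "action": "kms:Decrypt"},
    {"principal": "role/app", "action": "ssm:GetParameter"},   # called, but never granted
]


def grant_matches(grant: str, action: str) -> bool:
    """IAM-style match: '*' in the grant matches any run of characters, case-sensitively."""
    return fnmatch.fnmatchcase(action, grant)


def analyze(granted: Iterable[str], events: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Split grants into used/unused and report the share never exercised."""
    granted = list(granted)
    observed = sorted({e["action"] for e in events})
    used = [g for g in granted if any(grant_matches(g, a) for a in observed)]
    unused = [g for g in granted if g not in used]
    # Actions in the log that no grant covers: either the log spans a policy change
    # or the calls were denied. Either way they need a look before right-sizing.
    uncovered = [a for a in observed if not any(grant_matches(g, a) for g in granted)]
    return {
        "observed_actions": observed,
        "used_grants": used,
        "unused_grants": unused,
        "uncovered_actions": uncovered,
        "unused_ratio": len(unused) / len(granted) if granted else 0.0,
    }


def right_sized_policy(granted: Iterable[str], events: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Replace wildcard and unused grants with exactly the actions that were exercised.

    Assumed document shape; adapt to the provider's schema. Narrowing "Resource"
    from "*" to the specific resources touched is the next step, not done here.
    """
    report = analyze(granted, events)
    covered = [a for a in report["observed_actions"] if a not in report["uncovered_actions"]]
    return {"Statement": [{"Effect": "Allow", "Action": covered, "Resource": "*"}]}


if __name__ == "__main__":
    r = analyze(GRANTED, USAGE_EVENTS)
    print(f"unused grants: {r['unused_ratio']:.0%} -> {r['unused_grants']}")
    print(f"observed but not granted: {r['uncovered_actions']}")
    print(json.dumps(right_sized_policy(GRANTED, USAGE_EVENTS), indent=2))
```

Two details matter in practice: a wildcard grant such as "s3:*" counts as used when any action under it appears, so the right-sized output replaces it with the two S3 actions actually seen; and the observation window must be long enough to cover rare paths (rotation jobs, disaster-recovery runbooks) or the new policy will break them.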


59% of containers have no CPU limit defined, and 69% of requested CPU resources go unused: Without utilization data in a Kubernetes environment, developers cannot tell where cloud resources are over- or under-allocated. Organizations of all sizes can overspend by 40%, and for large-scale deployments, optimizing the environment can save an average of $10 million on cloud bills.
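Both figures above can be reproduced for a cluster from two inputs: the pod specs (for requests and limits) and the metrics API (for usage). The added example below, which is not from the report or from any vendor, audits constructed pod objects for containers with no CPU limit and computes how much of the requested CPU is unused. The pod dictionaries follow the structure of Kubernetes Pod objects (spec.containers[].resources), the usage values are constructed in the nanocore strings that metrics-server reports, and a real run would fetch both from the API server instead of these literals.

```python
"""Audit Kubernetes pod specs for missing CPU limits and unused requested CPU.

Illustrative example added to this article; not code from Sysdig or Lingqueyun.
The pod objects mirror the Kubernetes Pod structure but are constructed, and the
usage figures are constructed in the nanocore form the metrics API uses.
"""
from typing import Dict, List

# Constructed pod objects, trimmed to the fields the audit reads.
PODS: List[dict] = [
    {"metadata": {"name": "api"},
     "spec": {"containers": [
         {"name": "web",     "resources": {"requests": {"cpu": "500m"}, "limits": {"cpu": "1"}}},
         {"name": "sidecar", "resources": {"requests": {"cpu": "100m"}}},   # request, no limit
     ]}},
    {"metadata": {"name": "worker"},
     "spec": {"containers": [
         {"name": "worker",  "resources": {"requests": {"cpu": "2"}}},      # 2 cores, no limit
     ]}},
    {"metadata": {"name": "cron"},
     "spec": {"containers": [
         {"name": "job",     "resources": {}},                               # nothing set at all
     ]}},
]

# Constructed usage keyed "pod/container", in the nanocore strings metrics-server returns.
USAGE: Dict[str, str] = {
    "api/web":       "120000000n",   # 120m of the 500m requested
    "api/sidecar":   "5000000n",     # 5m of 100m
    "worker/worker": "600000000n",   # 600m of 2000m
    "cron/job":      "15000000n",    # 15m, nothing requested
}


def parse_cpu_millicores(quantity: str) -> float:
    """Convert a CPU quantity ("2", "0.5", "500m", "250u", "120000000n") to millicores."""
    q = quantity.strip()
    if q.endswith("n"):
        return float(q[:-1]) / 1_000_000
    if q.endswith("u"):
        return float(q[:-1]) / 1_000
    if q.endswith("m"):
        return float(q[:-1])
    return float(q) * 1000


def audit_cpu(pods: List[dict], usage: Dict[str, str]) -> Dict[str, object]:
    """Report containers with no CPU limit and the share of requested CPU left unused."""
    missing_limits: List[str] = []
    no_requests: List[str] = []
    requested_m = 0.0
    used_against_request_m = 0.0
    for pod in pods:
        pod_name = pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            key = f"{pod_name}/{c['name']}"
            resources = c.get("resources", {})
            request = resources.get("requests", {}).get("cpu")
            limit = resources.get("limits", {}).get("cpu")
            if limit is None:
                missing_limits.append(key)
            if request is None:
                no_requests.append(key)   # the scheduler has nothing to place this on
                continue
            req_m = parse_cpu_millicores(request)
            requested_m += req_m
            # Usage above the request counts as fully used; a burst in one container
            # cannot offset slack reserved for another.
            used_against_request_m += min(req_m, parse_cpu_millicores(usage.get(key, "0n")))
    return {
        "missing_limits": missing_limits,
        "no_requests": no_requests,
        "requested_millicores": requested_m,
        "unused_request_fraction": 1 - used_against_request_m / requested_m if requested_m else 0.0,
    }


if __name__ == "__main__":
    result = audit_cpu(PODS, USAGE)
    print(f"containers without a CPU limit: {result['missing_limits']}")
    print(f"containers without a CPU request: {result['no_requests']}")
    print(f"requested CPU left unused: {result['unused_request_fraction']:.0%}")
```

On the constructed data three of four containers have no limit and about 72% of the requested CPU sits idle, close to the report's 69%. Right-sizing then means lowering the requests toward observed usage and adding limits, not just adding limits; a limit alone does nothing about the idle reservation that drives the bill.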


72% of containers live for less than five minutes: Gathering troubleshooting information after a container has disappeared is nearly impossible, and container lifespan has shortened by 28% this year. This reduction reflects how mature organizations' use of container orchestration has become, and underlines the need for security that keeps pace with the ephemeral nature of the cloud.


"Looking back at last year's report, container adoption continues to mature, as evidenced by shortening container lifecycles. However, misconfigurations and vulnerabilities still plague cloud environments, while supply chains are amplifying security concerns. Privilege management is another area where I would like to see people be stricter," said Michael Isbitski, director of cybersecurity strategy at Sysdig. "Adopting the practices described in our report, such as looking at actual exposure to understand real risk and prioritizing the vulnerabilities that have a real impact on the business, helps."


Conclusion

Our research shows that, despite awareness of the tools needed and of the benefits of a zero trust approach, cloud security processes still lag behind the rapid pace of cloud adoption. The real-world customer data we studied points to several areas of security practice that need improvement to reduce risk:


· Identity and access management: The wide gap between granted and required permissions underscores the urgency of regularly measuring and managing permissions to reduce the opportunities for attack.

· Vulnerability management: Since most container images run in production carrying vulnerabilities, teams must address image bloat and focus their remediation effort by prioritizing vulnerabilities according to actual runtime risk.

· Detection and response: Privilege escalation and defense evasion attacks top our customers' threat list. To keep up with the changing threat landscape, threat detection rules should be updated regularly to spot malicious activity.

Security aside, this year's data shows that organizations can cut cloud costs by reclaiming unused Kubernetes resources. Time invested in capacity planning pays off. By setting proper container resource limits and monitoring continuously, organizations can optimize costs without compromising application performance.


The key trends in our sixth annual report highlight the continued growth of container environments and the increasing reliance on the open-source solutions needed to stabilize and secure them. A growing market of automated, scalable tools designed for cloud and containers can help teams spot threats and risks more effectively, avoid missed opportunities, focus on the actions with the greatest impact, and avoid wasted time.

Shifting security to the left: Lingqueyun ACP's cloud-native security practice

On cloud-native security strategy, Sysdig holds that the core of cloud-native protection lies in rules. Rules have to be defined and maintained by security personnel according to their own security policies, and because rules are customized, they can be bypassed. Only when they are integrated into a production environment with its own specific conditions, and the security operations team continuously cross-validates them with a variety of detection methods to form a closed loop, can they be truly effective.


Lingqueyun follows the same security strategy in its cloud-native security practice. To help enterprise users make a smooth cloud-native transition and complete their digital transformation, Lingqueyun puts the security of its products and services first, follows the "shift left" design principle for security, and builds its cloud-native security defense line around the following points:


· Complete user security policies

To keep user logins secure, Lingqueyun ACP supports user security policies covering password security, user banning, user lockout, password notifications, access control and more, improving the security of platform users and reducing the risk of malicious attacks.


· Service-oriented IT security governance

Supports multi-tenant management scenarios for small and medium-sized enterprises, with fine-grained permission control and self-service IT governance; unifies the management and monitoring of resources across different infrastructure environments; and ensures system security through a security audit mechanism.


· DevSecOps across the whole life cycle

Ensures security throughout the application life cycle; automates security protection for the overall environment and its data; enforces security policies (such as image vulnerability scanning and code security scanning policies) during build, test and deployment to secure the whole application; helps organizations deliver more secure software by automating uniform security quality standards; and supports integration with container security scanners.


In practice, take a large national bank as an example. The bank's full-stack cloud container platform is an important engine driving the construction of its financial digital infrastructure. Applying the DevSecOps concept, it achieved enterprise-grade full-life-cycle adaptive security, intelligent IT system detection, reliable container security management, an agile DevSecOps process and zero trust security risk assessment, greatly improving the security resilience of its business systems.

https://blog.csdn.net/alauda_andy/article/details/124145033


Origin blog.csdn.net/alauda_andy/article/details/129856154