Security interest grows as cloud-native community gathers for KubeCon+CloudNativeCon EU
May 20 2021
by Fernando Montenegro
As interest and adoption of cloud environments and cloud-native technologies grows, perhaps it's time to retire the notion – often repeated within security circles – that security is not important to the business.
The latest edition of the KubeCon + CloudNativeCon Europe provided ample evidence of the growth of interest in security, with swelling ranks not only in the cloud-native community itself, but also of security popping up in multiple places.
The 451 Take
The events organized by the Cloud Native Computing Foundation (CNCF) are well run – the foundation has found a good formula for mixing the enthusiasm of the cloud-native community with the growing interest in cloud-native technology – and this year's KubeCon + CloudNativeCon Europe, delivered virtually, was no exception. There was plenty of evidence of the interest and growth in adoption of cloud-native technologies, with Kubernetes being the anchor for many of the initiatives and conversations. It's also interesting to see yet more growth for security as a topic, both in terms of content and in offerings from many vendors and in several of the open source projects championed by the community.
This interest in cloud-native security also encompasses one of the key challenges for security vendors: how to engage with this community in a mutually beneficial way. The changes in organizational patterns and lines of responsibility mean security is now, more than ever, 'everyone's responsibility,' but they also mean stakeholders and vendors must find new ways of connecting given their different backgrounds, needs and capabilities.
Cloud-native community continues to grow
As the European edition of CNCF's KubeCon+CloudNativeCon moved back to its original early spring date, having had a summer date in 2020 due to the pandemic, the foundation announced continued growth across several dimensions. According to the CNCF, the number of member organizations grew from 518 in 2019 to 630, including 140 end-user organizations. Individual contributors grew from roughly 80,000 in 2019 to over 120,000. Education and certification initiatives were also highlighted, including the nearly 800 scholarships given to conference participants and the increased numbers of students enrolled in virtual courses (nearly 200,000) and those enrolled in certifications (53,000 for the core Kubernetes Administrator certification, 26,000 for Kubernetes Developer and 5,000 for the new Kubernetes Security certification).
Notably, the number of projects managed grew from 44 in 2019 to nearly 100, although some of this growth is directly attributable to the revamping of the program to more easily onboard projects in the sandbox stage.
As a further sign of community growth, there were over 10 distinct pre-conference events focused on different aspects of cloud-native technology, including security, service mesh, WebAssembly and other topics.
Security remains a fundamental aspect of cloud native
Indeed, there's plenty of evidence of this in our research, as depicted in the chart below, which comes from 451 Research's 2020 study.
It's interesting to note that security interest within the community is moving in two complementary directions: on one hand, security is becoming even more firmly embedded into the core cloud-native technology stack; on the other, security is being explicitly taken into account in the very process of building cloud-native environments.
The deeper embedding of security can be seen in at least three different trends within the cloud-native community. First, there's increased interest in initiatives such as the Falco runtime security project, the Cilium networking plug-in and more broadly in eBPF as a key mechanism for kernel security and observability. These point to the community moving toward a technology stack where security functionality is readily available.
Following on from these, it's worth noting that the CNCF has promoted the Open Policy Agent (OPA) project to 'Graduated' status and is looking at OPA and the Gatekeeper project as key components for policy enforcement in Kubernetes environments. The alternative Kyverno project is also seeing increased traction.
Last, there is increased interest in the SPIFFE/SPIRE efforts that aim to provide a framework and implementation for assigning workload identities, which serves as the foundation for higher-level security functionality such as confidentiality and integrity mechanisms.
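To make the policy-enforcement point concrete, the following is an added example and not code from OPA, Gatekeeper, Kyverno or any vendor mentioned here. It evaluates, in plain Python, the kind of admission-time rules those engines enforce (no privileged containers, images pinned by digest or non-mutable tag, CPU/memory limits present, containers running as non-root) over two constructed Pod manifests; the manifests, rule names and helper functions are all assumptions made for illustration.

```python
"""Illustrative admission-style policy checks over Kubernetes Pod manifests.

Added example, not OPA/Gatekeeper or Kyverno code. It mirrors the kind of
rules those policy engines evaluate when a Pod is admitted to a cluster.
"""
from dataclasses import dataclass

# Constructed sample manifests (dict form of Pod YAML), not taken from any real cluster.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "prod"},
    "spec": {"containers": [
        {"name": "shell", "image": "busybox:latest",
         "securityContext": {"privileged": True}},
    ]},
}

COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "api",
             # Placeholder digest: a real manifest would carry the image's actual sha256.
             "image": "registry.example.com/team/api@sha256:" + "a" * 64,
             "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        ],
    },
}


@dataclass(frozen=True)
class Violation:
    rule: str
    container: str
    message: str


def _containers(pod: dict) -> list[dict]:
    """Init containers are subject to the same rules as regular containers."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def image_is_pinned(image: str) -> bool:
    """True if the image is pinned by digest or by a tag other than the mutable 'latest'."""
    if "@sha256:" in image:
        return True
    # Look only at the last path segment so a registry port (host:5000/app) is not read as a tag.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False
    return last.split(":", 1)[1] != "latest"


def check_privileged(pod: dict) -> list[Violation]:
    return [Violation("no-privileged-containers", c["name"], "privileged: true is not allowed")
            for c in _containers(pod)
            if c.get("securityContext", {}).get("privileged") is True]


def check_images(pod: dict) -> list[Violation]:
    return [Violation("pinned-images", c["name"], f"image {c['image']!r} is not pinned")
            for c in _containers(pod) if not image_is_pinned(c.get("image", ""))]


def check_limits(pod: dict) -> list[Violation]:
    out = []
    for c in _containers(pod):
        limits = c.get("resources", {}).get("limits", {})
        missing = [k for k in ("cpu", "memory") if k not in limits]
        if missing:
            out.append(Violation("resource-limits", c["name"], f"missing limits: {missing}"))
    return out


def check_non_root(pod: dict) -> list[Violation]:
    # A container-level setting overrides the pod-level one, as in the Pod API.
    pod_level = pod.get("spec", {}).get("securityContext", {}).get("runAsNonRoot") is True
    out = []
    for c in _containers(pod):
        c_level = c.get("securityContext", {}).get("runAsNonRoot")
        effective = c_level if c_level is not None else pod_level
        if not effective:
            out.append(Violation("run-as-non-root", c["name"], "runAsNonRoot is not set to true"))
    return out


RULES = (check_privileged, check_images, check_limits, check_non_root)


def evaluate(pod: dict) -> list[Violation]:
    """Run every rule and collect all violations, so the submitter sees them at once."""
    return [v for rule in RULES for v in rule(pod)]


def admit(pod: dict) -> tuple[bool, list[str]]:
    """Deny-by-default decision: allowed only when no rule fires."""
    violations = evaluate(pod)
    return (not violations, [f"[{v.rule}] {v.container}: {v.message}" for v in violations])


if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, COMPLIANT_POD):
        allowed, reasons = admit(pod)
        print(pod["metadata"]["name"], "allowed" if allowed else "denied", reasons)
```

In a real cluster these checks run inside a validating admission webhook (Gatekeeper evaluates them as Rego, Kyverno as YAML policy), and the decision is returned to the API server before the object is persisted; the example collects every violation rather than stopping at the first so that a denied submission is actionable in one round trip.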
The aligning of security functionality with the broader developer experience and core service delivery can be seen in two dimensions. First, the increased interest in service mesh architectures, which can consume the lower-level security constructs as defined above to offer seamless confidentiality and integrity via encryption and mutual authentication. The Linkerd service mesh is in incubated status while several others are in the sandbox stage.
Finally, the topic of supply chain security – driven by numerous recent events in industry – was also top of mind, both in conceptual and practical terms. There were different presentations looking to raise awareness of the issue and of industry initiatives such as the 'software bill of materials' (SBOM). There is also increased interest in projects such as in-toto (an open metadata standard for signing artifacts), although it is still in sandbox stage, and in the upcoming version update to the Notary project and the associated The Update Framework (TUF) for secure software distribution.
Also worthy of note is the recent release of the latest community-driven 'CNCF technology radar,' which aims to document community consensus about the maturity and adoption of different technology components for a specific use case. The latest radar map focused on how to manage secrets, which are widely used in authentication. The radar pointed to broad adoption of HashiCorp's Vault and the native offerings from the larger cloud service providers, as well as increased usage of the cert-manager project, currently in sandbox status.
Security a growing presence on (virtual) Expo Floor too
In aggregate, 2021 appears to show a mild recovery in the number of sponsors. The analysis below shows that this edition of the conference had 100 sponsors (certain categories such as media, end-user organizations and others were excluded from this list), showing some recovery in relation to the 2020 edition, which was severely affected by the pandemic.
Figure 2: Sponsors for KubeCon+CloudNativeCon Europe (Partial)
There's also solid further evidence of the growing presence of security in cloud-native technology. When compared with previous editions (2019 and 2020), the proportion of sponsors this year that either offer security as their primary portfolio ('pure') or, subjectively, as a significant part of a broader technology portfolio ('yes') grew again, from 29% in 2019 and 37% in 2020 to 43% in 2021.
Figure 3: Proportion of Vendors with Security Offerings for KubeCon + CloudNativeCon EU
Broader considerations adjacent to security include but are not limited to data protection and management platforms for multi-cluster deployments.
Relatively few security announcements
Despite the growth in the proportion of vendors with security offerings, there were relatively few significant security-specific announcements at the conference. Several factors may have contributed to this, including a shift in release patterns where features are made available more often throughout the year, and possibly the proximity of KubeCon EU to this year's edition of the RSA Conference, where more security vendors congregate.
In terms of security announcements at the conference, the list included:
Accurics announced support for integration with the Argo project for closer tie-in to GitOps patterns.
Bridgecrew, now part of Palo Alto Networks, publicized results from a study on the security of Helm charts.
Palo Alto Networks announced support for integration of intelligence from its WildFire service for workload protection, as well as additional capabilities for Prisma Cloud.
NeuVector announced support for IBM Cloud and integration with IBM QRadar.
Nirmata indicated that it saw increased interest in its Nirmata Policy Manager for Kyverno, based on the growth in interest in the underlying project.
Red Hat announced a new upstream open source project based on the StackRox technology it acquired earlier in 2021.
Sysdig announced support for AWS Fargate workloads.
Tigera highlighted the newer observability features of its Calico Enterprise offering.
The next edition of the KubeCon + CloudNativeCon is scheduled to be a hybrid event, to be held in mid-October in Los Angeles.