Hundreds of millions of dollars are pouring into companies that are building technology to keep Kubernetes cloud-software technology safe.
It’s a market that is likely to continue to accelerate in the months ahead as organizations increasingly rely on Kubernetes for day-to-day operations, and as the risks of potential security exploits grow.
Kubernetes is an open source cloud-software project, first developed by Google five years ago as a way to help manage its own container infrastructure. In 2019, Kubernetes has moved far beyond Google and is now developed under the auspices of the Cloud Native Computing Foundation (CNCF), with support on Amazon’s and Microsoft’s public cloud platforms. Kubernetes is also widely used by organizations large and small including Tesla, Spotify, CERN, eBay, IBM, Oracle and both Uber and Lyft, among others. Even Apple is getting in on the game, announcing on June 11 that it has joined the CNCF as a platinum end user member.
Containers, as first popularized by Docker, provide a way for developers to compactly build and deliver applications. A “containerized” application is highly portable and runs on top of a container engine that an organization can choose to run on-premises, or in the cloud. Kubernetes integrates a container engine, and provides a way for companies to run and deploy large volumes of containers in a coordinated and resilient way. As companies big and small use containers to deploy and run applications that are part of business operations, there is a need to make sure they stay secure. Simply put, a security issue in a company’s container and Kubernetes stack could put the company at risk from unintentional data disclosure or even a full-scale data breach.
One of the core promises of Kubernetes, and the container technology on which it relies, is that there is a certain degree of security control. As it turns out though, the built-in security that comes with a standard Kubernetes deployment is not always enough to deal with the modern threat landscape.
The emerging market for Kubernetes security solutions has grown as Kubernetes adoption has grown.
The need and the demand for Kubernetes security solutions were on display at the recent KubeCon conference in Barcelona last month, where security vendors exhibited and there were multiple co-located security-focused events as interest in the topic expands. For most organizations, it is all about minimizing the risk around their cloud presence.
“Containers address some of the traditional shortcomings of security and at the same time, they have introduced new attack vectors,” Varun Badhwar, Senior Vice President of Products and Engineering, Public Cloud at Palo Alto Networks, told Business Insider. “Organizations will want to ensure that they have their bases covered and will want to have a container security strategy in place.”
A $410 million bet on container security
Palo Alto Networks, a $19 billion networking company, has a particular viewpoint on Kubernetes security that is backed by a big bet. At the end of May, Palo Alto Networks announced its intention to acquire privately-held container security vendor Twistlock in a deal valued at $410 million. Twistlock was founded in 2015 and had raised $63 million in venture funding.
Robert Ackerman, founder and a managing director of AllegisCyber Capital, a Silicon Valley early-stage cybersecurity venture capital firm, commented that he now sees container security as being “table stakes” for security vendors to have as a capability.
“The Twistlock valuation not only reflects the strength of the company’s technology, but also Palo Alto Networks’ conviction around the market opportunity,” Ackerman told Business Insider. “There is a tremendous amount of future growth factored into the purchase price.”
Twistlock is just one of many vendors that have emerged over the past five years, seeking to fill the security gaps in container and Kubernetes deployments. Rival vendor Aqua Security was also founded in 2015 and completed its $62 million Series C round of funding in April, with total funding to date of $100 million.
Amir Jerbi, co-founder and CTO of Aqua Security, told Business Insider that in his view, it’s likely that more acquisitions will occur in the container security space, though he’s not currently looking at his own company to be one of them.
Container security vendor StackRox got its start in 2014 and has raised $39 million in funding to date. Kamal Shah, president and CEO of StackRox, told Business Insider that as with any strategic market, he does expect additional merger and acquisition activity in the container security space.
“It’s clear from industry conversations we’re having that interest in the container security space keeps increasing,” Shah explained. “Organizations realize they need to address security and compliance requirements for cloud-native applications, and existing security vendors lack offerings in this area.”
Sysdig is another vendor that is active in the container security space, and has raised $121 million in funding for its platforms, which have a strong focus on application visibility. Sysdig CEO Suresh Vasudevan told Business Insider that one of the best signs of an emerging market is when an incumbent places a huge bet of several hundreds of millions of dollars to acquire a startup focused on securing containers – which is to say, what Palo Alto Networks did with Twistlock.
What’s wrong with plain-old Kubernetes?
The need to provide additional security controls for Kubernetes isn’t just hype from these companies, either. There have been multiple publicly reported incidents involving containers in recent years that have raised concerns.
The concerns involve both the configuration of Kubernetes, as well as the applications that run on top of it. The risk to organizations is straightforward: if Kubernetes is somehow compromised, an attacker could gain access to information and corporate resources.
One very public incident occurred in 2018, when electric car vendor Tesla was found to be running a Kubernetes cluster with an unsecured dashboard to power its cloud services. At the time, the default Kubernetes installation didn’t require the use of a username and password to set up the dashboard, which provided access to running Kubernetes resources. Attackers were reportedly able to discover the unsecured dashboard and used the resources to run a cryptocurrency mining operation, until it was discovered and shut down.
It wasn’t just Tesla, either. Security firm Lacework reported that it discovered 300 entirely open Kubernetes dashboards on the public internet, that didn’t have any basic username/password protection. The lack of dashboard security by default is just one of a myriad of details that companies need to consider when deploying Kubernetes.
Beyond potential gaps in Kubernetes itself, there are concerns about the applications that run on it. Kubernetes is infrastructure software that enables applications to run in a highly agile and resilient manner. It’s entirely possible that an organization could end up running insecure or malicious software on top of a seemingly secure infrastructure platform.
An obvious market opportunity
Properly configuring and tuning Kubernetes to be secure is not an easy task. It’s also an obvious market opportunity for security vendors that are racing to help organizations.
StackRox’s Shah commented that while containers and Kubernetes do have native security capabilities, there is also a need to ensure that these technologies are properly configured before they’re formally rolled out. Additionally, Shah said that it’s critical that organizations put controls in place to detect and stop bad actors who still manage to find ways to break in, even once everything is up and running.
Like other forms of modern application deployment, there is also a need for visibility into what’s running to help ensure compliance with different policies. Regulatory compliance is a hot button issue for many companies, whether it’s compliance with PCI-DSS for payment card security, HIPAA for sensitive health information, or data privacy with the GDPR and other emerging efforts.
M&A is coming
Though Kubernetes is only five years old, it’s clear at this point that it is a technology that is here to stay for the foreseeable future.
“Containers and Kubernetes are the foundation of a generational shift in infrastructure, and every significant IT vendor will need a product strategy aimed at being relevant in the cloud-native market,” Vasudevan said.
Chenxi Wang has a unique viewpoint on the emerging landscape for Kubernetes security. From 2015 to 2017, she worked as the Chief Strategy Officer at Twistlock, and in 2018 became the managing general partner of Rain Capital, which has investments in several security vendors. In her view, container and Kubernetes security is a “must have” for both end users and security vendors.
“In 2015 and 2016, when I was with Twistlock, people were asking ‘is this container thing going to take off? Is this market going to be around in a few years?’ and now it is hard to find a single company that does not have some kind of container workloads running in their environment,” Wang said. “If you are running apps in containers but do not have sufficient capabilities to protect them, you are exposing your company to threats.”
While Kubernetes is here to stay, for Steve Herrod, Managing Director at venture capitalist firm General Catalyst, it’s still early days for the container security market. Herrod is no stranger to emerging categories, as prior to becoming a venture capitalist he helped to lead VMware as the company’s CTO.
“I think the demand is generally following the movement of the most mission-critical applications and data into containers, which continues to ramp,” Herrod told Business Insider.
Containers and Kubernetes, however, are not the only concern that companies have from a security perspective. Most enterprises that Herrod meets are looking for solutions that tie into non-container pieces of a workload protection approach.
“Enterprises are looking for vendors that will be good today and tomorrow, so as many of them are making buying decisions, they’re looking for at least a story about how Kubernetes will fit into the product plans moving forward,” Herrod said. “So the bigger vendors will continue to buy the new vendors for the foreseeable future.”