#169 February 23, 2022

Sysdig Cloud Native Security and Usage Report, with Anna Belak

Hosts: Craig Box

Anna Belak learned about containers and security as a Gartner industry analyst. She is now the Director of Thought Leadership at Sysdig, who have just published their latest annual Cloud Native Security and Usage Report. Anna joins Craig to discuss the report’s findings.


News of the week

CRAIG BOX: Hi, and welcome to the Kubernetes Podcast from Google. I'm your host, Craig Box.

[MUSIC PLAYING]

CRAIG BOX: One of the side effects of having just moved between countries, and it having been the summer holidays here in New Zealand, is that I've stayed in a lot of Airbnbs lately. We are the kind of considerate Airbnb guests who like to leave a place better than we found it. And unfortunately, that hasn't been very hard. Today, I want to share a story about refrigerators.

The fridge in house number one is shiny, silver, and modern, but it beeps every time you open it, immediately, the whole time it's open, always. Unfortunately, due to the worldwide supply chain problems, the part required to fix it is apparently a few months away, so you're told. But at least it still keeps the food cold, until the last day of your stay, when all your ice cream turns to soup. It was replaced the day after we left.

Fridge number two just needs a new light bulb, which you know you could order on Amazon and have delivered overnight if you still lived in the UK. But it's New Year's in New Zealand, and so all of the shops are closed, until the 10th of January. You can either get your midnight snack in the dark, or you can wake the house by turning the light on. A replacement bulb was eventually ordered online by the owner and came before we left.

The third fridge also needs a new light bulb and vegetable drawers. Not a huge problem, except for the fact that the poor fridge can't keep up with the hot summer days. So it freezes water on the back and thaws it out again onto the bottom of the compartment where all the vegetables are sitting. Freeze, thaw, repeat. At that point, we thought we'd better tell them, and to the credit of the owner, we had a new fridge installed the next day.

Yet, none of these are the worst experiences you've had. The fourth fridge is the exact same model of fridge you've used every day for the last 10 years, except the door swings open to the left rather than to the right.

Let's get to the news.

[MUSIC PLAYING]

CRAIG BOX: Chaos Mesh has moved to the incubation phase in the CNCF. Originally built by PingCAP to test TiDB, we discussed it with its creator in episode 121. The project now has over 125 contributors from over 60 organizations. Chaos Mesh is one of 30 projects in incubation with 16 having graduated. Google's vulnerability reward program has increased its maximum Kubernetes payout to $91,337, being elite base payment of $31,337 with three possible bonuses of $20,000.

kCTF is a public-running GKE cluster with a flag file you capture by breaking through protections in the Linux kernel, generally by using a zero-day vulnerability. In the last three months, Google received nine submissions to kCTF, including five zero-days, and paid out over $175,000. Google awarded almost $9 million in vulnerability rewards in 2021, with researchers donating over $300,000 of those rewards to charities of their choice.

Security vendors Sysdig and Snyk announced a new partnership this week. Posts from both companies tout the benefit of combining Snyk's developer tools with Sysdig's runtime security, promising a security solution that spans the full dev and ops cycle. Finally, congratulations to the team at KubeCost, who we spoke to in episode 124. The company, which now oversees over $2 billion of customers' Kubernetes spend, has announced a $25 million series A finance round, led by Coatue Management. A valuation was not announced.

And that's the news.

[MUSIC PLAYING]

CRAIG BOX: Anna Belak is the director of Thought Leadership at Sysdig and a former Gartner analyst focused on vulnerability management, security monitoring, and DevSecOps initiatives. Welcome to the show, Anna.

ANNA BELAK: Thank you, Craig. I'm very happy to be here.

CRAIG BOX: Last time, we had a materials engineer on the show. I asked him how we were doing at turning lead into gold. You have a PhD in the subject. Has anything changed since then?

ANNA BELAK: I'm going to guess not, because we're not that good at this, and we never will be. But we are pretty good at turning sand into computers. So that's something.

CRAIG BOX: I've heard people say it's like we taught a rock to think.

ANNA BELAK: Absolutely, which is quite impressive, I would say.

CRAIG BOX: Why are all the physical sciences people doing all this digital stuff these days? Is this the software eating the world that we were told about?

ANNA BELAK: That is the romantic charming answer, but, actually, it's because it just pays better.

CRAIG BOX: There's been a little bit of a resurgence in hardware recently with the low-cost PCB manufacturing and so on. You don't think people will be more interested in going back into more physical stuff over time?

ANNA BELAK: I'm technically a computational scientist. So I can't help you with that.

CRAIG BOX: Is that a case of just-- that was the degree that was available to you at the time? Would you have done a computer science thing if it was available?

ANNA BELAK: [CHUCKLES] It was totally available. I actually thought I wanted to be a physicist. And then, I decided that was too abstract. So I wanted to be an engineer. And then, that was too abstract. So I ended up in IT. [LAUGHS]

CRAIG BOX: And how is being an analyst any less abstract than any of those things?

ANNA BELAK: That's an impolite question that you shouldn't ask, because it's too late now. [LAUGHING]

CRAIG BOX: Well, I was going to say that, in 1966, a 24-year-old Paul Simon asked the question, can analysis be worthwhile? What does an analyst do, and how does one become one?

ANNA BELAK: That's actually a great question. What analysts do really is analysis. I am a lapsed analyst; I am, well, Anton says "a recovered analyst". So I guess it's the same thing. I do think analysis is worthwhile. Although, it certainly depends on what you think it means.

CRAIG BOX: I think he was perhaps referring to psychoanalysis at the time. So we'll give him a pass.

ANNA BELAK: Well, to be fair, I would argue that industry analysts do a decent amount of psychotherapy, for whatever that's worth, because man, things are bad out there. But ultimately, the goal is to essentially be an information broker. You collect information about how the industry is doing, and you try to help people do better. And that's the dream.

CRAIG BOX: Is that something that's best done by an independent party versus you going out and gathering your own information? Are there economies of scale to it?

ANNA BELAK: Absolutely. Yeah. And you actually do get a lot more exposure to different kinds of things. So the breadth of your understanding is much broader when you're an analyst. So you may not know anything super deeply, but you know many things very broadly. And that could be very useful to all kinds of people.

CRAIG BOX: Perhaps I've been an analyst all along, and I've never really known it.

ANNA BELAK: We all are on some level.

CRAIG BOX: What was your journey from your physics and material engineering background to end up as a Gartner analyst?

ANNA BELAK: It's actually a funny and dumb story. But like I said, I decided that I didn't really want to stick into science, because I am very low on patience and I'm in need of instant gratification. And science moves quite slowly. So I did consulting for a little bit, and then I didn't like it. So I quit. And I decided I would find the perfect job. So I went on LinkedIn. Like you do, I typed in things like--

CRAIG BOX: Perfect job.

ANNA BELAK: Perfect job, yeah. Energy storage, and lithium ion bat, whatever, all those things I worked on in grad school. One of the results that LinkedIn threw at me was about data storage, like hard drives. And I was like, eh, sounds technical. I'll throw a resume into the abyss, and, dot, dot, dot, Gartner hired me to cover containers. [LAUGHS]

CRAIG BOX: Excellent. And hard drives, they're made of rocks as well, I guess.

ANNA BELAK: Absolutely. And magnets.

CRAIG BOX: If you think back to your first few weeks on the job, how did that go for you?

ANNA BELAK: It was actually a lot of understanding what people really need to know. So as an analyst, your job is to answer lots of questions from end users mostly. The first thing is, what are the questions they're going to ask? And the second thing is, how do you answer that question in a useful way? It's fairly easy to answer a question in kind of a hand wavey way. But to answer it in an actionable way is actually incredibly hard. That was probably the hardest thing I had to learn in the first year of Gartner, is how do you give advice that is in fact actionable and useful.

CRAIG BOX: You're coming at this perhaps without the background of having been someone who would have tried to action that advice. How do you cross that chasm?

ANNA BELAK: That is true and is actually quite hard. So what I did was the only thing I knew how to do, and I called people who know. And I asked them to show me their data center. So I made a lot of friends, actually, in the industry who were practitioners. And I would just shamelessly ask them questions and tried to run my ideas past them, so that I didn't say things that were dumb, basically.

CRAIG BOX: Are there a lot of data centers left?

ANNA BELAK: Yes.

CRAIG BOX: They're not at risk of going extinct?

ANNA BELAK: I don't know if they're going to go extinct, but I'll tell you that the one I visited is in fact extinct. So maybe I'm wrong.

CRAIG BOX: You were at Gartner for six years. As you mentioned, that's helping a lot of individual customers with a very broad approach looking at the entire container and security industry. Did you specialize in anything in particular over that time? You're obviously working in the security space now. Was that something that came about through a personal interest or through customer demand?

ANNA BELAK: Both. I actually have always had an interest in security, but security is known for being fairly difficult to break into, especially at entry level. So I never thought I would end up there. The thing I worked on first at Gartner was Docker and containers in Kubernetes, because what happened was I joined in 2015. This is when this became a topic that Gartner should talk about.

But because nobody was an expert in it, they were like, why don't you do it? And I was like, sure. So that's what I did for about three-ish years. And then, what happened was I got a chance to join the security team, because they had an opening. They needed someone to go work on that team. And I was like, I don't know anything about security. And they were like, that's fine. We'll teach you. So they did. And now, I'm an expert. That's how you become an expert.

CRAIG BOX: What kind of things did you learn?

ANNA BELAK: How much time do we have?

[LAUGHTER]

So on the security side, I joined the security operations team, which covers things like security monitoring, vulnerability management, as you mentioned. It's actually more traditional stuff than I covered on the container side. So the cool thing about that combination is that I think a lot about things that cross that chasm of modern workloads, modern application architecture, cloud native patterns. And then, how do we apply to them all of the security stuff that we've always had to do in a way that isn't going to make everyone sad?

CRAIG BOX: A lot of people talk about security as a continuum between secure and usable. Perhaps the most secure system is one where no one's able to touch it. Where is the right place for an industry to sit on that? Is it different for every user, or is there somewhere that you can say is a happy medium for everyone?

ANNA BELAK: I don't think there's a happy medium for everyone. It's probably a more organizational decision, like maybe by business unit or by some other scope like that, because many times, you just have to take measures that users don't like, because users don't necessarily care about security, depending on what kind of users they are.

CRAIG BOX: I have a security key on my laptop, and a lot of people these days have little hardware tokens for VPN access or their bank, for example. Do you feel that there is a perception change in the average member of the public about security that makes it easier for organizations to implement it now?

ANNA BELAK: I want to believe that that's true. Although, the reason that I think it's becoming more true is sad, and it's that we just see a lot more public attacks that are successful and damaging, like ransomware and so on. So it's good and bad. At the end, it's a risk decision. So I actually don't have that much protection on my laptop, because I don't keep much of interest on my laptop. Don't come at me. It's not an invitation. But it depends on what you're trying to protect. So if it's not worth protecting, then don't protect it.

CRAIG BOX: This is a great time perhaps to bring up the concept of cryptocurrency and the fantastic-- I'm not even sure what the right way to describe exactly how fantastic the idea is that now there is a way for criminals to collect real-world money in a fashion that allows them to do these ransomware attacks has really changed the way that security needs to be enforced and also the kind of things that people are doing.

ANNA BELAK: I find the whole thing thoroughly depressing. But I do own a really cute Doge.

CRAIG BOX: I've seen its picture. We'll put that in the show notes. How, then, did you end up working at Sysdig?

ANNA BELAK: It's also an interesting story, because it totally wasn't planned, and it just happened. But it so happens that when I switched from DevOps and container stuff to security stuff at Gartner, Sysdig also made this pivot from being an observability company to being a security and observability company. And I didn't actually cover them as much in my new role, because my focus was more on SIEM and vuln management and those kinds of things.

But I kept track of them. And then, when I decided that it was time for me to depart Gartner and go do something real in the industry, they were on my short list. And it turns out they have a really awesome team that I fell for. So here I am.

CRAIG BOX: You mentioned there the change from Sysdig being a pure play observability company. I remember learning first about them as an open-source observability tool that the creator of Wireshark released in 2014. We talked with Leonardo Di Donato in episode 91 about the Falco project. But we haven't really talked so much about the commercial offering and what Sysdig is now. What is Sysdig in 2022?

ANNA BELAK: So Sysdig today has definitely come a long way. In fact, I actually met Sysdig-- I should have mentioned this. I met Sysdig for the first time at Tectonic Summit in 2015. And so I met Loris and the five other people at the time that cared about Kubernetes, and it was amazing.

CRAIG BOX: Was that the one at "The New York Times" building? Or was it the one--

ANNA BELAK: It was in a basement of some building in New York, yeah.

CRAIG BOX: All right. I might have been at that.

ANNA BELAK: Yeah. It's very possible that we actually have met before. So that was really cool. And these people were really nerdy. And so what actually was really clear to me at the time-- this was one of those stunning realizations that you get at Gartner. Gartner clients are very enterprisey. So they have these robust programs, and lots of enterprise features, and things. And Sysdig was part of this community of super early adopters of a brand new technology. And they built something very necessary for that moment in time, which was really cool.

But now, years later, I think what's happened is the industry has evolved. So all of those things that were just cool open-source tricks then now are real technology adopted by real companies at scale. And so Sysdig as well has grown as a company to meet those needs, including on the security side. So today, we offer cloud and container security throughout software development lifecycle. We will scan your stuff. We will detect bad things happening to your stuff. We will take care of you and help you help yourself.

CRAIG BOX: You had an announcement in December raising a $350 million series G round valuing the company at $2.5 billion. So clearly, you're doing something right.

ANNA BELAK: The industry sure seems to think so. And we are growing like crazy, and we're hiring.

CRAIG BOX: When you are a founder who wrote an open-source tool or many open-source tools and now finds themselves as the CTO of a $2.5 billion company, what do you do day to day?

ANNA BELAK: You write more open-source tools, actually, I think.

CRAIG BOX: He's still very happy in that role?

ANNA BELAK: He does many things. He does a lot of speaking. He does a lot of product direction stuff, actually. He works very closely with our product engineering teams. But he is the kind of guy that is brilliant and loves to invent things. So he's always working on something new.

CRAIG BOX: Italian guys seem to love eBPF. That's my observation.

ANNA BELAK: No comment.

CRAIG BOX: You don't even need to subscribe to analysts to get that sort of insight from this podcast.

ANNA BELAK: Yes.

CRAIG BOX: One thing that Sysdig has been doing for many years now is publishing a report on usage of containers and now, obviously, container security. In episode 137, we talked to Michael Gerstenhaber from Datadog about their container report. And I remarked how you can see a trend in the industry about how it started as the Docker report. When Sysdig first published it, it was a Docker usage report. And then, let's say container usage report. Then, container security and usage. And now, it's cloud native security and usage. What should I read into the name changes over time?

ANNA BELAK: I'm going to say it's the same thing as I mentioned in that the company is evolving as the industry is evolving. But if I'm completely honest, we're trying to name it in a way that appeals to the people who might care. In 2017, or what have you, the people who might care were a much smaller group than nowadays when we address more features and we have more people who are interested in us. So hence, the scope creep, if you will.

CRAIG BOX: I did see that Docker as a runtime is still quite high in your usage stats.

ANNA BELAK: It is declining, though. And I believe it's down below 50% for the first time this year.

CRAIG BOX: Given that almost all the people you're tracking are running Kubernetes and given that Docker will not be supported as a runtime in Kubernetes from an upcoming release, it feels like it's on a slow path to its exit?

ANNA BELAK: Yeah. I think it served us well. It was amazing and beautiful. And now, it's time to perhaps move on.

CRAIG BOX: It lives on in the form of containerd.

ANNA BELAK: Absolutely.

CRAIG BOX: Is there anything that you still track longitudinally since that 2017 report?

ANNA BELAK: We do. So there is some data in the actual report that's exposed that we track over time. For example, the container density data, which is continuing to increase but is actually leveling off now. So we do see that the number of containers per node is growing year over year since then. But actually, we track a lot of data on the back end, that goes back a long time. We keep it for quite a while. So we don't expose all of it, but we do collect a lot of it and actually look through it.

CRAIG BOX: Now, it's very important to point out that what you're publishing here is a usage report as opposed to survey results. Not everyone understands the difference. How do you see the difference between the data you can get out of usage versus surveys?

ANNA BELAK: Absolutely. We didn't ask anyone any questions about their feelings. We just pulled the data out of our literal SaaS back end unless you opted out, because you are absolutely welcome to opt out for your privacy. And then, we looked at that data in hopefully interesting and meaningful ways. So some of that is just running queries. Some of that is looking at stats over time. And then, people like me and various other folks, Thought Leadership, various other folks in the company will come up with questions we can ask that data set. And we publish those. And if we find a question we can't answer, then we just create more data.

CRAIG BOX: How do you decide which questions you want to ask? You obviously have a giant data set. You can look for things that stand out in that. Or you can say, I have a theory or a hypothesis. And is that borne out by this data?

ANNA BELAK: All of the above, essentially. We surface things that we imagine everybody cares about or those trends over time, like, how many containers are on a node? Is Kubernetes the most popular? Et cetera. And then, we will also have some hypotheses, like, I thought that this vulnerability number of how many containers are actually vulnerable would be high. But I didn't know how high. So I wanted to know. That was just a question that we chose to ask. And it turns out I was right. It was high.

Another question is, why? How do we fix it? So some of it is just curiosity. Some of it is trying to identify things that might be indicative of patterns that aren't great or patterns that are great. So if we see things that we would like our customers to drive toward or away from, and we can find data to support that and then help them, that is also part of the process. But that's more of a continuous process in product development than just for the report.

CRAIG BOX: Let's, then, dig into some of the key findings from the report starting with, as you mentioned, 75% of containers have either high or critical patchable vulnerabilities. Why doesn't this bother people? And shouldn't they just have a machine fix it for them?

ANNA BELAK: I think it does bother people in that they lose sleep over it. But I'm not sure it's that simple to fix. I do, obviously, subscribe to this whole philosophy of CI/CD everything, and automated testing, and just kill the container, and release a new one, and all that. But I think the reality is that it's actually fairly difficult to operationalize that for every single user.

Here's an example. If you have a vulnerability in a database that is part of your application, and you need to fix it, you have to make sure that your application will still work when you update to the new version of the database. So somebody has to go and spend the time to apply the fix, to test everything again, then to re-release it to make sure everything is working fine. So it's not like automatically you're going to deploy this new image, and everything will be fine, because there's still dependencies and there's still things that can break.

So, at the end of the day, this is work you're prioritizing against releasing cool features faster, so you can make more money. And one of those is obviously more appealing.

CRAIG BOX: This is our secure versus usable continuum back again.

ANNA BELAK: Absolutely. Or secure versus profitable. I don't know.

CRAIG BOX: If I was a single organization and I was told 75% of my containers had high or critical vulnerabilities, I might perhaps be able to dig in and say, well, it turns out that I host all my things using the Apache web server, for example. And I can address 40% of those containers by volume simply by patching that. Is there something like that that's true here? Or is the distribution of what people run so broad that there's no way of saying, hey, one or two simple things can pay that number down very quickly?

ANNA BELAK: It's hard to say for sure. These are all containers that anyone runs. So if you broke this down by org, which we can do but we haven't exposed, you can probably see how certain orgs perform. One thing we do notice is that there are orgs that actually have this number down very low. They have this number down to 4% or 5%, which means it's feasible to fix these things. So I do imagine that a lot of them are just neglected work that hasn't been done. But in many cases, it may also be a vulnerability that's just mitigated. Maybe you've accepted that risk, and you have mitigations in place. So you don't actually care that much that it's there.

CRAIG BOX: If I'm, again, as an individual user perhaps looking at my Sysdig dashboard, am I able to say, yes, there is a vulnerability on this service that's running on port 1, 2, 3, but that port's firewalled, and I know, and, therefore, I'm fine?

ANNA BELAK: So yes. The tool allows you to see which assets these vulnerabilities are attached to and some of the context about them. So you can reason about the service that they're part of. You can reason about the network connectivity of that system, and so on. But, if I'm honest, it's fairly difficult to actually tell when a mitigating control is in place or is performing. So I can never say, for sure, you're mitigated. That's a decision your business has to make.

CRAIG BOX: Another security-related finding is that 48% of accounts don't have multifactor auth enabled, and that 27% of users have unnecessary root access - and most of those also don't have multifactor auth. Is that referring to provider accounts like the AWS console versus the Kubernetes service underneath it?

ANNA BELAK: Yeah. So this data comes from essentially a CIS benchmark compliance point of view. And so this is about the user account. And the best practice, if you will, is that you shouldn't use that account for willy-nilly random tasks, and you should definitely have MFA enabled on that account. And, as you can see, that's not necessarily the case. My theory is it's, again, that security versus usability story of, look, it's just faster to use that account, because it's like sudo and it's wonderful. But unfortunately, that's opening you up to some security risks.

CRAIG BOX: Would you advise organizations that they should give people kubectl or CI tooling and not actually let them near the keys to the cloud console?

ANNA BELAK: I absolutely strongly believe in least privilege forever. So I think as far as you can go into least privilege is as far as you should go.

CRAIG BOX: The report says that large organizations could be overspending by as much as $20,000 per cluster. Is that just because they're not running on GKE?

ANNA BELAK: I don't know. [LAUGHS] Probably. This data is about Amazon. So that's numbers that we-- [LAUGHS]

CRAIG BOX: The way you actually calculated that number is to say that 50% of containers have no limit defined and that, then, 34% of them have unused CPU. We have GKE Autopilot. Other clouds have similar services. We are able to basically just throw the workloads there and say, use only the resource that they require. Is that something that more people should be using?

ANNA BELAK: Yeah. And I think with that kind of approach there's always a trade-off. If you don't know any better or you don't want to think about it, you should absolutely use something like that that will do it for you. If you require precise control over your workloads, then you should probably roll your own. And we do see, in fact, that the folks that use the Sysdig dashboards that show them this kind of data have much better capacity utilization metrics than people who don't track it.

CRAIG BOX: I think that's fair enough. And people for whom it's coming out of their own pocket might care a bit more than people for whom it's coming out of some corporate budget. Another finding here is that 73% of cloud accounts exposed S3 buckets. Is that an Amazon S3 thing? Or is it generic to all cloud provider storage?

ANNA BELAK: So this data in particular is about Amazon. And it's about S3 buckets specifically, because that's where most of this data happens to have been pulled from. I suspect that this is true across the board. So I don't think this is an issue of which provider you're using. I think it's more of an issue of people just having poor security hygiene in the cloud. But there's a caveat, of course. Maybe I'm ruining your next question: some buckets deserve to be open.

CRAIG BOX: Yeah, of course. This podcast is hosted on a Google Cloud Storage bucket. It's a very convenient way of making data available to people. And I think a lot of people will use it like that. Should we worry about the fact that that number is so high? Or is that just indicative of the fact that it's doing what it's meant to do?

ANNA BELAK: I think it is worth worrying about that number being high, because the question is, how many of them do you think should be open? And my guess is less than 73%. Obviously, for your organization, you should think about what data is in that bucket and how much protection you need to provide for that data. And if it's not very much, that's totally fine, as long as you have the visibility, and you've actually made that decision, and you didn't just accidentally into some business decision.

CRAIG BOX: 62% of customers detected shell-in-container events. Is that just an indication that they are debugging in that fashion and treating containers like VMs, or is that some kind of crypto mining thing running we should be worried about?

ANNA BELAK: Unfortunately, it's very hard to tell. This is very frustrating, because, realistically, if people didn't shell into containers for sport, or admin purposes, or debugging, or other legitimate non-scary reasons, it would be much easier to notice when scary things are being done via shell-in-container. But because people still do treat them like VMs and do shell into them at their whim, it is actually harder to notice malicious activity of this nature, because it's difficult to discern legitimate from malicious shells.

CRAIG BOX: And that's where something that would look at your system calls, for example, and see what you're actually doing with that shell might come in very useful.

ANNA BELAK: Exactly. Yeah. So the more context you can gather about what's actually going on around that specific shell, the more likely you are to provide a, let's say, enriched event that can say how much you should care, if you will.

CRAIG BOX: Speaking of people treating containers like their VMs, 76% of containers run as root. If I have a single-user machine, then running a thing as root on that machine is theoretically OK, because I'm the only thing on it. Should containers just protect me from this? Or should I just disallow running privileged containers across the board, for example?

ANNA BELAK: As an analyst, I have to say it depends. But I think we're back in the object storage bucket situation. Some things deserve to run as root, because they have to or because they can't function, otherwise, and so on. But most things likely don't deserve to run as root.

So this number, 76%, seems incredibly high. I would like to see it be much less than 50%, actually. That would be my guess. So yeah, you have to be very deliberate, I think, about not running things as root. But again, least privilege wins. So if you are using something like Autopilot that will prevent you from doing silly things, then you'll probably be better off.

CRAIG BOX: And the last finding that we want to talk about here, 88% of cloud roles are non-human. Are those the ones that are dancer?

ANNA BELAK: They may be the ones that are dancer in that if you're an admin dancing through multiple roles, you have to assume you're going to be a dancer. But that's the situation. You're supposed to create these narrowly scoped roles that allow you to perform very specific tasks. And then, your admins are supposed to assume them to perform those tasks, and nothing else.

In reality, that's probably frustrating and difficult, especially when you have this beautiful super user account you can just use for whatever you want. So they're probably choosing not to dance when they really should be dancing.

CRAIG BOX: That said, 88% is quite a high number. That was obviously one you'd rather drive up than drive down. Are you happy with that?

ANNA BELAK: I don't know if I have a strong opinion about what this number should be in terms of human versus non-human.

CRAIG BOX: You're an analyst. It depends!

ANNA BELAK: It does depend. What I'm much more concerned about is the permissions of those roles. Probably, most of those roles are over-provisioned. And I care more about the permission status of any given role than I do about the number of roles or the ratio of roles.

CRAIG BOX: How can people use the information from this report? We're talking here, for example, about permissions on roles; there are tools provided by the Kubernetes ecosystem and by the cloud vendors themselves to look at permissions on roles. Is this something that people should be reporting on, or perhaps plugging into their alerting system to keep track of how many users have roles that have too broad a permission scope, for example?

ANNA BELAK: My short answer is put it under your pillow and cry at night. But realistically, yeah, you should keep track of the permission status of your roles. You should be trying to enforce least privilege. And for all of the rest of these data points, too. Some of it is just fun, interesting, state-of-the-industry information about how we're doing.

And there are interesting takeaways there too. We notice when we look at the container density trends and the container lifetime trends that, not only are people becoming more mature, but we also are seeing more broad adoption of this technology. So that's really cool. But those folks who are just coming onto this now probably have a lot of learning curve to climb. So if you can look at this data and check yourself against how you're doing, if you can use it as motivation for your teams to be more cloud native, then I hope that's great.

CRAIG BOX: As Sysdig has changed from an observability to a security company, have the analysis done for these reports, or the reports themselves and the perception the public has of them, caused any product changes or directional changes in the work Sysdig is doing?

ANNA BELAK: I'll say that the report itself doesn't usually inform product decisions. But what often happens is the type of data that we gather that does inform product decisions may end up in the report ultimately, because it is interesting or it points to a specific industry trend or something like that. You will also see as we roll out new features, the data that we gather about those features will appear in the report. And so you'll see new things every year that are just reflective of what we're doing that's different.

CRAIG BOX: Is there a way for external parties to get access to data sets like this in an anonymized fashion to be able to ask questions of it that perhaps you and your team didn't think of?

ANNA BELAK: I think that's probably incredibly difficult, because there are huge, huge data protection and privacy concerns with that. We certainly would never share our raw data with anybody, because we have to protect our customers. If you have a question that you would like answered with our data set, I would love to hear about it, and we could try to make something happen if it's feasible. But that's about the best I can do.

CRAIG BOX: It's very hard, I guess. When you look at things like the recently published CNCF survey, there is an evolution over time in the questions that are asked. But there are a lot of things that would be great to answer with an anonymized selection of things versus the self-selecting people who are willing to fill in the survey. Do you think there is scope for some kind of industry-wide, for example, like an agent that you can choose to run in your cluster which uploads data that's pseudonymized or so on to give a central place where we can get usage data rather than survey data?

ANNA BELAK: You mean like a cryptominer?

CRAIG BOX: Well, I'm thinking more about a little helper agent that gets installed.

ANNA BELAK: Oh, gosh. First of all, I don't think anyone will agree to run another agent on their system. But--

CRAIG BOX: Fair enough.

ANNA BELAK: --yeah. That would be cool, actually, if it were possible. I don't know if we could ever get that to happen. But it would be pretty cool.

CRAIG BOX: I know it was something that was talked about in the early days of Kubernetes, but I think it was probably put in the too-hard basket. As has been made clear throughout, obviously, it depends, but is it fair to say that for each organization there is one impactful thing that they can do, and that's perhaps different for everyone? Is there a spray of things that need to be worried about? Certainly, your organization will need to do one of these things; which is the lowest-hanging fruit?

ANNA BELAK: In my attempts to be analyst-level helpful, I'm going to try, but it's going to hurt, because there are so many things you really should do. I'm going to say the first thing is boring, but it's true. And you should take care of your basic security hygiene first. If you don't really understand how to even assess the security of your environment, you can't really worry about all this advanced stuff. So you get the basics right. That's like vulnerability scanning, configuration assessment, those kinds of things. Just make sure that you're doing your best to prevent bad things from happening.

But ultimately, what you need to think about is a holistic view, if you're writing code. We're assuming you're writing code. From the code you create, to its testing, to its pre-prod, to its production, and ultimately after we release it into the wild to let it run forever and live its beautiful life, or, as the case may be, run for 10 seconds until it's re-released, to make sure that you're watching what's actually happening to it and not just believing that because you checked beforehand you're going to be OK forever, because new vulns get disclosed. Attacks come at you. Prevention fails, et cetera, et cetera. So get that stuff on the left done first, but don't forget to actually monitor your thing for security.

CRAIG BOX: Great advice. And thank you very much for joining us, Anna.

ANNA BELAK: It's been an absolute pleasure.

CRAIG BOX: You can find Anna on Twitter at @aabelak, and you can find the Sysdig Cloud Native Security and Usage Report at sysdig.com.

[MUSIC PLAYING]

CRAIG BOX: That brings us to the end of another episode. If you've enjoyed the show, please help us spread the word and tell a friend. If you have any feedback, you can find us on Twitter @kubernetespod or reach us by email at kubernetespodcast@google.com. You can also check out the website at kubernetespodcast.com, where you will find transcripts and show notes as well as links to subscribe.

Please consider rating us in your podcast player, so we can help more people find and enjoy the show. Thanks for listening, and I'll see you next week.

[MUSIC PLAYING]