
Highlights of CNCF Cloud Native Security TAG Survey

Edited: December 17, 2025


TL;DR

  • The CNCF Cloud Native Security TAG Survey highlights a strong industry push toward modernizing cloud-native security, with 85 percent of respondents prioritizing it.
  • Security policies remain largely manual and trial-driven, increasing operational risk and slowing DevSecOps maturity.
  • Open source security is widely trusted, but organizations struggle with visibility, secure-by-default configurations, and policy automation.
  • Edge adoption introduces new risks such as misconfigurations, unpatched vulnerabilities, and network exposure.
  • Platforms like AccuKnox align closely with these challenges by enabling automated policy management, runtime visibility, and open-source-first cloud-native security.

Why the CNCF Cloud Native Security TAG Survey Matters

The CNCF Cloud Native Security TAG Survey provides a practitioner-driven view into how organizations are actually securing cloud-native environments today and where they are struggling. Rather than theoretical guidance, the survey reflects real adoption gaps around automation, visibility, open-source trust, and operational complexity.

The findings show a clear mismatch between how fast cloud-native platforms are evolving and how slowly security practices are adapting. While teams understand the need to modernize security, many still rely on manual policies, fragmented tools, and perimeter-based assumptions that don’t scale in Kubernetes, multi-cloud, or edge environments.

By highlighting these gaps, the survey helps organizations prioritize what matters most: secure-by-default controls, automated policy enforcement, runtime visibility, and open, interoperable security foundations. It also reinforces why Zero Trust–aligned, cloud-native security models are becoming essential, not optional, for modern workloads.

Here are the highlights of the CNCF Cloud Native Security Technical Advisory Group (TAG) Survey. The article directly quotes the whitepaper as a blockquote and adds commentary on how AccuKnox can help address some of the challenges mentioned in the Microsurvey.

#1: Modernizing Security is really important

An overwhelming 85% of respondents indicated that modernizing security is very important to their organization’s cloud native deployment. Another 12% believe it is somewhat important, and 3% feel neutral. No one indicated that it is not important.

#2: Security policies are not fully automated and are driven by trial and error

Security Policy chart

AccuKnox automates the policy lifecycle:

AccuKnox makes it easy for organizations to adopt fully open-source security components and to automate the entire policy auto-generation and auto-approval cycle, with the following user personas and user journeys:

Policy Lifecycle diagram

#3: Open source security is widely trusted

82% of respondents said it’s important that the security systems they implement are built using open source software. No one indicated that they felt open source was too risky to trust, a sign that Linus’ Law is well understood.

AccuKnox’s open-source solutions

AccuKnox is built on open-source-first foundations, and our contributions include:

#4: Key Challenges include

  • A lack of technical expertise (58%). This is not surprising, as talent shortages have been reported in many other areas of software development. Cloud native security is also a broad field, so the demand for security professional talent is high.
  • Trouble matching new methods and processes like DevOps and CI/CD with existing requirements, tools, or processes (51%). This is a well-known gap in the community: existing compliance frameworks have yet to catch up. While necessary, it is not a particularly exciting area, as we’ve seen with the general limits of automated compliance tooling (OSCAL being an exception).
  • Data Security (49%). Seeing this high up on the list is actually a good thing. Organizations are considering shifting to a data-centric security model and might be positioning themselves to begin looking into Zero Trust. It may become a more prolific area of focus in the coming years, so be sure to keep an eye out.
  • The complexity of building, deploying, and management (46%). This likely ties back to the lack of technical expertise. Like all technology revolutions, modern security requires a cultural shift, and many organizations are still figuring out how to do this. There is no “easy out” on cloud native journeys, and there certainly isn’t one for cloud native security. Each organization will need to learn and transform its approaches and processes while considering the existing documentation and papers available in this space, another area where TAG Security contributes.

#5: The biggest concerns in Cloud-Native Security

Cloud-native chart

No secure-by-default guarantees or options (53%). This could be due to a lack of certifications or conformance with existing practices. Projects adhering to CII and adding a badge to their repositories could help to alleviate this concern around how projects were developed securely. However, it does not express a project as secure-by-default. There have been several nominations and ideas around the growing attestation of secure-defaults, but this is still nascent.

Visibility into systems, networks, and traffic (50%). While cloud native monitoring tools like Prometheus exist, they are primarily used for tracking performance. Tools like Falco will help, but they are still in the early stages of adoption.

Lack of information or understanding of threats to third-party software and publicly available code (39%). This is a problem with open source software in that no one is charged with providing this information. Foundations and groups need to work together to fill this need.

The health of the open source projects used to build cloud native (35%). This is another area where adding a CII badge or other security label could help to ensure conformance with secure development.

Lack of documentation explaining projects’ security (35%). This is often missed by projects that are not designed for security. The Security TAG encourages projects to complete a self-assessment and submit a pull request to their repo (for independent storage) to help identify gaps in documentation.

#6: Concerns about edge adoption include:

Misconfiguration (31%). This is due to a lack of documentation and testing for secure configurations.

Unpatched vulnerabilities (18%). Organizations should increase their release and update cadence to help address this.

Backdoors into the corporate network (15%). This underscored the importance of having identity and access management tools available and ensuring they are being utilized correctly.

#7: Cloud-native projects addressing edge computing should have the following (security) capabilities

  • Detect and identify suspicious behavior (65%)
  • Secrets management (55%)
  • Data protection (55%)
  • Intrusion detection (53%)

Cloud computing graph

#8: Vendor Lock-in Concerns

Organizations would like to have multiple open source alternatives for the following proprietary technologies:

  1. Key Vault, Vault (59%)
  2. Splunk, ELK (53%)
  3. AWS Key Management Service (30%)
  4. HSM replacement (23%)

Cloud Security graph

AccuKnox can now protect your Kubernetes and other cloud workloads in minutes, using kernel-native primitives such as AppArmor, SELinux, and eBPF.

What These Findings Mean in Real-World Cloud-Native Environments

In real-world cloud-native environments, the survey findings translate into daily operational challenges for security and platform teams. As Kubernetes clusters, microservices, and edge workloads grow, security teams are expected to keep pace without slowing development, yet many still depend on manual processes and disconnected tools.

The lack of automated, secure-by-default controls means teams often discover risks only after deployment. Limited runtime visibility makes it difficult to understand how workloads actually behave, while trial-and-error policy creation leads to over-permissioning and configuration drift. At the same time, increasing reliance on open-source components and third-party software expands the attack surface without clear ownership of risk.

For organizations running multi-cloud or edge environments, these gaps are amplified. Misconfigurations, unpatched workloads, and weak identity controls can quickly turn a single exposed service into a broader security incident. The survey underscores a clear need for cloud-native security approaches that are automated, observable at runtime, and built on open foundations, so that security scales as fast as the infrastructure itself.

FAQ

What is the CNCF Cloud Native Security TAG Survey?

It’s a survey conducted by the CNCF Cloud Native Security Technical Advisory Group (TAG) to understand trends, challenges, and priorities in cloud-native security across organizations worldwide.

Why is security policy automation a major concern in cloud-native environments?

Many teams still rely on manual or trial-and-error processes to enforce policies, which increases misconfigurations, inconsistent access controls, and security gaps across workloads.

Why do organizations prefer open source for cloud-native security?

Open source provides transparency, flexibility, and community-vetted solutions. Organizations can customize and automate security tools while relying on collective expertise to maintain robust protections.

What are the main security risks associated with edge computing?

Edge workloads face misconfigurations, unpatched vulnerabilities, and potential backdoors into the network, making identity management, monitoring, and runtime security critical.

How does AccuKnox help address the challenges highlighted in the survey?

AccuKnox automates policy lifecycle management, provides runtime workload visibility, enforces Zero Trust controls, and leverages open-source primitives like eBPF and KubeArmor to secure cloud-native and edge workloads efficiently.
