Gartner recently released a Technical Professional Advice report titled “Container Security — From Image Analysis to Network Segmentation, Options Are Maturing”* (by Joerg Fritsch and Michael Isbitski, 28 August 2018), with a detailed analysis of the space, including open source tools and commercial solutions.
We’re pleased to see Aqua mentioned in this report, both for our Aqua Container Security Platform capabilities, as well as our free offerings and open-source tools.
This report is the most in-depth technical report we’ve seen from Gartner on this space, and we believe the fact that Gartner has published such a report is, in and of itself, an indication of the level of interest and adoption that Gartner clients are showing.
One of the key recommendations in the report is to “Secure containers holistically through integrating controls at key steps in the CI/CD pipeline. Focusing solely on runtime controls — as you would for software installed on VMs — will leave you vulnerable at many ends.”
This is very much in line with what we’ve been seeing in the field, and a great opportunity to review some of the trends and requirements that customers emphasize.
Integrating Security Into The CI/CD Pipeline
From the start, this is something we’ve been professing and practicing. There are two reasons why it’s such a prevalent part of any approach to container security.
First, it’s the right thing to do from a security standpoint, since reducing the attack surface and using preventive controls to make sure no “rogue” images are allowed to run are very effective measures, which also make more advanced runtime controls more effective. It’s the difference between plugging a few holes and trying to plug holes in a sieve…
The second reason is organizational, stemming from the way that containers are adopted in the enterprise. Mostly, containers are a groundswell that starts with application developers. They happen because developers like using them. Once an application is approaching production readiness, organizations start thinking about security — and better to do so then than after the application is already deployed in production. So having controls around this process early on is a natural first step.
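The “no rogue images are allowed to run” control described above is usually a gate in the pipeline: the image is scanned, and a policy decides whether the build may be promoted. The following is an added example of such a gate, not code from Aqua or from the Gartner report. The scan-result field names (`registry`, `digest`, `signed`, `vulnerabilities`), the approved-registry list, the policy thresholds and the vulnerability identifiers are all constructed for illustration and do not correspond to any real scanner’s output format.

```python
"""CI/CD image admission gate (added example, constructed data).

Evaluates a scan result against a policy before an image is promoted or
deployed. The input dictionary layout is an assumption made for this
example, not the output format of any particular scanner.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed allowlist: only images from the internal registry may be deployed.
APPROVED_REGISTRIES = {"registry.example.internal"}


@dataclass
class Policy:
    block_severities: frozenset = frozenset({"critical"})  # any of these fails the gate
    max_fixable_high: int = 0        # fixable High findings tolerated before failing
    require_digest: bool = True      # reference must be pinned by sha256 digest
    require_signature: bool = True   # image must carry a verified signature


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_image(scan: Dict, policy: Policy = Policy()) -> Decision:
    """Return a Decision; every failed check adds a human-readable reason."""
    reasons: List[str] = []

    # Provenance checks: where the image came from and whether it is immutable.
    if scan.get("registry") not in APPROVED_REGISTRIES:
        reasons.append(f"registry not approved: {scan.get('registry')}")
    if policy.require_digest and not scan.get("digest", "").startswith("sha256:"):
        reasons.append("image reference is not pinned by digest")
    if policy.require_signature and not scan.get("signed", False):
        reasons.append("image is not signed")

    # Vulnerability checks: blocking severities, then fixable High findings.
    vulns = scan.get("vulnerabilities", [])
    for v in vulns:
        if v["severity"].lower() in policy.block_severities:
            reasons.append(f"{v['id']} ({v['severity']}) in package {v['package']}")
    fixable_high = [v for v in vulns
                    if v["severity"].lower() == "high" and v.get("fix_version")]
    if len(fixable_high) > policy.max_fixable_high:
        reasons.append(f"{len(fixable_high)} high-severity finding(s) have a fix available")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample scan results (CVE ids are placeholders, not real advisories).
GOOD_SCAN = {
    "image": "registry.example.internal/payments/api",
    "registry": "registry.example.internal",
    "digest": "sha256:" + "ab" * 32,
    "signed": True,
    "vulnerabilities": [
        {"id": "CVE-PLACEHOLDER-1", "severity": "Medium", "package": "libfoo", "fix_version": "1.2.4"},
    ],
}
BAD_SCAN = {
    "image": "docker.io/someone/app:latest",
    "registry": "docker.io",
    "digest": "",
    "signed": False,
    "vulnerabilities": [
        {"id": "CVE-PLACEHOLDER-2", "severity": "Critical", "package": "openssl", "fix_version": "3.0.9"},
        {"id": "CVE-PLACEHOLDER-3", "severity": "High", "package": "curl", "fix_version": "8.1.0"},
    ],
}

if __name__ == "__main__":
    for scan in (GOOD_SCAN, BAD_SCAN):
        decision = evaluate_image(scan)
        print(scan["image"], "->", "ALLOW" if decision.allowed else "BLOCK")
        for reason in decision.reasons:
            print("   -", reason)
```

In a pipeline the gate runs after the build and before the push or deploy step; a `BLOCK` decision fails the job, so the image never reaches a registry the cluster is allowed to pull from. The same policy object can be reused by an admission controller at deploy time, which is what makes the control consistent from CI through to runtime.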
Using and Enforcing Security Best Practices
As deep understanding of container security is still a rare commodity in this market — we’re all learning while running — the use of best practices such as the CIS benchmarks or the NIST guidelines is a way for organizations to get “secure by default” fast, and tend to the finer points of their idiosyncratic needs later. This is why at Aqua we’ve invested in both open-source tools and commercial features to make it easier to check Kubernetes against CIS benchmarks, and get out-of-the-box runtime security policies for NIST requirements, as an example.
Protecting Against Multiple Threat Vectors
One of the reasons why a holistic approach is required is that the use of containers opens the way to multiple threat vectors, and crucially ones that legacy security solutions have no visibility into, let alone the ability to mitigate.
These include threats to the development environment itself, vulnerabilities in the code inside container images, vulnerabilities in the host OS, lateral movement on the network, exposure of secrets, and more. As a container-native solution, Aqua provides visibility and built-in protection against all those vectors, and more.
Managing Secrets
Although it’s a very specific need, managing secrets often comes up as one of the most niggling issues with customers. The reason is, of course, that secrets are sensitive by nature. But containers can multiply the risk to secrets due to the quick potential proliferation of unsecured secrets, and the huge variety of ways in which secrets can be misused with containers — from embedding them in images (don’t do that…) to storing them unencrypted on disk.
That’s why we developed, some time ago, a comprehensive solution that solves secrets delivery to containers, and it is still the most secure solution out there. Aqua Secrets integrates with common secrets vaults such as HashiCorp and CyberArk, but we ensure that the secret is delivered encrypted to the container that needs it, with no persistence on disk and without being visible outside the container. An additional bonus is that, unlike other solutions, Aqua secrets can be updated and rotated with no container restart, and you also get visibility into which secrets are being used where.
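The first misuse named above, embedding secrets in images, is one a pipeline can catch before the image is ever built. The following is an added example of a Dockerfile check for that pattern; it is not Aqua’s code or part of the Aqua Secrets product. The key-name and file-name heuristics are assumptions chosen for illustration, and the sample Dockerfile is constructed. The check flags `ENV` instructions that bake a literal secret into the image configuration, `ARG` instructions with secret-like names (build-arg values are recorded in the image history), and `COPY`/`ADD` of files that typically hold credentials.

```python
"""Dockerfile embedded-secret check (added example, constructed data).

Flags the common ways a secret ends up baked into an image layer or its
metadata. The regular expressions are illustrative heuristics, not a
complete catalogue of secret names.
"""
import json
import re
import shlex
from typing import List, Tuple

# Heuristic: variable names that usually carry credentials (assumption).
SECRET_KEY_RE = re.compile(
    r"(passw(or)?d|secret|token|api_?key|private_?key|access_?key)", re.I)
# Heuristic: files that usually contain credentials or private keys (assumption).
SENSITIVE_FILE_RE = re.compile(
    r"(^|/)(\.env|id_rsa|id_ed25519|.*\.pem|.*\.p12|.*\.key)$", re.I)


def _instructions(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments), joining '\\' continuations."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    out = []
    for line in joined:
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def _tokens(args: str) -> List[str]:
    """Handle both the shell form (a b c) and the JSON form (["a", "b"])."""
    if args.startswith("["):
        return [str(t) for t in json.loads(args)]
    return shlex.split(args)


def _kv_pairs(args: str) -> List[Tuple[str, str]]:
    """ENV/ARG arguments: 'KEY=value KEY2=value2' or the legacy 'KEY value'."""
    first = args.split(None, 1)[0] if args else ""
    if "=" in first:
        pairs = []
        for tok in shlex.split(args):
            key, _, value = tok.partition("=")
            pairs.append((key, value))
        return pairs
    key, _, value = args.partition(" ")
    return [(key, value.strip())]


def find_embedded_secrets(dockerfile: str) -> List[str]:
    """Return one finding string per embedded-secret pattern detected."""
    findings = []
    for instr, args in _instructions(dockerfile):
        if instr == "ENV":
            for key, value in _kv_pairs(args):
                if SECRET_KEY_RE.search(key) and value:
                    findings.append(f"ENV {key}: literal value baked into image config")
        elif instr == "ARG":
            for key, _ in _kv_pairs(args):
                if SECRET_KEY_RE.search(key):
                    findings.append(f"ARG {key}: build-arg values are kept in image history")
        elif instr in ("COPY", "ADD"):
            for src in _tokens(args)[:-1]:  # last token is the destination
                if SENSITIVE_FILE_RE.search(src):
                    findings.append(f"{instr} {src}: credential file copied into image layer")
    return findings


# Constructed sample: two bad patterns, plus a build that fetches its token
# through a BuildKit secret mount, which leaves nothing in the image.
SAMPLE_DOCKERFILE = """
FROM python:3.11-slim
ARG BUILD_REV
ENV APP_ENV=production \\
    DB_PASSWORD=hunter2
COPY .env /app/.env
COPY requirements.txt /app/
RUN --mount=type=secret,id=pip_token pip install -r /app/requirements.txt
"""

if __name__ == "__main__":
    for finding in find_embedded_secrets(SAMPLE_DOCKERFILE):
        print("FINDING:", finding)
```

Run as a pre-build step, a non-empty result fails the job. Note what the check deliberately does not flag: the `RUN --mount=type=secret` line, because a BuildKit secret mount exposes the value to that one build step without writing it into any layer, which is the build-time counterpart of delivering a secret to a running container without persisting it on disk.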
Integration with Cloud Service Providers
Key drivers of container adoption include the ability to develop and deploy cloud-native applications, cloud migration of existing applications, and the adoption of a hybrid-cloud or multi-cloud strategy — because the portability of containers is one of their most attractive features.
So naturally, any container security solution must be interoperable with the key cloud-based container services, including those on AWS, Azure, Google and IBM. But at Aqua we go well beyond mere compatibility:
- We natively integrate with key components of the cloud provider offerings such as registries, orchestrators, and runtime engines, as well as with auxiliary services such as logging and monitoring.
- We make ourselves easy to deploy via the cloud providers’ marketplaces. Recently we were the first container security solution to be deployable as a Kubernetes App on the GCP Marketplace.
- We provide consistent, transparent security controls that are completely transferable between clouds. Want to run your app on Azure today and on AWS tomorrow? No problem, Aqua will provide the same controls across the different clouds and you won’t need to reconfigure or change anything as you move workloads.
Conclusion
While the container market is still evolving (fast), there are indeed maturing options for security around containers, Aqua included. Customer needs are anything but singular, covering a broad range of development lifecycle stages, deployment models, cloud environments, threat vectors and use cases. Only comprehensive, holistic solutions can address those needs and our commitment is to continue to do so.
* The full Technical Professional Advice report is available to Gartner clients with the appropriate subscription on the Gartner website.
Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.