Today, we are pleased to announce that Aqua Security has achieved the Security Competency in the Compliance and Privacy category in the relaunch of the Amazon Web Services (AWS) Security Competency. This designation recognizes that the Aqua Cloud Native Application Protection Platform (CNAPP) has demonstrated proven technology and deep expertise in helping customers achieve their cloud security goals. The Compliance and Privacy category includes use cases for CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection).
The introduction of the CWPP and CSPM categories is part of the next evolution of the Security Competency program, which takes a more use-case-based approach.
Aqua initially achieved AWS Container Competency in 2018, marking our longstanding focus on helping customers securely build, deploy, and automate their cloud native applications in AWS with AWS services and security tools. Aqua’s distinctions in these newly introduced categories further reflect our ongoing investment in integration and innovation in tackling the security, risk, and compliance concerns that may stand in the way of broader and deeper adoption.
Responding to the evolution of cloud native security
Just as AWS has worked with experts on which new tools, processes, and frameworks to cover in the updated Competency program, industry analysts like Gartner have also been keeping an eye on the coalescence of new security categories.
Towards the end of last year, Gartner formalized the Cloud Native Application Protection Platform (CNAPP) category that combines “shift left” DevSecOps, intelligent automation, CSPM (cloud security posture management), and CWPPs (cloud workload protection platforms).
According to the Gartner innovation insight report, “Optimal security of cloud-native applications requires an integrated approach that starts in development and extends to runtime protection. SRM leaders should evaluate emerging cloud-native application protection platforms that provide a complete lifecycle approach for security.”
The significance of a unified platform extends beyond having the ability to prevent bad things before they happen and stop them when they do by extending visibility and controls across the cloud native application lifecycle. A unified platform is also important for addressing the critical dynamic between those building, deploying, and managing cloud native applications and those responsible for securing them.
To both address the deepening adoption of AWS services and the increasing complexity of this critical dynamic between DevOps, security, and emerging DevSecOps teams, Aqua will continue to build on the work it’s already done to achieve the Competency distinction in areas like cloud risk management for CSPM, AWS Fargate and AWS Lambda runtime protection for CWPP, and hybrid architecture assurance and security.
What’s next for Aqua and the AWS Competency Program?
1. Automated AWS EC2 cloud workload scanning that integrates ‘contextual visibility’
Based on research done by our newly created Incident Response team, Aqua provides logic to make more granular assessments of image vulnerabilities on a per-component basis. When a zero-day vulnerability like Log4J or Spring4Shell is discovered, security teams must spring into action to scan potentially hundreds of thousands of images to identify all instances of the new CVE.
Because of the volume of images and the urgency to quickly lower the risk of an attack, vulnerability management teams want to pinpoint the highest-risk scenarios as fast as possible – notably where containers with the easily exploitable vulnerability are running in production. At the same time, teams want to ensure that they are not spending time on relatively low-risk instances of the vulnerability. By applying the ‘contextual visibility’ logic to cloud workload scanning, which digs deeper to evaluate whether the image actually includes the component targeted by the vulnerability exploit, customers can choose to suppress the findings that turn out to be low risk.
The ability to identify all instances of a zero-day vulnerability more quickly and accurately for running cloud workloads, and then further evaluate the relative risk based on contextual visibility, enables security teams to tackle these high-pressure scenarios collaboratively with their development teams.
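The triage described above, as an added example that is not Aqua's code: a constructed advisory, per-image SBOMs and a runtime inventory are combined so that images lacking the targeted component are suppressed, patched versions are cleared, and the remaining exploitable images are ranked by where they run. The component name, version range, image names and environments are all assumptions made up for the example.

```python
# Contextual triage of a zero-day finding across workload images.
# Added example (not Aqua's code): advisory, SBOMs and runtime inventory
# are constructed; the version range is illustrative, not a real one.
from dataclasses import dataclass

# Constructed advisory for a hypothetical Log4j-style zero-day.
ADVISORY = {"component": "log4j-core", "fixed_in": "2.15.0"}  # constructed

# Constructed SBOMs: image -> {component: version}
SBOMS = {
    "shop/api:1.4": {"log4j-core": "2.14.1", "spring-core": "5.3.1"},
    "shop/worker:2.0": {"log4j-api": "2.14.1"},  # api jar only, core absent
    "shop/batch:0.9": {"log4j-core": "2.17.1"},  # already patched
    "shop/legacy:3.2": {"log4j-core": "2.11.0"},
}
# Constructed runtime inventory: image -> environment it is running in.
RUNNING = {"shop/api:1.4": "production", "shop/worker:2.0": "production",
           "shop/legacy:3.2": "staging"}  # batch:0.9 is not running

def version_tuple(v: str) -> tuple:
    """Turn "2.14.1" into (2, 14, 1) for ordered comparison; pre-release tags ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

@dataclass
class Finding:
    image: str
    status: str    # "exploitable", "suppressed" or "patched"
    priority: int  # higher = act first; 0 means no action needed
    reason: str

def triage(image: str) -> Finding:
    """Is the targeted component really present and unpatched, and does the
    image run somewhere that raises the urgency?"""
    ver = SBOMS.get(image, {}).get(ADVISORY["component"])
    if ver is None:
        return Finding(image, "suppressed", 0, "targeted component not in image")
    if version_tuple(ver) >= version_tuple(ADVISORY["fixed_in"]):
        return Finding(image, "patched", 0, f"{ver} is at or above fixed version")
    env = RUNNING.get(image)
    priority = {"production": 3, "staging": 2}.get(env, 1)
    where = f"running in {env}" if env else "not currently running"
    return Finding(image, "exploitable", priority, f"{ver} vulnerable, {where}")

def ranked_findings() -> list:
    """Exploitable images only, most urgent first; suppressed/patched dropped."""
    found = [triage(img) for img in SBOMS]
    return sorted((f for f in found if f.status == "exploitable"),
                  key=lambda f: -f.priority)
```

In a real pipeline the SBOM and runtime inventory would come from the scanner and the cluster, and the suppressed and patched findings would still be retained for audit rather than discarded.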
2. AWS Fargate and AWS Lambda runtime protection advances
Many of Aqua’s customers have embraced Fargate to build, deploy, and manage large, complex applications that can operate at a global scale. As the service becomes more mainstream, development teams often find themselves racing ahead to adopt Fargate without having formalized security best practices. Because Fargate is a Container as a Service offering, developers no longer have to worry about securing the infrastructure, but they can still deploy untrusted images and expose their company to runtime risks.
To address Fargate’s unique delivery and security requirements, Aqua delivers technology purpose-built for Fargate that can run as a lightweight Kubernetes pod component, within the container, or in a sidecar architecture. In addition to Fargate running on Amazon EKS, Aqua can also secure Fargate on Amazon ECS as well as Fargate on Graviton2.
The PodEnforcer injection is integrated with the Aqua Kubernetes mutating admission controller KubeEnforcer component, allowing it to modify the pod manifest based on predefined assurance policies. This approach allows developers to make use of a deployment methodology that is consistent with their processes, and allows security teams to maintain guard rails, enforce image assurance policies, and detect and stop run-time threats.
Similarly, we have seen growing use of containerized Lambda services. Security teams can deliver a consistent security experience across container and serverless workloads using Aqua’s NanoEnforcer, which is injected automatically as a Lambda Layer with no modifications to the function code or its runtime. Teams can also apply DevSecOps tools, processes, and promotion gates for serverless functions by identifying vulnerabilities through CI integration as well as scanning for overprovisioned Lambda access permissions.
3. Secure and Assure Kubernetes Hybrid Architectures
Aqua was a launch partner for the recent EKS Anywhere Bare Metal launch, which expands the options for customers who either want to take advantage of a managed Kubernetes service for on-premises deployment or who are looking to maintain a hybrid architecture for business, regulatory, or data protection reasons.
At the same time, Aqua is working with Red Hat OpenShift customers who want to take advantage of the economics of the Red Hat OpenShift on AWS (ROSA) managed service and move their workloads from on-premises Kubernetes deployments to the cloud.
For both scenarios, Aqua addresses the need for consolidated visibility and consistent enforcement of assurance and security policies, regardless of where the infrastructure and the workload are running. Aqua has worked to ensure that as customers adopt hybrid architectures, they can secure the software supply chain, detect and manage risk across their clusters, and enforce consistent Kubernetes-native security and assurance policies.
Looking ahead
Achieving the distinctions of CSPM and CWPP under the Security Competency is a milestone for Aqua – and is one we intend to build on.
Over the coming months, our plan is to extend the work we have completed to help customers take full advantage of AWS services and tools by shifting security left, improving their understanding of risk, and protecting against attacks at runtime. We are starting by providing more context and visualization of where the risks to their AWS security posture are most urgent, connecting the dots in tandem with DevOps.
We have also simplified and automated the processes for deploying runtime monitoring and protection, setting the stage for tighter orchestration with incident response and remediation workflows for cloud native incidents through our Security Response policies.