Review: How Aqua secures containers from development to production

The Aqua Cloud Native Security Platform uses an inherent advantage of containers, the fact that they are always highly specialized for their jobs, to create a cybersecurity structure based on whitelisting.

Containerization continues to gain popularity with many large enterprises, where thousands of new containers can be deployed every day. Containerization provides the benefits of cloud computing, like infinite expandability, but also individual control over each independent container, which can act as anything from tiny microservices to full-blown programs and operating systems. Yet, despite these advantages, and the increasing reliance on containers, security has been slow to catch up. Traditional security programs and their one-size-fits-all approach, even if created to work inside the cloud, often fare poorly trying to protect thousands of independent containers, which may all have different functions, components and hidden vulnerabilities.

Part of the challenge is the way containers are usually created. Developers will pull images from various places — including previously created containers and open-source repositories — and use them as the baseline for their new containers. The problem is that those images might harbor everything from unnecessary operating system components to vulnerabilities. None of that might be a problem, depending on where and how the new container is being deployed, or it might be just the opening that an enterprising attacker needs to compromise an entire network.

The Aqua Cloud Native Security Platform secures individual containers from the time they are first developed all the way through when they land in a production environment. It uses an inherent advantage of containers, the fact that they are always highly specialized for their jobs, to create a cybersecurity structure based on whitelisting.

[Screenshot: Aqua Security enforcing security policies. Credit: John Breeden II]

The Aqua Cloud Native Security Platform is able to enforce security policies while containers are being created, preventing any insecure or risky code from creeping into containers in the first place. Here it works with a Jenkins plugin.

The platform is embedded into the development process for containers, and can work with just about any platform, including Kubernetes, Rancher, Docker, Red Hat Openshift, Mesosphere and others. Pricing for the platform is an annual subscription model based on the number of nodes being protected, but there are also hourly pricing schemes available for cloud deployments like Google Cloud and Amazon Web Services.

Testing Aqua Security

Security administrators can set the policies regarding how containers operate and are helped in this process by an image scanner that can report on all known vulnerabilities for any image inside an organization’s repository. The reports are very detailed, so administrators can see when specific vulnerabilities might pose a problem. Rules can be set based on the type of host where the container will be deployed, the operating system, the kind of application it will be used for, or just generally applied in all instances. Images can also be ruled non-compliant, restricting their use.


[Screenshot: Aqua image scan results. Credit: John Breeden II]

Images that might be used by developers can be scanned by Aqua Security and given a detailed security report, so administrators can decide if they are worth the risk, or work on rules that restrict their behavior before deployment.

Rule creation relies on an extremely visual interface, with a list of possible rules running down the right side of the screen. Selecting a rule lets administrators configure it tightly. However, a machine learning model can also be used to automatically learn and whitelist only the capabilities used by the running container, reducing the attack surface. The resulting profile can then be further edited. For example, clicking on the executable blacklist selection opens up a section where specific .exe files can be prevented from running within a container. Administrators will know which .exe files are included in an image, and whether those files create a vulnerability, based on the scan report.

[Screenshot: Aqua Security forensics view. Credit: John Breeden II]

Even though the Aqua Security Platform can restrict containers from doing anything dangerous, every attempt to manipulate them is recorded, with full forensics reports to back up the observations.

There is also an extremely powerful rule called Drift Prevention that, if enabled, blocks anything not originally included in the image from ever running within a container. This was tested with a code injection attack on a known vulnerability that was purposely left open in a test container. In that instance, the code injection attack was successful but the inserted bitcoin miner program still could not run because drift protection stopped it. It was not part of the original approved image, so it could never run inside the container.

Our test of drift prevention also showed the power that the Aqua Security platform brings to containers. Through tight controls implemented when a container is created, security can be enforced throughout the lifecycle of that container, whether it only exists for a few hours or for many years. In another case, a container was accessed by an administrator account, yet even then, the admin could not do anything outside of the originally defined scope for that container. That might really frustrate hackers who go to the trouble of elevating their privileges and gaining access to an asset only to find out that their actions within the compromised container are still highly restricted. If the Aqua Security Platform prevented actions during the container’s creation, then those actions will still be actively prevented within the production environment.

Back at the container creation side of things, developers working within a system protected by the Aqua Security Platform can choose images from among the authorized options available to them but can’t change those options or use anything that is not specifically allowed. This might seem restrictive, but there is no limit to the number of approved configurations that security administrators can set, so they should be able to cover every possible scenario for their environment and quickly configure more if needed.

[Screenshot: Aqua administrator controls. Credit: John Breeden II]

The security for containers can be configured to work with different hosts, users or applications. A non-compliant image might be perfectly acceptable if deployed in a different way or for a different purpose. That level of granular control is fully in the hands of platform administrators.

Of course, even in a highly protected system, attackers are still going to try and infiltrate it. Any time someone tries to access a protected container or force it to act outside of its defined ruleset, that action is going to be recorded. Aqua provides a full forensic trail for every event. It’s all recorded in a searchable format within the internal console and can be shared with event managers like Splunk.

In addition to fully protecting containers, Aqua Security can also protect container secrets like passwords. The platform is able to act as a key delivery mechanism, supplying the secret key stored in enterprise vaults such as HashiCorp or CyberArk to containers in real time as needed, without having them sitting around in any vulnerable locations for a skilled attacker to find. The platform also offers security controls for the hosts on which containers are run, certified by the Center for Internet Security, to ensure that the entire stack is secure.

[Screenshot: Aqua Security learned whitelist profile. Credit: John Breeden II]

The platform can learn and whitelist any processes actually used by the container, creating a reduced attack surface profile. Administrators can further edit this profile. Thereafter, even if the container gets hacked by someone with administrator access, it still won’t be able to execute commands restricted by the Aqua Security Platform.
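The two runtime controls the review describes, drift prevention (only executables present in the approved image may run, and only unmodified) and the learned process profile that narrows that set to what the workload actually uses, can be modelled as a single allowlist decision. The following is an added example written for this page, not Aqua's code or API; the image paths, file bytes and the "miner" drop are constructed stand-ins, and the event list plays the role of the forensic trail the review mentions.

```python
import hashlib
from dataclasses import dataclass, field
# Constructed stand-in for the approved image's filesystem: path -> file bytes.
APPROVED_IMAGE = {
    "/usr/bin/nginx": b"ELF nginx binary (constructed)",
    "/usr/bin/sh": b"ELF sh binary (constructed)",
    "/usr/bin/curl": b"ELF curl binary (constructed)",
}
def sha256(data):
    return hashlib.sha256(data).hexdigest()
@dataclass
class ContainerPolicy:
    image_baseline: dict                        # path -> sha256 fixed at image approval
    learned: set = field(default_factory=set)   # executables seen in learning mode
    enforce_learned: bool = False
    events: list = field(default_factory=list)  # forensic trail of every decision
    @classmethod
    def from_image(cls, image):
        return cls(image_baseline={p: sha256(b) for p, b in image.items()})

    def observe(self, path):
        self.learned.add(path)                  # learning mode: record real workload behaviour

    def exec_allowed(self, path, content):
        """Decide whether exec of `path` (on-disk bytes `content`) may proceed."""
        expected = self.image_baseline.get(path)
        if expected is None:                       # drift: file was never in the image
            return self._deny(path, "not in approved image (drift)")
        if sha256(content) != expected:            # drift: image file replaced or modified
            return self._deny(path, "binary changed after image approval (drift)")
        if self.enforce_learned and path not in self.learned:
            return self._deny(path, "outside learned profile")
        self.events.append(("allow", path, "ok"))
        return True

    def _deny(self, path, reason):
        self.events.append(("deny", path, reason))
        return False

def demo():
    policy = ContainerPolicy.from_image(APPROVED_IMAGE)
    policy.observe("/usr/bin/nginx")    # learning phase saw only nginx run
    policy.enforce_learned = True       # switch from learning to enforcement
    return {
        "nginx": policy.exec_allowed("/usr/bin/nginx", APPROVED_IMAGE["/usr/bin/nginx"]),
        "injected": policy.exec_allowed("/tmp/miner", b"injected binary (constructed)"),
        "tampered_sh": policy.exec_allowed("/usr/bin/sh", b"replaced sh (constructed)"),
        "curl": policy.exec_allowed("/usr/bin/curl", APPROVED_IMAGE["/usr/bin/curl"]),
    }, policy.events
```

Note that the injected binary is denied even if the attacker first gained a shell as root inside the container: the decision depends only on the approved image and the learned profile, not on who is asking, which is the property the review's admin-account test illustrates.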

The bottom line

As containerization continues to gain popularity, those who rely on the technology will require dedicated protection to defend their enterprise. The Aqua Cloud Native Security Platform fills that role well, locking down container environments of any size from development to deployment. It strikes a perfect balance of being an extremely powerful defense tool that is also extremely easy to use.

Copyright © 2019 IDG Communications, Inc.
