Aqua Security Provides Nano-Segmentation for Containers
Tue 21 Feb 2017
Container Security Platform 2.0 release aims to help further segment application container traffic and adds new support for secrets management.
Container technologies already provide multiple types of isolation to keep application workloads safe and segmented.
According to Aqua Security CTO and co-founder Amir Jerbi, additional segmentation is needed, which is what his company is now delivering with the 2.0 release of its Container Security Platform (CSP).
Aqua Security first debuted CSP in May 2016, with the promise of being able to scan containers for both known and unknown security issues. With the new 2.0, release, Aqua is debuting a capability it calls ‘nano-segmentation’ to improve container isolation and overall security.”
Nano-segmentation is the ability to create zones, where we can make sure that containers only communicate within the zone,” Jerbi told eWEEK.A zone can be defined as container-to-container communications, running on the same host system or on different machines.
The zone also extends to define services that are not container-based as well. For example, an application container workload that connects to an external database, which is not necessarily running in a container.
“We can automatically create dynamic zones that ensure that a container will only communicate with members of a specified zone,” Jerbi said.
Container technologies including Docker, already have various isolation capabilities, ranging from user namespaces control in Linux, to policy driven controls with (seccomp). Seccomp is a technology that is integrated into the mainline of the Linux kernel to provide granular security control. User namespaces provide visibility and control for individual applications and processes that run on Docker. Additionally, from a networking perspective, different groups of containers can be isolated from one another with Software Defined Networking (SDN) policies.
Jerbi commented that in an ideal world, all IT workloads will be delivered via a container, but that’s not the reality today. He added that the security isolation capabilities of containers today are mostly specific to the container deployment and not the other non-container elements that are still part of the application delivery process.
“We provide the necessary security controls to make sure that containers are only connecting to authorized services,” Jerbi said.From a networking perspective, Aqua CSP runs on the container host operating system and connects with the network bridge or network overlay.
Jerbi explained that with the network visibility, CSP examines all traffic going in and out of a container to make policy decisions. Policies are created in an automated approach based on observed container behavior.
“Our approach is zero touch, the user doesn’t need to create anything and there is no policy language that has to be defined,” Jerbi said. “Behind the scenes, we identify all of the container interactions and we can show them to the user.
“Among the potential security risks for containers is that a specific rogue container application can ‘escape’ from an isolated segment to attack other services on a system. Rather than just look for known vulnerabilities, Aqua’s technology maps the known good activity for a given container.
If a container does something that is considered to be unusual, CSP will block the action.
Also new in the CSP 2.0 release is integration with Hashicorp’s open-source Vault technology which provides secrets management. Secrets are defined in the Linux container context as items that should be kept private for security reasons such as passwords, security keys and access tokens.
The Vault project was first announced in May 2015 and has become a popular tool for secrets management.Docker itself has its own secrets management API, which was recently improved in the Docker 1.13 release that debuted on Jan. 20. Aqua’s technology does not currently integrate directly with Docker’s native secrets management technology.
The market for container security technologies has multiple vendors including Docker, CoreOS and Twistlock among others. Jerbi sees his company as differentiating from the others because of its broader focus, that now includes nano-segmentation. Looking forward, the plan for Aqua is to expand the Container Security Platform with better integration for container orchestration platforms like Kubernetes.
“The initial focus for container security was about scanning for vulnerabilities,” Jerbi said. “We are now seeing the need to secure the runtime and the workloads that people are deploying in an automated manner.”