Aqua Container Security Platform 2.0 Introduces Container-Level Network Nano-Segmentation

Container Network Nano-Segmentation  
A key requirement for securing containerized applications is ensuring that containers can only communicate within their permitted network segment, limiting the "blast radius" in case of an attack. The challenge is to do so without hindering the container's ability to perform legitimate application functions that require communication within the host or across hosts, on-premises or in the cloud.  

"Traditional host-based security agents don't understand containers and lack the context to enforce different policies on different containers in the same host," notes Neil MacDonald, VP Distinguished Analyst at Gartner Research, "Depending on the network architecture used, container-to-container traffic within a physical host may not be visible to external network firewalls and intrusion detection and prevention systems." *

Version 2.0 of the Aqua CSP automates the creation of network nano-segments that limit container network connectivity based on the application context and needs, regardless of physical location, IP address or other network properties.

Key features include:

• Automatic discovery of containerized application network topology
• Automated creation of network nano-segments based on the container's activity
• Context based container firewall that allows service-oriented rules
• Detection or prevention mode, allowing to either alert on or prevent unauthorized network connections.

For a detailed description and video of Aqua's nano-segmentation feature, visit Aqua's blog.

Secrets Management and Discovery
Managing secrets such as passwords and security tokens is particularly challenging in container environments due to the dynamic and ephemeral nature of containers. Storing secrets inside a container image risks exposing them to anyone with access to that container, as well as to potential intruders. Providing secrets as an environment variable when running a container is also challenging, since it lacks the visibility and centralized control needed for handling sensitive information.

Aqua CSP 2.0 introduces a complete solution for securely managing and discovering secrets in the container pipeline, regardless of the choice of orchestrator or runtime environment.  Here are the highlights:

• Central visibility and control over container secrets from the Aqua Management Console. Administrators can define access control policies to allow specific secrets to be accessible only to intended users and containers.
• Integration with HashiCorp Vault, the leading solution for secrets management, allows customers to enjoy Vault's highly secured secrets database and management features.
• Secrets are injected into the container as it runs, where they remain in memory and stay invisible to the host. This removes the risk of placing the secret inside the container, where it may be exposed to unintended host users or intruders.
• Aqua's vulnerability scanner now also includes scanning for secrets discovery within container images, such as AWS tokens, SSH keys, and clear-text passwords. This allows organizations to remove secrets as part of their CI/CD process, and instead place them in the secrets vault, where they are protected.

"We're excited about Aqua's integration with HashiCorp Vault," said Burzin Patel, VP Worldwide Alliances at HashiCorp. "Users can now securely inject secrets stored in Vault into containers as and when needed, extending the value customers get from Vault and ensuring that secrets are not stored or left exposed in the container runtime environment."

For a detailed walkthrough and video of Aqua's secrets management feature and Vault integration, visit our blog.

Additional Features in Aqua CSP 2.0:
Driven by enterprise customer requirements, Aqua CSP 2.0 includes many additional new features:

• Management by Labels: Every entity (host, image, service, policy rule, users) in the Aqua console can now be labeled, making it easy to manage large-scale deployments and segment them according to applications, stages (e.g., dev/test/staging/production), trust level, tenancy, etc.
• Atlassian Jira Integration: When vulnerabilities are discovered in container images during the development process, it is up to the dev team to fix them. With this new integration, Aqua closes the information loop by directly opening tickets in Jira with the specific image, package and CVE information, streamlining the process.
• Vulnerability Scanning on a Large Scale: Aqua's vulnerability scanner for Docker images has been revamped, and now scales automatically to handle thousands of image scans in minutes. For additional details and video of this feature, visit Aqua's blog.
• SAML Single Sign-On: Aqua's Command Center now supports SAML for enterprise SSO, making deployment and user access control fast and easy.

"Aqua CSP 2.0 represents a leap in our ability to secure containerized applications in enterprise deployments," said Amir Jerbi, Aqua's CTO and co-founder. "With advanced features, such as nano-segmentation and secrets management, we address real customer pain points while adhering to our 'automate everything' credo to keep security simple and manageable."

About Aqua Security
Aqua Security enables enterprises to secure their virtual container environments from development to production, accelerating container adoption and bridging the gap between DevOps and IT security. Aqua's Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance.  Aqua was founded in 2015 and is backed by TLV Partners, Microsoft Ventures, and IT security leaders, and is based in Israel and San Francisco, CA.  For more information, visit www.aquasec.com or follow us on twitter.com/AquaSecTeam.

* Gartner, Security Considerations and Best Practices for Securing Containers, 10 November 2016, Neil MacDonald

SOURCE Aqua Security

Related Links

http://www.aquasec.com