Most of the attention paid thus far to container security has been focused on scanning images for potential vulnerabilities. But there’s a world of difference between identifying vulnerabilities and being able to enforce security policies across a nanosegmented network made up of thousands of containers.
To provide that latter capability, Aqua Security has launched an update to its Container Security Platform (CSP) that makes it possible to limit which containers can communicate with one another across a network. Microsegmentation has been steadily gaining acceptance in virtual machine circles as a mechanism to better secure east-west traffic in a data center. Nanosegmentation applies the same concept to containers.
Aqua CTO Amir Jerbi says Aqua CSP 2.0 means that in addition to controlling who can access which containers, an IT organization can create zones to better isolate groups of containers from one another. Isolation in general has been a significant issue that has held up deployment of containers on bare-metal servers. Without that capability, many IT organizations have opted to run containers inside virtual machines, even though that approach is less efficient from a utilization perspective.
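The page does not describe how Aqua CSP enforces zones, so the following is an added illustration, not Aqua's code: a small policy evaluator that models zone-based nanosegmentation with Kubernetes-NetworkPolicy-style semantics (a container is isolated only once some policy selects it; otherwise everything may reach it). The container names, labels, zones and flows are constructed sample data. It exists mainly to show the failure mode a practitioner hits first: a zone policy that forgets to select a workload leaves that workload wide open until a default-deny policy is added.

```python
"""Added example of zone-based container segmentation semantics (not Aqua's implementation).
Models NetworkPolicy-style rules: a destination is isolated only if at least one policy
selects it; then traffic is allowed only if some rule of some selecting policy matches."""
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    labels: dict  # constructed sample labels, e.g. {"zone": "web", "app": "frontend"}


@dataclass
class IngressRule:
    from_labels: dict                       # source must carry all of these labels
    ports: frozenset = field(default_factory=frozenset)  # empty set means any port


@dataclass
class Policy:
    name: str
    selector: dict        # applies to containers carrying all these labels; {} selects all
    ingress: list         # allowed sources; an empty list isolates the selection completely


def matches(selector: dict, labels: dict) -> bool:
    """Label-selector match: every key/value in the selector must be present in labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(policies: list, src: Container, dst: Container, port: int) -> bool:
    selecting = [p for p in policies if matches(p.selector, dst.labels)]
    if not selecting:
        return True  # nothing selects dst: no isolation applies, so all ingress is allowed
    for p in selecting:
        for rule in p.ingress:
            if matches(rule.from_labels, src.labels) and (not rule.ports or port in rule.ports):
                return True
    return False


def zone_policy(zone: str) -> Policy:
    """Isolate a zone: only containers in the same zone may talk to its members."""
    return Policy(f"zone-{zone}", {"zone": zone}, [IngressRule({"zone": zone})])


# Constructed sample estate: three zones, four containers.
FRONTEND = Container("frontend", {"zone": "web", "app": "frontend"})
API = Container("api", {"zone": "app", "app": "api"})
POSTGRES = Container("postgres", {"zone": "data", "app": "postgres"})
BASTION = Container("bastion", {"zone": "ops", "app": "bastion"})

SAMPLE_FLOWS = {
    "frontend->api:8080": (FRONTEND, API, 8080),
    "api->postgres:5432": (API, POSTGRES, 5432),
    "frontend->postgres:5432": (FRONTEND, POSTGRES, 5432),
    "bastion->postgres:22": (BASTION, POSTGRES, 22),
}

# A data-zone policy plus a narrow exception letting the api tier reach the database port.
PARTIAL_POLICIES = [
    zone_policy("data"),
    Policy("api-to-db", {"app": "postgres"}, [IngressRule({"app": "api"}, frozenset({5432}))]),
]

# Same rules, but with an explicit default-deny (empty selector selects every container)
# and an explicit allow for the one web->app flow the business needs.
HARDENED_POLICIES = PARTIAL_POLICIES + [
    Policy("default-deny", {}, []),
    Policy("web-to-api", {"app": "api"}, [IngressRule({"app": "frontend"}, frozenset({8080}))]),
]


def evaluate(policies: list, flows: dict = None) -> dict:
    flows = SAMPLE_FLOWS if flows is None else flows
    return {name: is_allowed(policies, s, d, p) for name, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for label, policies in (("partial", PARTIAL_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(label, evaluate(policies))
```

With the partial policy set the `frontend->api` flow is allowed even though no rule says so, simply because nothing selects `api`; the hardened set closes that gap with a default-deny policy and then re-opens only the port the frontend actually needs.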
Other additions to Aqua CSP 2.0 include integration with HashiCorp Vault for secrets management. Secrets are injected into the container at run time and held only in memory, so they are never written into the image or the container's filesystem and, per Aqua, stay invisible to the host. This removes the risk of baking a secret into the container image, where it persists in the image layers and can be read by anyone able to pull the image or by an intruder with access to the host's image storage. (An attacker with root on the host can still read a running process's memory; the protection is against secrets persisting at rest and in registries.)
In addition, Aqua's vulnerability scanner now can discover secrets within container images, including Amazon Web Services (AWS) tokens, SSH keys and clear-text passwords. Those secrets can then be moved into a vault rather than left in the image, where they would otherwise be exposed unintentionally. Any such scan has to inspect every layer of the image, not just the final filesystem: a key copied in during a build and deleted in a later Dockerfile step is gone from the merged view but still present in the earlier layer.
Aqua CSP 2.0 also includes management by labels and integration with Atlassian's Jira for tracking DevOps work.
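As an added example (this is not Aqua's scanner, and the page does not say how the CSP scanner works), here is a Python scanner for the three secret classes the article names. It walks a `docker save` tarball: the top-level manifest and image config (whose `Env` array picks up keys set with `ENV`) plus every layer tarball, so a secret that a later layer deleted is still found. The regexes, the image layout and the sample image contents are illustrative assumptions; the sample image is constructed in a temporary directory so the block runs offline.

```python
"""Added example (not Aqua's scanner): find secrets baked into a saved container image.
Covers AWS access key IDs, SSH private keys and clear-text passwords. The detection
regexes, file layout and sample contents are illustrative assumptions."""
import io
import json
import re
import tarfile
import tempfile
from dataclasses import dataclass

# Illustrative patterns; real scanners use much larger rule sets plus entropy checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "clear_text_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']{6,})"),
}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip large blobs; config files and keys are small


@dataclass(frozen=True)
class Finding:
    layer: str     # outer tar member the file came from ("image" for top-level files)
    path: str
    kind: str
    line: int
    preview: str   # redacted so the scanner's own report does not leak the secret


def _redact(secret: str) -> str:
    return secret[:4] + "*" * max(len(secret) - 4, 4)


def scan_bytes(layer: str, path: str, data: bytes) -> list:
    """Scan one file's contents. Oversized or binary-looking files (NUL byte) are skipped."""
    if len(data) > MAX_FILE_BYTES or b"\x00" in data[:8192]:
        return []
    findings = []
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(layer, path, kind, lineno, _redact(secret)))
    return findings


def scan_image_tar(image_tar_path: str) -> list:
    """Walk `docker save` output. Members that open as tars are layers (mode 'r'
    auto-detects compressed OCI blobs); everything else (manifest, image config) is
    scanned as text, which catches keys set via ENV in the config's Env array."""
    findings = []
    with tarfile.open(image_tar_path, "r") as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            data = outer.extractfile(member).read()
            try:
                with tarfile.open(fileobj=io.BytesIO(data), mode="r") as layer:
                    for inner in layer.getmembers():
                        if inner.isfile():
                            findings += scan_bytes(member.name, inner.name,
                                                   layer.extractfile(inner).read())
            except tarfile.ReadError:  # not a nested tar: manifest.json, config json, ...
                findings += scan_bytes("image", member.name, data)
    return findings


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image(path: str) -> None:
    """Constructed stand-in for `docker save` output; not a real image."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add(layer, "app/.env", b"DB_HOST=db\nDB_PASSWORD=hunter22\n")
        _add(layer, "root/.ssh/id_rsa",
             b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt\n-----END OPENSSH PRIVATE KEY-----\n")
        _add(layer, "usr/bin/tool", b"\x7fELF\x00\x00AKIAIOSFODNN7EXAMPLE")  # binary: skipped
    config = {"config": {"Env": ["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]}}
    with tarfile.open(path, "w") as outer:
        _add(outer, "manifest.json",
             json.dumps([{"Config": "config.json", "Layers": ["layer1/layer.tar"]}]).encode())
        _add(outer, "config.json", json.dumps(config).encode())
        _add(outer, "layer1/layer.tar", layer_buf.getvalue())


def demo() -> list:
    """Build the constructed sample image in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = tmp + "/sample-image.tar"
        build_sample_image(path)
        return scan_image_tar(path)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.layer}:{f.path}:{f.line} {f.kind} {f.preview}")
```

The sample yields three findings (the AWS key from the image config, the password in `app/.env`, and the SSH key in `root/.ssh/id_rsa`); the same AWS key embedded in the binary is deliberately skipped by the NUL-byte check, which is a speed-versus-coverage trade-off a real deployment should revisit. Redacting the preview matters: a scanner report that echoes full secrets into CI logs or a Jira ticket just creates a second leak.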
Collectively, Jerbi says these capabilities make it a lot easier for IT organizations to both protect data and identify dependencies on specific containers to enhance the security of a cloud-native computing environment.
The degree to which most IT security professionals are even cognizant of the implications of containers is debatable. There’s an unfortunate tradition of trying to address IT security issues after deployment, once a specific emerging technology starts to achieve critical mass. On the plus side, however, more developers in the age of DevOps are taking responsibility for applications on an end-to-end basis. It’s usually not too long before those developers focus not just on availability and performance, but also security.
Of course, it may still be quite some time before that depth of appreciation of DevOps permeates the entire application developer community. In the meantime, many IT security professionals are about to discover the joys of trying to secure containers that, by definition, are far more ephemeral than any piece of code they are likely to have encountered. Assuming they don't just give up outright, chances are high that a lot more of them will soon be adding nanosegmentation to their IT security vocabulary.