DevOps Chat: Kubernetes Security with Aqua Security

It’s widely recognized that Kubernetes has become the de facto standard for container orchestration. Just look at all the technology companies that are supporting Kubernetes in one way or another. It’s pretty clear the decision has been made to embrace Kubernetes.

Aqua Security has thrown its hat into the ring with Kubernetes, through a series of partnerships and its technology for securing container environments. Rani Osnat and Andy Feit from Aqua Security both recently discussed what’s happening in the container space and Kubernetes, and the ways their company is working to ensure their security.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Transcript

Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com, and you’re listening to another DevOps Chat. We’ve got a two-for-one for ya on DevOps Chat today, as we’re joined by the marketing braintrust at Aqua Security – none other than our good friend and frequent guest on DevOps Chat, Rani Osnat, and a first-timer, Andy Feit. Andy, Rani, welcome to DevOps Chat.

Rani Osnat: Hello. Thank you.

Andy Feit: Hi, Alan, great to be here.

Shimel: All right. And I should mention that, Rani, that was you with the first “Hello” and, Andy, that was you with the second, so our audience can tell who’s who a little bit. So, guys, let’s first talk about Aqua Security. You know, this whole container space, Kubernetes, Docker, microservices, serverless – it is accelerating and it’s in takeoff and accelerating, and Aqua was certainly one of the first – you wanna call it “container-native”? I don’t know if that’s a word yet; maybe that’s a term we should coin right now – container-native security companies that I knew of in the market. So I imagine it’s been some exciting times over there, yeah?

Osnat: Absolutely. It’s been a very fast train ride, amazing growth. You know, the enterprise market is adopting these technologies very rapidly, although I would say that we’re still in early stages of market, in terms of widespread adoption, right? So the companies we’re dealing with, it’s a growing number of large enterprises, but they are still – the teams we deal with within those enterprises are still kind of leading-edge, in most cases.

Shimel: Yeah, but you know what? We’re seeing container adoption at least in enterprises – I don’t know as much about the SMB market, but, in the enterprise market, container adoption is – I mean, the adoption rates are phenomenal. What I suspect, though, guys – and tell me if I’m wrong – is that it mirrors the cloud adoption, which was also on a similar path. So many of the Fortune 500 and the Global 2000 adopted cloud, but yet probably under ten percent of their critical infrastructure was in cloud. Right? It was more of a toe in the water than a headfirst dive.

Feit: Yeah, I think that’s a good point. You know, as Rani was saying, we’re definitely seeing accelerating usage. What we’re seeing is organizations more – on their next-generation application’s development, they’re moving to containers, potentially containers-as-a-server – you know, containers-as-a-service, and even beginning to experiment with some of the serverless technologies.

But, you know, there’s still a big bulk of their applications that are on old-school, legacy platforms. And, when they move to the cloud, they might just be going there in an infrastructure model. They’re putting it on a virtual machine, but they haven’t made the whole move over to cloud-native. But that’s changing. I mean, if you were developing a new application today, it’s most likely gonna be on one of these modern architectures.

Shimel: Sure. Sure, I don’t disagree at all.

Osnat: Yeah, I’ll add to that just one thing that, you know, you see – it’s true that, overall, if you look at the total number of workloads or applications that companies are running, even the early adopters in containers are still running a relatively low percentage of their applications on containers or serverless and other cloud-native technologies. But, in terms of mission criticality or whether it’s internal applications only or customer-facing applications, then we’re absolutely talking about a lot of mission-critical stuff.

You know, one of our customers, for example, is a very large and well-known brand in the entertainment industry. And they run applications that include things like revenue management and digital rights management and stuff like that, on their container infrastructure, which is on public cloud and VPCs, but still public cloud. So that’s an example of a very large company that’s not too shy about running these applications on containers, and, of course, they do their utmost to secure them properly.

Shimel: Sure. Sure. So, well, let me get right to it then, guys. Talk to me – what’s new at Aqua? We haven’t had you on the show in a while. We’ve run some stories on DevOps.com, Container Journal, Security Boulevard, but why don’t we give a quick update for the audience? Tell me what’s been happening. What is some of the new news at Aqua recently?

Feit: Yeah, I think one of the strengths of the company, having been an early leader in this space, has been our broad platform support, over time. You know, we were early, obviously, on Docker, but also one of the first recently to support CRI-O from Red Hat and we continue to expand our platforms. And there’re two interesting recent announcements that I think your audience might be interested in. And one was just a couple of weeks ago, late September. We had an announcement with Hitachi, where their enterprise cloud container platform and, basically, their cloud service for containers is, including Aqua, out-of-the-box.

So, when you subscribe to use this, you know, a lot of mid-sized-to-larger enterprises, where they want somebody providing a managed service for containers. They don’t wanna have to run it themselves; they’ll turn to somebody like Hitachi. And we made a big effort jointly with them to include multi-tenancy capability in our product – that was announced earlier this year – and it allows for these MSPs to host a number of customers, manage it all from one centralized console, keep all the data and policies separate, and it’s a significant new entry into the market.

And the other new news, just this week, was our support for the Pivotal Cloud Foundry system. And, basically, we had a few different pieces to that, but the press release was discussing – was launching our new capability – general availability of scanning capability for Pivotal droplets, if you will, and that’s their idea of container images. And so we have that on their Pivotal network, so you can download it and run that very, very easily. A lot of what’s happening in the space is “How do you make this more accessible and easier to implement?”

Osnat: Yeah, I think there’s a – I’d like to elaborate – there’s the bigger – the bigger picture is that, as Kubernetes specifically, as kind of the pivotal – no pun intended, but the pivotal component in the cloud-native space, the thing that everybody kind of hinges on, to orchestrate and manage their applications, Kubernetes is getting adopted as the de facto standard. But there are many ways to consume or build, using Kubernetes, and this is where the market – this is how the market is evolving. And I cannot emphasize enough how huge this market is going to be.

And so these modalities of how people use Kubernetes include cloud-based offerings, you know, from all the major cloud providers – GKE from Google, AKS from Azure, EKS from Amazon – that are all managed clusters of Kubernetes that you can run on those clouds. And the benefits there, of course, is that things are already kind of set up for you. They are more secure by default because they do take care of some of the aspects of authorization authentication, controlling access to the master node and the cluster, but, as it is with the shared-responsibility model in the cloud, they will not touch your actual workloads or what code you’re running there, how you network the applications in your clusters, et cetera. So that’s one mode.

Another mode is you can run things on-prem and use one of the management platforms, and they can be Pivotal with PKS or Red Hat with OpenShift or one of the dedicated pureplay players, like Rancher, who’re doing a fantastic job. And, of course – and there are many consulting firms that can help you set up your Kubernetes and, of course, you could also do it on your own. Although I would have to say that, in most cases that we see, you need a very good reason why you would build a vanilla Kubernetes environment on your own because it’s not easy to do; it’s not easy to do well. There’s a skills shortage out there. And it’s a pretty big undertaking to do that. So most people go into one of those or more than one of those managed offerings.

And so, when we look at it, as a security vendor, it’s our aim to support all these modalities and make the security component consumable in a very easy way, right? So that’s what we’re doing with Hitachi, where we’re embedded into their offering. That’s why we’re supporting things like PKS and Rancher and OpenShift that we’ve been supporting for a long time. And that’s also why we’ve announced, earlier this year, the availability of our software as an on-demand, consumption-based product, in the Kubernetes apps marketplace that Google launched. And this is something that allows people, basically, to run GKE nodes on demand and then have those nodes secured as part of that cluster and only pay for what they actually consume or what they actually run per minute – or, actually, it’s not per minute; it’s per – is it per – no, it’s per hour.

Feit: Per hour, yeah.

Osnat: So – it’s per hour, not per minute. Per hour. But, you know, still. And so the aim is really to  make this accessible to everyone and this is where you can see either applications groups within larger enterprises that don’t need to set up the whole infrastructure right now, and they’re happy to consume things on Google Cloud or other clouds. And you also see SMBs that are getting into Kubernetes, not small businesses but mid-sized businesses that are getting into Kubernetes. And then they can enjoy the same level of security as the enterprises.

Shimel: Sure. Sure. So, guys, listening to you talk, Rani, I’m kind of reminded, early on, before there was a cloud, I had helped start a company in what they called the “ASP” market, the application service provider. And what we found daunting was, though, is that you can’t support everybody’s platform. So you do a Hitachi and you do the next guy and the next guy and the next guy. What about the sixth one? The seventh one? At some point, there’s gotta be a – you know, this is why they invented APIs and stuff like that, _____ _____ standard connector that allows you to plug and play, without customizing for every one of these platforms, no?

Osnat: Well, the beauty of it is that Kubernetes itself is open-source.

Shimel: Right.

Osnat: So it’s standardized. So all the stuff we talked about are flavors of Kubernetes. There are some differences, but those differences are not at the core. They’re in the peripheral areas, like how you connect or how you authenticate. It’s not the actual, physical part of what the cluster looks like, how you run nodes. All the mechanics of these things are the same. People use the API server on the node, etcd, kubelets, and so forth. So it’s all – the internals are identical. And so there are some tweaks we need to make, for example, to make our stuff run on the cloud, the managed-cloud offerings, or on Pivotal or on OpenShift, but the core remains the same. So that’s the beauty of it.

And I think standardization is improving, as opposed to the other way around, so –

Feit: And I would add that we’re seeing more and more enterprise customers move towards a multicloud model. Very few of these bigger companies are saying, “Oh, I’m only gonna be on Azure. I’m only gonna be on AWS.” So they’re running things on premise, in platforms like Pivotal or VMware and PKS and they’re running things on multiple clouds because they want that flexibility and leverage frankly, on the pricing models, to use the right cloud for the right application. And so I don’t know that we’ll ever – you know, we will continue to add platforms, really, based on marketshare and demand from our customer base, but we’re definitely seeing there’s a big market out there and a lot of vendors are going there. So I think you will see more platforms from us – hey, we’re not ready to name names, but it probably doesn’t stop at six or seven. Over time, it probably grows to even more.

Shimel: I agree with you. You know, and remember when Microsoft said, “Lotus – ” “Well, Windows ain’t done till Lotus don’t run”? And they embraced and extended open-source. Not today’s Microsoft. This is the old Microsoft. But, still, it goes to show you, if every single person takes open-source and puts their own little twist on it, before you know it, you don’t have very much open source, right? And that, I think, is a danger that you need to watch, as a community, right? That it’s not embraced and extended to death here. Otherwise, you think of Unix and all the different _____ flavors, right?

Osnat: And, by the way, we ourselves also have some open-source offerings for Kubernetes users, that are very well-adopted now and are actually – we also get some contributions from the community, so it’s real open-source. And they are around security, but they’re tools that we felt we could provide that are not really tied to anything. They can operate independently, so that there’s no interdependency with anything that we do commercially. And those tools are Kube-Bench, which has been around for a while – it’s basically an implementation of the CIS benchmark tests, so it runs all the CIS benchmark, for Kubernetes, tests on your cluster and gives you a report.

And that’s very widely used. And, more recently, we open-sourced a tool called “Kube-Hunter,” which is a penetration-testing tool that simulates attacks, known attack vectors, on your cluster. There’s currently about two dozen attack scenarios that it employs, but members of the community are adding more. And it actually works in two modes: you can run it externally or remote, on your cluster, so it simulates an external attack and you can also run it within a pod in your cluster and then it simulates a situation where someone has already penetrated your cluster and is attacking it from within. And this has been also very well received. And both are available on GitHub-slash-Aqua-Security, so people are welcome to try them out.

Shimel: Excellent. Excellent. Excellent. Guys, let me – we’re running over where I wanted to be, but I wanted to discuss KubeCon, the upcoming KubeCon conference. December 10th or – yeah, I think it’s December 10th through the 12th or 13th, out in Seattle, is this year’s North American KubeCon. I know Aqua are teaming up with some folks and doing something special. Why don’t you tell our audience a little bit?

Feit: You bet. Yeah, thanks for bringing that one up, Alan. We are planning the very first, what we’re calling, “KubeSec Enterprise summit,” so Kubernetes security for enterprises. And the idea here is, obviously, a lot of people been going to KubeCon for a couple of years now and there’ve been sessions there about securing it. But the focus here is on people who are actually deploying in production or looking to deploy in production and are dealing with things like compliance issues and the challenge of making sure that they’re fully protected. And so this is aimed at mid-sized and larger companies. People are really talking about rolling out these cloud-native applications in production and how you do that securely. And we’ve got a great agenda planned, so we’re doing this along with the CNCF. We’re colocated in Seattle at the convention center the day before KubeCon opens. So our event is on the 10th and you can actually register for it right on the KubeCon + CloudNativeCon website – you can add the KubeSec Enterprise summit to your badge and registration. And we’ll be doing an event.

The focus of this is – and we’re doing it in conjunction, first of all, with Amazon Web Services and also with Red Hat, so it’s three of us hosting this event. But it really isn’t a vendor event. We’re striving – right now, we’ve got an open call for papers and presentations going on. We’re striving to get the voice of the customer here. We’ve got a number of committed customers at this point. You can see our agenda live on – it’s linked from the CNCF site. But those customers are talking about their experiences in the real world, implementing Kubernetes in a secure manner. And everything from best practices, integration with other applications, cultural shifts – I mean, the whole move to DevSecOps and “How do you structure your organization in order to deal with security around these new tools?” And everything in between.

We’ll be having some panel conversations and bringing in third-party speakers, industry analysts, so it’s gonna be a great event. It’s an all-day event on that Monday before the show officially kicks off, but, for those people who are going to KubeCon, it’s a great way to get an enterprise perspective on security. And I’d love to have your listeners join us for that.

Shimel: Absolutely. I think you may have me join you for that.

Feit: Absolutely welcome, Alan.

Shimel: _____ sounds great and I’m looking forward to _____ –

Osnat: We’d love that, Alan.

Shimel: Yeah, we’ll talk more about it between now and then. And, again, that’s December 10th, Monday of KubeCon week, out in Seattle. Guys, we’re on over time here a little bit, but I just wanted to kind of wrap things up. Another big story or trend that I’m seeing is a lot of people raising a lot of money in this DevOps, modern software space, if you will – modern software development space. We saw JFrog raise $165 million. _____ GitHub, couple weeks ago, $100 million. Companies are getting bought around the mobile application. Perforce bought a mobile app –

Osnat: Perfecto.

Shimel: Sorry, Perfecto Mobile _____ _____ day. I know you couldn’t talk about it, even if you could, but, a rising tide does lift all boats. Where’s this leave Aqua?

Osnat: So, at the moment – we had a very nice B round last year of $25 million, and we’re currently not looking for additional funding. We are in a space that’s a bit crazy right now, in terms of the investment. We know that. And, you know, if we feel that we need to raise more cash, I’m sure we’ll be able to, at some point. But, right now, we’ve grown very nicely organically, without burning too much cash, so we’re on track as far as we’re concerned.

Shimel: Good for you. You know, a smarter man than me once told me the time to raise cash is when you don’t need it. But –

Osnat: That’s true.

Shimel: Anyway. Rani Osnat and I just – Mr. Feit, I drew a blank on your first name.

Feit: “Andy.” Come on, Alan.

Shimel: Andy Feit.

Feit: That’s all right.

Shimel: Starts with an “A” like me and I forgot, but I’m old. You have to excuse me. Andy Feit, Rani Osnat of Aqua Security here with us on DevOps Chats. Guys, thanks so much for joining us. Let’s do another catchup, certainly, before KubeCon and KubeSec Con, and we’ll talk more about that. And continued success with Aqua Security.

Osnat: Thank you very much, Alan.

Feit: Yeah, thanks, Alan.

Shimel: All right.

Feit: Thanks.

Shimel: Rani, Andy, have a great day. This is Alan Shimel for DevOps.com. You’ve just listened to another DevOps Chat.

Alan Shimel

As Editor-in-chief of DevOps.com and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on DevOps.com and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.

Alan Shimel has 28 posts and counting. See all posts by Alan Shimel