Sysdig today announced it intends to acquire Apolicy to add the ability to automatically remediate misconfigurations in container infrastructure provisioned using tools such as Terraform. Terms of the deal were not disclosed.
Suresh Vasudevan, CEO of Sysdig, says Apolicy employs the Open Policy Agent (OPA) to first discover misconfigurations, which it can then automatically remediate based on policies defined by an IT team and enforced via the Kubernetes admission controller.
Cloud infrastructure provisioned using tools such as Terraform or CloudFormation from Amazon Web Services (AWS) is often rife with misconfigurations, because the developers who use these tools frequently lack cybersecurity experience. As a result, it is not uncommon for cybercriminals to take advantage of misconfigurations such as unnecessarily exposed ports to gain a foothold and exfiltrate data.
Now being advanced under the auspices of the Cloud Native Computing Foundation (CNCF), OPA provides a means to enforce compliance as code. Vasudevan says that while OPA is designed for containerized applications, an effort to extend the reach of OPA to legacy platforms is being discussed.
In the meantime, as more new applications are built using containers, the Remedy platform makes it possible to shift more responsibility for compliance and security further left toward developers, says Vasudevan. As developers write code, the Remedy platform will identify misconfigurations and suggest a remediation, he says. Those recommendations can be applied within the context of a pull request made as part of a GitOps workflow or surfaced via a job ticket within Atlassian’s popular Jira project management application that is widely employed by software development teams, he adds.
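To make the "compliance as code" idea concrete, here is a small OPA policy of the kind the article describes: it finds Pod misconfigurations, works unchanged whether the input is a raw manifest checked in a pull request or the object inside a Kubernetes AdmissionReview, and emits a suggested fix as a JSON Patch that a PR bot could apply. This is an added example written for this page; it is not Apolicy's or Sysdig's code, and the package name, rule names and the sample Pod are all constructed for illustration. It assumes OPA 0.59 or later (the `rego.v1` import).

```rego
package policy.pod_security

import rego.v1

# Resolve the Pod under evaluation from either entry point:
#  - at admission time OPA receives a Kubernetes AdmissionReview and the object
#    being created or updated sits at input.request.object;
#  - in a CI job or pull-request check the manifest itself is the input.
# The two definitions cannot both match, so the complete rule never conflicts.
pod := input.request.object if {
	input.request.object.kind == "Pod"
}

pod := input if {
	input.kind == "Pod"
}

# Every container in the Pod, init containers included.
containers contains c if {
	some c in pod.spec.containers
}

containers contains c if {
	some c in pod.spec.initContainers
}

# Findings. Each rule yields one human-readable message per violation.
deny contains msg if {
	pod.spec.hostNetwork == true
	msg := "pod shares the node network namespace (hostNetwork: true)"
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q runs privileged", [c.name])
}

# A missing field is also a finding: "not ... == false" is true both when the
# field is absent and when it is explicitly true.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q does not set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# Suggested remediation for the escalation finding, as an RFC 6902 JSON Patch.
# "add" on an existing securityContext replaces it, so existing fields are merged
# in first rather than overwritten. The privileged flag is deliberately left for a
# human to decide, since removing it may break a workload that genuinely needs it.
patch contains p if {
	some i, c in pod.spec.containers
	not c.securityContext.allowPrivilegeEscalation == false
	p := {
		"op": "add",
		"path": sprintf("/spec/containers/%d/securityContext", [i]),
		"value": object.union(object.get(c, "securityContext", {}), {"allowPrivilegeEscalation": false})
	}
}

# Constructed sample inputs for `opa test`; they are not taken from the article.
bad_pod := {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "web"},
	"spec": {
		"hostNetwork": true,
		"containers": [{
			"name": "app",
			"image": "registry.example.com/app:1.2.3",
			"securityContext": {"privileged": true}
		}]
	}
}

good_pod := {
	"apiVersion": "v1",
	"kind": "Pod",
	"metadata": {"name": "web"},
	"spec": {"containers": [{
		"name": "app",
		"image": "registry.example.com/app:1.2.3",
		"securityContext": {"allowPrivilegeEscalation": false}
	}]}
}

test_bad_pod_denied if {
	count(deny) == 3 with input as bad_pod
}

# The same Pod wrapped in an AdmissionReview produces the same findings.
test_admission_review_denied if {
	count(deny) == 3 with input as {"kind": "AdmissionReview", "request": {"object": bad_pod}}
}

test_patch_keeps_existing_security_context if {
	ps := patch with input as bad_pod
	count(ps) == 1
	some p in ps
	p.path == "/spec/containers/0/securityContext"
	p.value == {"privileged": true, "allowPrivilegeEscalation": false}
}

test_hardened_pod_allowed if {
	count(deny) == 0 with input as good_pod
}
```

Run `opa test policy.rego` to execute the embedded cases, or `opa eval --input pod.json --data policy.rego "data.policy.pod_security.deny"` against a real manifest in a pipeline step. Wiring the same rules into the API server is a separate step: a validating webhook has to return an AdmissionReview response (for plain OPA, a `system.main` rule that builds it; with Gatekeeper, a ConstraintTemplate wrapping the `deny` logic), and that plumbing is intentionally not part of this example.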
In the longer term, Sysdig also plans to integrate Apolicy's remediation capabilities with the rest of the Sysdig monitoring portfolio to, for example, address overprovisioning of Kubernetes infrastructure resources. In general, IT organizations are increasingly asking providers of IT monitoring and security tools to not only surface issues but also provide the ability to fix those issues, once discovered, within the same platform, notes Vasudevan.
It is not clear whether better security will accelerate the rate at which cloud-native applications based on containers are built and deployed. In the wake of a series of high-profile cybersecurity breaches, many organizations are now reevaluating their software supply chain processes with an eye toward enabling developers to better secure DevOps workflows and pipelines. That becomes easier to achieve using tools that explain to developers where and how a misconfiguration is likely to result in a security issue, says Vasudevan.
Of course, there may come a day when automation simply renders the misconfiguration issue moot. In the meantime, cloud service providers, as part of a shared responsibility approach to cybersecurity, will continue to hold IT organizations accountable both for how they provision cloud infrastructure and for how they secure the software they deploy on it. The challenge IT organizations still encounter is that developers do not understand what that shared responsibility actually requires of them every time they deploy or update their software.