Aqua Container Security Platform 2.0 Introduces Container-Level Network Nano-Segmentation

February 2, 2017 – Ramat Gan, Israel – Aqua Security, provider of the leading platform for securing containerized applications, today announced the release of version 2.0 of its Container Security Platform (CSP). Aqua CSP Version 2.0 features automated nano-segmentation of container network traffic, cross-platform secrets management, and sensitive data discovery. Other enhancements include management by labels, integration with Atlassian Jira, and large-scale vulnerability scanning.

Container Network Nano-Segmentation

A key requirement for securing containerized applications is ensuring that containers can only communicate within their permitted network segment, limiting the “blast radius” in case of an attack. The challenge is to do so without hindering the container’s ability to perform legitimate application functions that require communication within the host or across hosts, on-premises or in the cloud.

“Traditional host-based security agents don’t understand containers and lack the context to enforce different policies on different containers in the same host,” notes Neil MacDonald, VP Distinguished Analyst at Gartner Research. “Depending on the network architecture used, container-to-container traffic within a physical host may not be visible to external network firewalls and intrusion detection and prevention systems.” *

Version 2.0 of the Aqua CSP automates the creation of network nano-segments that limit container network connectivity based on the application context and needs, regardless of physical location, IP address or other network properties.

Key features include:

  • Automatic discovery of containerized application network topology
  • Automated creation of network nano-segments based on the container’s observed activity
  • Context-based container firewall that supports service-oriented rules
  • Detection or prevention mode, which either alerts on or blocks unauthorized network connections

For a detailed description and video of Aqua’s nano-segmentation feature, visit Aqua’s blog.
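The discovery-then-enforce model described above, as an added illustration that is not Aqua’s code: a learning window of observed container flows is turned into allow rules keyed on service labels (not container names or IPs), and new connections are then judged in detect or prevent mode. The container names, service labels and flows are constructed sample data.

```python
# Constructed discovery data: the service label each container carries,
# and the flows observed while the application ran in a learning window.
CONTAINERS = {
    "web-1": "web", "web-2": "web",
    "api-1": "api", "db-1": "db", "cache-1": "cache",
}
OBSERVED_FLOWS = [  # (source container, destination container, dst port)
    ("web-1", "api-1", 8080),
    ("web-2", "api-1", 8080),
    ("api-1", "db-1", 5432),
    ("api-1", "cache-1", 6379),
]


def discover_segments(flows, containers):
    """Derive service-oriented allow rules from observed activity.
    Rules are keyed on service labels rather than container names or IPs,
    so they keep applying when containers are rescheduled or scaled out."""
    return {(containers[src], containers[dst], port) for src, dst, port in flows}


def evaluate(conn, rules, containers, mode="detect"):
    """Judge one connection attempt and return (allowed, alert).
    detect mode: connections outside the segment pass but raise an alert;
    prevent mode: they are blocked and raise an alert."""
    src, dst, port = conn
    key = (containers.get(src, "unknown"), containers.get(dst, "unknown"), port)
    if key in rules:
        return True, None
    alert = "unauthorized %s->%s:%d (segment %s->%s)" % (src, dst, port, key[0], key[1])
    return (mode != "prevent"), alert


if __name__ == "__main__":
    rules = discover_segments(OBSERVED_FLOWS, CONTAINERS)
    # A new web replica, wherever it lands, inherits the web->api rule.
    live = {**CONTAINERS, "web-3": "web"}
    print(evaluate(("web-3", "api-1", 8080), rules, live))            # (True, None)
    print(evaluate(("web-3", "db-1", 5432), rules, live, "prevent"))  # blocked + alert
```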

Secrets Management and Discovery

Managing secrets such as passwords and security tokens is particularly challenging in container environments due to the dynamic and ephemeral nature of containers. Storing secrets inside a container image risks exposing them to anyone with access to that container, as well as to potential intruders. Providing secrets as an environment variable when running a container is also challenging, since it lacks the visibility and centralized control needed for handling sensitive information.

Aqua CSP 2.0 introduces a complete solution for securely managing and discovering secrets in the container pipeline, regardless of the choice of orchestrator or runtime environment. Here are the highlights:

  • Central visibility and control over container secrets from the Aqua Management Console. Administrators can define access control policies to allow specific secrets to be accessible only to intended users and containers.
  • Integration with HashiCorp Vault, the leading solution for secrets management, allows customers to enjoy Vault’s highly secured secrets database and management features.
  • Secrets are injected into the container as it runs, where they remain in memory and stay invisible to the host. This removes the risk of placing the secret inside the container, where it may be exposed to unintended host users or intruders.
  • Aqua’s vulnerability scanner now also performs secrets discovery, scanning container images for exposed credentials such as AWS tokens, SSH keys, and clear-text passwords. This allows organizations to remove secrets from images as part of their CI/CD process and place them in the secrets vault instead, where they are protected.

“We’re excited about Aqua’s integration with HashiCorp Vault,” said Burzin Patel, VP Worldwide Alliances at HashiCorp. “Users can now securely inject secrets stored in Vault into containers as and when needed, extending the value customers get from Vault and ensuring that secrets are not stored or left exposed in the container runtime environment.”

For a detailed walkthrough and video of Aqua’s secrets management feature and Vault integration, visit our blog.
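A minimal version of the secrets-discovery scan named above, added here as an example and not Aqua’s scanner: it walks a constructed set of files extracted from an image and flags the three secret classes the release mentions (AWS access keys, SSH private keys, clear-text passwords), masking matches so the scan report never echoes the full secret. The file contents are constructed; the AWS key is the placeholder value from AWS documentation.

```python
import re

# Constructed sample of files extracted from a container image's layers.
# The AWS key is the well-known placeholder from AWS documentation.
IMAGE_FILES = {
    "/app/main.py": "import os\nprint('hello')\n",
    "/app/config.py": "DB_HOST = 'db'\nDB_PASSWORD = 'hunter2'\n",
    "/app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-east-1\n",
    "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
}

# Detection patterns for the three secret classes named in the release.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "cleartext_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]+)"),
}


def mask(value):
    """Keep only a short prefix so findings can be shared (e.g. in a ticket)."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_image(files):
    """Scan every file line by line against each pattern and return findings as
    (path, line_no, kind, masked_match) tuples, suitable for a CI gate."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for kind, pat in PATTERNS.items():
                m = pat.search(line)
                if m:
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append((path, line_no, kind, mask(secret)))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, shown in scan_image(IMAGE_FILES):
        print("%s:%d %s %s" % (path, line_no, kind, shown))
```

A real scanner would walk each image layer on disk (or the merged filesystem) and fail the build when findings is non-empty.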

Additional Features in Aqua CSP 2.0

Driven by enterprise customer requirements, Aqua CSP 2.0 includes many additional new features:

  • Management by Labels: Every entity (host, image, service, policy rule, user) in the Aqua console can now be labeled, making it easy to manage large-scale deployments and segment them according to application, stage (e.g., dev/test/staging/production), trust level, tenancy, etc.
  • Atlassian Jira Integration: When vulnerabilities are discovered in container images during the development process, it is up to the dev team to fix them. With this new integration, Aqua closes the information loop by directly opening tickets in Jira with the specific image, package and CVE information, streamlining the process.
  • Vulnerability Scanning on a Large Scale: Aqua’s vulnerability scanner for Docker images has been revamped, and now scales automatically to handle thousands of image scans in minutes. For additional details and video of this feature, visit Aqua’s blog.
  • SAML Single Sign-On: Aqua’s Command Center now supports SAML for enterprise SSO, making deployment and user access control fast and easy.

“Aqua CSP 2.0 represents a leap in our ability to secure containerized applications in enterprise deployments,” said Amir Jerbi, Aqua’s CTO and co-founder. “With advanced features, such as nano-segmentation and secrets management, we address real customer pain points while adhering to our ‘automate everything’ credo to keep security simple and manageable.”