Aqua Security has extended its container security alliance with Pivotal Software to include containerized applications running on the distribution of the Cloud Foundry platform-as-a-service (PaaS) that Pivotal makes available.
The two companies already have a relationship involving Pivotal Container Service (PKS), a distribution of a Kubernetes platform that Pivotal curates in collaboration with sister company VMware. Aqua Security will now extend the reach of its container security platform to include both containers running on the core Cloud Foundry PaaS environment that are orchestrated using the Diego engine developed by the Cloud Foundry Foundation (CFF) and an alpha instance of the Cloud Foundry runtime environment for Kubernetes.
Rani Osnat, vice president of product marketing for Aqua Security, says Cloud Foundry and Kubernetes are similar from a cybersecurity perspective because they both are employed to build and deploy microservices-based applications using different types of containers. The CFF has signaled its intent to standardize the lower levels of the Cloud Foundry PaaS on Kubernetes. In the meantime, however, there are many containerized applications running on the Cloud Foundry distribution from Pivotal that need to be secured. The Aqua Security approach will make it possible to secure containerized applications running on top of Cloud Foundry and Kubernetes using the same security framework, he says.
Naturally, Pivotal is hoping organizations will elect to deploy PKS alongside its distribution of Cloud Foundry. PKS may have arrived later than other distributions of Kubernetes, but Osnat notes it is picking up momentum in VMware environments. However, many organizations may elect to employ a different distribution of Kubernetes. The Aqua Security platform makes it possible to secure the Cloud Foundry distribution from Pivotal Software alongside any combination of Kubernetes environments, Osnat notes.
Whatever path is chosen, more enterprises that have chosen to standardize on the Pivotal PaaS environment will be running applications across both Cloud Foundry and Kubernetes for many years to come. To facilitate the effort, the CFF has also launched Project Eirini, which enables Kubernetes to be employed as the orchestration engine in place of Diego in Cloud Foundry environments. That project is still in alpha.
In the meantime, the total cost of securing both environments could become lower as organizations adopt an Aqua Security platform capable of:
- Scanning applications for vulnerabilities during the continuous integration process.
- Provisioning policies to block unauthorized applications during the staging phase.
- Continuously scanning and monitoring artifacts for vulnerabilities, malware and user activity.
- Applying host assurance policies; detecting and blocking unapproved changes to running application workloads.
- Monitoring and controlling application activity based on customized policies.
- Viewing application network connections and applying firewall rules to whitelist authorized connections.
- Accessing audit trails.
The challenge, of course, will be getting the developer and cybersecurity teams working in both environments to collaborate, at a time when sensitivities concerning whether Kubernetes may usurp Cloud Foundry PaaS environments are still running high within many enterprise IT organizations.