Sysdig Adds gVisor Support to Falco Container Security Platform

Sysdig is adding gVisor support to Falco, its open source tool for protecting container runtimes. gVisor is an open source alternative to virtual machines that provides a lightweight sandbox for isolating Docker containers running on Kubernetes clusters.

Edd Wilder-James, vice president of open source ecosystem at Sysdig, said gVisor needs to be integrated with platforms such as Falco to give IT teams observability into security events that would otherwise go unseen. It is now possible to collect and analyze security events from gVisor, he said.

Created by Sysdig and contributed to the Cloud Native Computing Foundation (CNCF) in 2018, Falco makes it possible to assess risk and detect threats using a set of rules that trigger security alerts. It detects unexpected behavior, configuration changes, intrusions and data theft in real time, enabling IT teams to programmatically enforce security policies.

With the Falco-gVisor integration, gVisor users only need to instrument each host rather than every application for monitoring, which lets Falco monitor both containers and nodes.
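To make the rules mechanism concrete, the following is an added example of a minimal Falco rules file; it is not taken from the article or from the Falco project's default ruleset, and the list, macro and rule names, the priority and the tags are chosen for this illustration. It flags an interactive shell started inside a container, a common early sign of a compromised pod. The rule file itself is independent of where the events come from, so the same rule applies whether Falco sees syscalls from the host kernel driver or, with the integration described above, from a gVisor sandbox.

```yaml
# Added example: a minimal Falco rules file, not from the article or the Falco
# project's default ruleset. Names (the list, macros, rule title, priority and
# tags) are chosen for this illustration.

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# A process is "spawned" when an execve/execveat syscall returns (exit event).
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

# Falco reports processes that are not in a container with container.id = host.
- macro: container
  condition: (container.id != host)

- rule: Interactive shell spawned in container
  desc: >
    Detects an interactive shell (one with a controlling terminal) started
    inside a container. Legitimate workloads rarely need this; it is a common
    first step after an exec into a compromised pod.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name container=%container.id image=%container.image.repository
     shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
```

Saved as `rules.yaml`, the file is loaded with `falco -r rules.yaml`. The `proc.tty != 0` check is what separates an operator running `kubectl exec -it` (or an attacker doing the same) from non-interactive shell scripts that many images run at startup; tuning that boundary for a given environment is where most of the work on a rule like this goes.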

Sysdig reports that 45 million instances of Falco have been downloaded. How many instances of gVisor are in use is less clear. The gVisor container runtime provides a kernel that runs as a normal, unprivileged process and supports most Linux system calls. gVisor is written in Go, and each sandbox gets its own kernel and set of virtualized devices that are distinct from the host and from other sandboxes.

That approach provides a level of isolation by intercepting application system calls and acting as the guest kernel while running in user space. gVisor is designed to adjust dynamically to changing resource requirements, much like a paravirtualized operating system, unlike a virtual machine that requires a fixed amount of resources. However, compliance teams are not likely to approve a sandbox that cannot be observed by a cybersecurity tool, notes Wilder-James. IT teams should also expect additional integrations via the plug-in architecture on which Falco is based, he adds.

Most containers today are deployed on virtual machines for two reasons. The first is simply a lack of tooling for deploying containers on a bare metal server. The second is concerns about the level of isolation that can be attained when deploying containers on a bare metal platform. Via gVisor, Google is providing an alternative approach to isolating containers that eliminates the need to rely on hypervisors within a virtual machine to isolate containers.

It remains to be seen how that alternative approach will be received in enterprise IT organizations that have made massive investments in virtual machines over the last two decades. But as resource utilization becomes a bigger issue for containerized applications deployed in production environments, it is only a matter of time before the overhead of the virtual machine itself becomes a more significant concern.

Additionally, some organizations may prefer gVisor as an alternative to licensing a commercial virtual machine platform such as VMware vSphere.

Regardless of approach, isolating containers improves the overall security posture of a containerized application environment. Too many developers assume that because a container runs for only a few seconds, a cybercriminal will not have time to discover and exploit it. But as they become more familiar with containers as software artifacts, cybercriminals are now continuously scanning for vulnerabilities wherever they can be found.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
