Aqua Security, platform provider for securing containerized applications, released Thursday version 2.0 of its Container Security Platform (CSP). Aqua CSP Version 2.0 features automated nano-segmentation of container network traffic, cross-platform secrets management, and sensitive data discovery.
Other enhancements include management by labels, integration with Atlassian Jira, and large-scale vulnerability scanning.
Version 2.0 of the Aqua CSP automates the creation of network nano-segments that limit container network connectivity based on the application context and needs, regardless of physical location, IP address or other network properties.
Its key features include automatic discovery of containerized application network topology; automated creation of network nano-segments based on the container’s activity; context based container firewall that allows service-oriented rules; and detection or prevention mode, allowing to either alert on or prevent unauthorized network connections.
Aqua creates nano-segments automatically based on container metadata and activity. Each container invoked by an orchestrator is automatically assigned to a logical service.
To define a nano-segment Aqua simply monitors the network activities of the service in a runtime environment – this could be a testing, staging, or product environment. This monitoring identifies inbound and outbound network connections of the containers within the service, including to/from other containers, services, IP addresses and public Internet access.
Once Aqua concludes that the network topology has been identified, with no new connections being formed, it automatically creates a security policy that captures all of those interactions, essentially whitelisting them as legitimate connections. This policy will follow the service where it goes, regardless of physical location, orchestration tools, or network overlays.
With nano-segmentation in place, containers will be prevented from accessing resources outside their respective nano-segments, and such attempts will also generate alerts and audit events.
Aqua CSP 2.0 introduces a complete solution for securely managing and discovering secrets in the container pipeline, regardless of the choice of orchestrator or runtime environment. It delivers central visibility and control over container secrets from the Aqua Management Console. Administrators can define access control policies to allow specific secrets to be accessible only to intended users and containers.
The offering integrates with HashiCorp Vault, an offering for secrets management, allows customers to enjoy Vault’s highly secured secrets database and management features. Secrets are injected into the container as it runs, where they remain in memory and stay invisible to the host. This removes the risk of placing the secret inside the container, where it may be exposed to unintended host users or intruders.
Aqua’s vulnerability scanner now also includes scanning for secrets discovery within container images, such as AWS tokens, SSH keys, and clear-text passwords. This allows organizations to remove secrets as part of their CI/CD process, and instead place them in the secrets vault, where they are protected.
“We’re excited about Aqua’s integration with HashiCorp Vault,” said Burzin Patel, VP Worldwide Alliances at HashiCorp. “Users can now securely inject secrets stored in Vault into containers as and when needed, extending the value customers get from Vault and ensuring that secrets are not stored or left exposed in the container runtime environment.”
Driven by enterprise customer requirements, Aqua CSP 2.0 includes management by labels with every entity (host, image, service, policy rule, users) in the Aqua console can now be labeled, making it easy to manage large-scale deployments and segment them according to applications, stages (e.g., dev/test/staging/production), trust level, and tenancy.
It also includes Atlassian Jira integration: When vulnerabilities are discovered in container images during the development process, it is up to the dev team to fix them. With this new integration, Aqua closes the information loop by directly opening tickets in Jira with the specific image, package and CVE information, streamlining the process.
It also delivers vulnerability scanning on a large scale. Aqua’s vulnerability scanner for Docker images has been revamped, and now scales automatically to handle thousands of image scans in minutes. Aqua’s Command Center now supports SAML for enterprise SSO, making deployment and user access control fast and easy.
“Aqua CSP 2.0 represents a leap in our ability to secure containerized applications in enterprise deployments,” said Amir Jerbi, Aqua’s CTO and co-founder. “With advanced features, such as nano-segmentation and secrets management, we address real customer pain points while adhering to our ‘automate everything’ credo to keep security simple and manageable.”
“Traditional host-based security agents don’t understand containers and lack the context to enforce different policies on different containers in the same host,” notes Neil MacDonald, VP Distinguished Analyst at Gartner Research, “Depending on the network architecture used, container-to-container traffic within a physical host may not be visible to external network firewalls and intrusion detection and prevention systems.”
