Our core mission at Alice&Bob is to help customers embark on the most secure, fast, and successful cloud journey there is. As a result of this, we are frequently investigating the best ways to secure application workloads. Today, our customers face the challenge of delivering the highest levels of traditional IT security while taking advantage of revolutionary new technologies and architectures enabled by the Cloud’s power.
We strongly believe defense-in-depth is the best approach to meeting these challenges. While one may have relied on perimeter security in traditional data center security, being cloud-native can (and must) deliver security in every aspect of your cloud and application life-cycle. Therefore customers often approach us with the question: How can we deploy state-of-the-art serverless and container workloads while maintaining (and exceeding) our security requirements?
Frequent readers of our blog will know our mantra of “People, Process, and Tools” to deliver a comprehensive cloud security strategy. That’s why, today, we want to present to you our new partner: Aqua Security (Aqua). Aqua is the largest pure-play cloud native security company, providing a security tool belt that protects your entire DevOps application lifecycle whether that be for Kubernetes, Serverless functions like Lambda, or VMs. (Make sure to check out our other blog posts regarding the Security Champions Program, addressing people and processes).
However, before we start, we want to provide a little additional context.
A potted history of containers
Unless you’ve been living under a rock, you’ll likely have noticed the rise of container technologies over the last eight years or so, beginning with the release of Docker in 2013. However, Docker did not invent containers, and in the time since it brought the possibilities of containerized workloads to a larger audience, multiple competing container runtimes have emerged.
It immediately became apparent that, although containers are very convenient to manage a single application’s whole life-cycle, organizing a fleet of containers to deploy a microservice architecture is not significantly more convenient than using traditional VMs. Nobody should or has considered going back to monolith architectures just for the sake of using containers.
Lo and behold: the Dawn of container orchestrators
There has been a brief period where multiple orchestrators competed to deliver containerized applications’ ease of use onto arbitrary size clusters. Docker itself developed “Swarm” and “Docker-Compose” Apache integrated container orchestration into their Mesos project, and Google published Kubernetes as an open-source version of their internal orchestrator Borg. Today, Kubernetes has been the clear winner among the orchestrators, and its development has transferred to the Cloud Native Computing Foundation. With a dedicated organization behind its back, containers and its ecosystem are maturing rapidly, yet it is still a bleeding-edge technology, and many pitfalls are yet to be overcome.
Next level Kubernetes
Everyone who tried running Kubernetes in production has quickly noticed that running it securely is quite tricky. Whether it‘s vanilla Kubernetes or managed Kubernetes like EKS on AWS, everyone who tried to implement a comprehensive security strategy quickly realised this is still in its infancy.
Even though AWS offers many sophisticated security tools, Aqua delivers the same security level inside a Kubernetes cluster as AWS does for its native cloud services.
We at Alice&Bob have been frequently approached by customers to help them overcome this gap. While traditional and AWS native workloads can tap into the vast offering of AWS security services, securing workloads in EKS/Kubernetes is very much your venture to undertake. While we are always eager and up for new challenges and bleeding edge engineering, implementing your own security framework on a greenfield project is a difficult proposition for any company subject to industry standards and certification. These are the reasons why we are very proud to announce this partnership.
Aqua is the perfect fit to close the gap between the in-depth security experience of cloud-native AWS services and the container world to deliver the same security level both inside and outside of your Kubernetes cluster. Aqua enables Alice&Bob to offer you all your security requirements at every step of your containerized application life-cycle, tightly integrated into your AWS setup and toolchain, as Aqua is an AWS certified advanced technology partner.
“As an Advanced APN member and Container Competency technology partner, Aqua provides highly-integrated security controls for cloud-native applications on AWS, supporting managed container services, such as Amazon ECS for container orchestration, Amazon EKS for Kubernetes-based deployments, AWS Fargate for on-demand container scaling, AWS Lambda for serverless functions, and Amazon ECR for storing and managing container images.”https://www.aquasec.com/solutions/aws-container-security/
To give you an idea of what Aqua brings to the table, we want to highlight some of its features, delivering you the next level of Kubernetes security.
Super Power #1: Image Vulnerability Scanning & Assurance
Aqua prevents unauthorized images from running in your AWS environment. It continuously scans images stored in Amazon ECR to ensure that DevOps teams do not introduce vulnerabilities, wrong configurations, or secrets into container images. Get actionable recommendations for remediation of security issues.
Super Power #2: Cloud VM Security and Compliance
Aqua protects workloads running on Amazon EC2 instances and ensure they are properly hardened. Scan for vulnerabilities and malware, apply File Integrity Monitoring (FIM), check configuration against the CIS Benchmark for Linux, and monitor user access and activity. Create a command-level audit trail for compliance and forensics.
Super Power #3: Serverless Function Risk assessment and Mitigation
Aqua continuously scans Lambda functions in AWS accounts to ensure that developers don’t introduce vulnerabilities into function code, leave access keys in environment variables, or create overly permissive roles. Define security policies for AWS Lambda functions and alert or prevent the execution of tasks that violate the guidelines.
Super Power #4: Protect Applications in Runtime
Aqua prevents unvetted containers from running in your Amazon ECS, EKS, and Fargate environments. Automatically create security policies based on container behavior and ensure that containers only do what they are supposed to do in the application context. Detect and prevent activities that violate the policy, and defend against container-specific attack vectors.
Super Power #5 (Last but not least): Deep integration into your environment
The last superpower we want to mention is that Aqua integrates into nearly every CI/CD, SIEM, Monitoring, and Collaboration tool worth mentioning. Therefore Aqua will quickly become a trusted companion of your cloud journey.
All that is only a small part of the features Aqua delivers, and we’re proud to have them on our side. Together we will revolutionize the way clients deliver, secure, and control their application, giving you a powerful tool, combined with specialist know-how from A&B.