Aqua and HashiCorp Enable Cloud Native Security, Zero-Trust Approaches

We’re delighted to announce our recent achievement of Premier tier status in HashiCorp’s partner ecosystem – a significant milestone in helping our mutual customers automate security and compliance as part of the cloud journey, and manage risk more effectively by shifting security left, securing the software supply chain and adopting zero trust architectures.

Aqua and HashiCorp in partnership: Enabling cloud native security and zero-trust approaches

This categorization reflects Aqua’s continued commitment to its partnership with HashiCorp; both companies are leading organizations in their respective segments of the cloud native domain.

As a cloud native security pioneer and a leading Cloud Native Application Protection Platform (CNAPP) provider, Aqua recognizes the value that our mutual customers generate from HashiCorp’s tooling for Infrastructure Management (Terraform, Packer), Security (Vault, Boundary), Networking (Consul), and Applications (Nomad, Waypoint, Vagrant).

This new partnership level builds on and extends our longstanding integration with Vault for automated injection of secrets into containers, which maintains security posture and reinforces zero trust architecture. It also enhances support for Terraform configurations and Run Tasks, including parsing and scanning Infrastructure as Code (IaC) for vulnerabilities, misconfigurations, and potential security weaknesses. Aqua’s Terraform integrations help developers shift left by providing actionable remediation alerts and context during the authoring process, and by identifying potential software supply chain security issues through comprehensive artifact scanning in the pre-plan and plan phases.

Why Aqua Security and HashiCorp Collaborate

HashiCorp is a major contributor to enabling cloud native practices for the deployment, operation, and monitoring of infrastructure. HashiCorp has built a reputation by helping customers scale and automate through Terraform, with repeatable deployments and seamless versioning. This allows organizations to fully embrace the scale, elasticity, and flexibility of public cloud with tooling spanning infrastructure, networking, security, and application workload orchestration and workflows.

However, as IaC (Infrastructure as Code) adoption has grown, so too have the security risks. Without the right guardrails and guidance, IaC tools may increase the risk of misconfigurations that expose organizations or move malicious code into production, leaving an opening for an attacker.

Preventing misconfigurations, security policy violations, and operator error in deployment patterns during template authoring, while identifying vulnerabilities before code is moved into production, both improves security posture and reinforces the benefits of IaC. When developing new software, a key element of improving security is providing security feedback as early as possible, as part of a shift left in security practices.

The challenge for security teams is to identify security issues, misconfigurations, and policy violations. They need to communicate clearly to developers the context and severity of the issues while providing resolutions without detracting from the rationale for the adoption of IaC. This optimizes speed, automation, consistency, and often cost.

Organizations also need to scrutinize the proprietary and open-source components they use. This secures the software supply chain, ensures images comply with assurance and risk policies, and confirms that cloud provider and container orchestration platforms are configured according to best practices.

Furthermore, they need to ensure that attacks at runtime are addressed too, including the ever-growing risk posed by zero-day threats such as Log4j or Spring4Shell. Accordingly, Gartner states that ‘Optimal security of cloud native applications requires an integrated approach that starts in development and extends to runtime protection’.

Aqua’s Cloud Native Application Protection Platform is uniquely positioned to mitigate cloud native threats by catering to the multiple sources of potential risk. Providing a single source of truth that consolidates risk insights – including vulnerability findings, IaC misconfigurations and potential security issues, as well as cloud service provider account assessment – helps security teams better collaborate with DevOps, shifting security further left.

Additionally, Aqua’s technical integrations with HashiCorp products Terraform and Vault help ensure users remain secure, compliant, and in a position to fully realize the benefits of cloud native adoption without exposure to risk.

Where we integrate

Secrets

Our integration with Vault helps maintain security posture by automating secrets injection at run time into containers. Because secrets are not written to disk, this reduces the attack surface. All container secrets and associated policies can be centrally managed through Vault, allowing customers to extend zero trust architectures to their runtime environment. The integration also allows for Vault secrets management through the Aqua platform.

Find more info in our earlier article Injecting Secrets – Kubernetes, HashiCorp Vault and Aqua on Azure

Infrastructure-as-Code (IaC) Scanning

Trivy can scan Terraform templates to prevent cloud misconfigurations from being deployed by Terraform and produce results as part of the template authoring process. Read more about Shifting Left: Infrastructure as Code security with Trivy.

The Terraform Cloud run tasks integration introduces Policy-as-Code scanning for Terraform too. This integration reinforces “shift left” by providing actionable remediation and severity context earlier in the development lifecycle to improve security posture. This facilitates DevSecOps practices through the use of assurance and hardening policies for configuration and application artifacts.

Find out more about Trivy Run Tasks for Terraform here.
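To make the plan-phase gate concrete, here is an added example of the kind of Policy-as-Code check a run task applies between `terraform plan` and `terraform apply`. It is not Trivy’s or Aqua’s implementation, and the run task integration itself is not shown: the check logic, the severities and both sample plans are constructed for this illustration. The input shape follows the `terraform show -json` plan format (top-level `resource_changes`, each carrying `change.actions` and the post-apply attributes in `change.after`), with a weak plan beside its corrected counterpart.

```python
"""Plan-phase policy checks over Terraform plan JSON (constructed example).

Added illustration, not Trivy's or Aqua's code. Input follows the
`terraform show -json` plan format; checks and sample plans are constructed.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed weak plan: a public bucket, an unencrypted database, SSH open to the
# world, and one resource being destroyed (its old attributes must not be evaluated).
WEAK_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"engine": "postgres", "storage_encrypted": False,
                              "publicly_accessible": False}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["update"],
                    "after": {"type": "ingress", "protocol": "tcp", "from_port": 22,
                              "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"acl": "public-read"}, "after": None}},
    ],
})

# The same resources with the settings corrected; this plan should pass the gate.
HARDENED_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "private"}}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"engine": "postgres", "storage_encrypted": True,
                              "publicly_accessible": False}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["update"],
                    "after": {"type": "ingress", "protocol": "tcp", "from_port": 22,
                              "to_port": 22, "cidr_blocks": ["10.20.0.0/16"]}}},
    ],
})

WORLD = {"0.0.0.0/0", "::/0"}


def check_s3_bucket(after: dict) -> Iterator[Tuple[str, str]]:
    if after.get("acl") in ("public-read", "public-read-write", "authenticated-read"):
        yield "HIGH", f"ACL '{after['acl']}' grants access outside the account; use acl = \"private\""


def check_db_instance(after: dict) -> Iterator[Tuple[str, str]]:
    if after.get("storage_encrypted") is False:
        yield "HIGH", "storage is unencrypted; set storage_encrypted = true"
    if after.get("publicly_accessible") is True:
        yield "CRITICAL", "database is publicly reachable; set publicly_accessible = false"


def check_sg_rule(after: dict) -> Iterator[Tuple[str, str]]:
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    if after.get("type") != "ingress" or not (cidrs & WORLD):
        return
    lo, hi = after.get("from_port"), after.get("to_port")
    if lo is not None and hi is not None and lo <= 22 <= hi:
        yield "CRITICAL", "SSH (tcp/22) is open to the world; restrict cidr_blocks to trusted ranges"
    else:
        yield "MEDIUM", "ingress is open to the world; restrict cidr_blocks to trusted ranges"


CHECKS = {"aws_s3_bucket": check_s3_bucket, "aws_db_instance": check_db_instance,
          "aws_security_group_rule": check_sg_rule}


def evaluate_plan(plan_json: str) -> List[Dict[str, str]]:
    """Run every applicable check against the post-apply state of each changed resource."""
    findings: List[Dict[str, str]] = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        after = change.get("after")
        # Destroys and no-ops leave nothing to harden; 'after' is null for destroys.
        if after is None or change.get("actions") in (["delete"], ["no-op"]):
            continue
        check = CHECKS.get(rc["type"])
        if check is None:
            continue
        for severity, message in check(after):
            findings.append({"address": rc["address"], "severity": severity, "message": message})
    return findings


def run_task_verdict(findings: List[Dict[str, str]], fail_on=("CRITICAL", "HIGH")) -> str:
    """A run task reports 'passed' or 'failed' to the run; here HIGH and above block apply."""
    return "failed" if any(f["severity"] in fail_on for f in findings) else "passed"


if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN_JSON), ("hardened", HARDENED_PLAN_JSON)):
        results = evaluate_plan(plan)
        for f in results:
            print(f"{f['severity']:<9}{f['address']}: {f['message']}")
        print(f"{label} plan -> run task verdict: {run_task_verdict(results)}")
```

The gate evaluates only `change.after`, because that is the state `terraform apply` would produce; the destroyed bucket keeps its old public ACL in `before` and is correctly ignored. Keying checks on resource type mirrors how policy engines attach rules to providers, and the verdict maps to the pass/fail result a run task returns to the workspace.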

Deployment

Deployment through the Terraform Provider allows security teams to scale their operations and ensure that the Aqua components, like our Enforcer, are integrated into standard build workflows. By reducing operational overhead and managing change through a defined process with governance gates, security teams can use configuration as code to deploy Aqua more broadly, getting better visibility and allowing them to react more quickly with greater clarity when a runtime issue arises.

The Terraform Provider permits configuration of the Aqua Enterprise platform and allows security teams to govern and audit change management. Users can now automate the deployment of their Aqua infrastructure using Terraform as well as manage security changes through version control and CI/CD workflows.

Find more detail about Aqua’s configuration with Terraform.

Use-Case: The Journey to Zero-Trust

Zero Trust approaches to security have emerged as an alternative to traditional methods of enterprise security built around principles of boundary control and access within ‘walled gardens’, which have become redundant in a new cloud context. The complexity, dynamism, scale, and volume that define cloud native computing mean that organizations are exposed to risk unless they take steps to continuously authenticate and authorize every user and resource to eliminate implicit trust.

Containerized systems can incorporate zero trust policies to secure communication within clusters and between containers. Zero trust requires authentication every time a container accesses a service, with containers configured with least privilege access. This strategy prevents attackers from moving between containers and helps contain breaches.

A simple way that users can leverage the combined strengths of Aqua and HashiCorp in the pursuit of zero trust is in Secrets management using Vault.

HashiCorp Vault offers a means to store secrets such as passwords, API keys, tokens, and certificates, control access to them, and distribute them. Aqua scans container images for malware, vulnerabilities, configuration issues, and OSS licensing. It also scans for embedded secrets, ensuring none are left in source code when it is moved into production.
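As an added illustration of the embedded-secrets scan just described, the following example looks for credentials baked into a Dockerfile or an env file instead of being supplied from Vault at runtime. It is not Aqua’s or Trivy’s scanner: the rules, the entropy heuristic and both sample files are constructed here. The AKIA…/wJal… pair is the placeholder key pair from AWS’s own documentation, and the ghp_ value is made up for this example.

```python
"""Embedded-secret detection over build inputs (constructed example).

Added illustration, not Aqua's or Trivy's scanner; rules, heuristic and
sample files are constructed for this example.
"""
import math
import re
from typing import Dict, List

# Rule 1: credentials with a fixed, documented prefix (cheap, low false-positive rate).
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Rule 2: a secret-looking variable assigned a literal value.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Z0-9_]*(?:password|passwd|secret|token|api_?key|access_key)[A-Z0-9_]*)"
    r"\s*=\s*['\"]?(?P<value>[^\s'\"]{8,})",
    re.IGNORECASE,
)
# Values that are templates or runtime references, not secrets: ${VAR}, <fill-me>, changeme.
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_]+\}?|<[^>]+>|changeme|example|xxx+|\*+)$", re.IGNORECASE)
# Rule 3: opaque high-entropy literals in a base64/url-safe alphabet. Hex digests max out
# at 4.0 bits per character, so the strict '> 4.0' threshold leaves sha256 pins alone.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 4.0

# Constructed Dockerfile. Line 3 is the right pattern (a runtime reference resolved by
# secrets injection); lines 4-6 are the anti-pattern. The AWS pair is AWS's documented
# placeholder key pair, not a live credential; the SIGNING_KEY_B64 value is made up.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV APP_ENV=production
ENV DB_PASSWORD=${DB_PASSWORD}
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ARG SIGNING_KEY_B64=Zq8vN3tXw1Lk7pRd2sHy5Gc9Vb4Jm6Fn0Ta
COPY . /app
RUN pip install -r /app/requirements.txt
"""

# Constructed env file: two placeholders that must not fire, one made-up token that must.
SAMPLE_ENV_FILE = """\
API_TOKEN=<your-token-here>
SESSION_SECRET=changeme
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        before = len(findings)
        for rule, rx in PATTERN_RULES:
            if rx.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
        m = ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group("value")):
            findings.append({"path": path, "line": lineno, "rule": "hardcoded-credential",
                             "name": m.group("name")})
        if len(findings) == before:
            # Entropy is the fallback for credentials with no known shape; skip it when a
            # more specific rule already explained the line, to avoid duplicate reports.
            for token in re.split(r"[\s=]+", line):
                if OPAQUE_TOKEN.match(token) and shannon_entropy(token) > ENTROPY_THRESHOLD:
                    findings.append({"path": path, "line": lineno, "rule": "high-entropy-literal"})
                    break
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files({"Dockerfile": SAMPLE_DOCKERFILE, "app.env": SAMPLE_ENV_FILE}):
        print(f"{f['path']}:{f['line']}: {f['rule']}" + (f" ({f['name']})" if "name" in f else ""))
```

The three rule families are ordered by confidence: known prefixes first, named assignments second, and entropy only as a fallback for lines nothing else explained. The `${DB_PASSWORD}` reference is the shape a Vault-backed workflow leaves in the image, and the placeholder filter keeps it, and template values like `<your-token-here>`, out of the findings.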

When required, Aqua securely transfers secrets from Vault to containers at runtime, encrypted at rest and in transit, and places them in memory with no persistence on disk so they are only visible to the relevant container. Using Aqua integrated with Vault, users can revoke, update, and rotate secrets without restarting containers or exposing secrets through the DevOps pipeline.

Additionally, users can maintain extensive event logging and reporting—granular audit trails of access activity, scan container commands, events and coverage, container activity, system events, and secrets activity.

In this example, zero-trust is enabled in that secrets are stored in a secure location (not in code), accessed, and distributed to the target location in an automated manner with no interruption of service, permitting the authentication of containers in runtime and providing an audit trail of the activity.

Conclusion

Aqua and HashiCorp’s technical alliance is built on a shared goal of enabling customer organizations to adopt cloud in a scalable and secure manner. Our combined capabilities provide an environment in which customers can develop cloud native applications without being exposed to risk in the supply chain, in code, in infrastructure provisioning, or at runtime, putting customers in a better position to realize the speed, scale, and agility benefits of cloud adoption.


Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies for more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.