Last month at VMWorld we had the pleasure of being part of a next-generation security session given by VMWare’s SVP of Security Products, Tom Corn.
VMWare is of course no stranger to containers, and already has hybrid platforms running both VMs and containers side by side. The gist of VMWare’s next gen approach is what they call “The Goldilocks Model”, where there’s a layer on the hypervisor that can also access elements of what’s running on Guest VMs to get a manifest of application security privileges. This allows for the ability to exercise ‘least privilege’ in the context of the application, feeding from various sources including, of course, containers.
This approach is very much aligned with Aqua’s own security model, where we use both default and machine-learned container profiles to enforce and tighten the ‘least privilege’ principle in runtime.
We also use a similar approach to VMWare’s in providing application context, by tagging containers to specific applications. This allows for easier, contextual policy management as well as automated nano-segmentation of container network connections.
VMWare customers run applications on both VMWare VMs and Docker containers, and require a unified way to secure these environments from a policy management and visibility perspective.
To that end, we created an integration with VMWare's next generation console. The integration is bi-directional and allows customers to do two things:
You can view the full video of the presentation and live demo at the bottom of this blog (set to start at the point where Tom and Chris Corde, Sr. Director of Security Products, show how Aqua is works seamlessly with Goldilocks).
In the demo shown by VMWare, they created an actual application that mimics an online mortgage application. Chris is an attacker trying to breaking into the app and reset his mortgage debt.
Goldilocks can integrate with various security solutions, both VMWare’s own as well as 3rd party vendors for endpoint security or container security, demonstrated in the demo.
For example, Chris tries to run an executable from within a container, which would normally be permitted. But under the restrictive Aqua policy, the container can only run specific executables and not the one Chris tries to run.
Consider this demo a glimpse into the not-so-distant future of application and virtual datacenter security, courtesy of VMWare. However, I’d like to note that all Aqua features shown in this demo are available now, and you are welcome to see them for yourself by requesting a demo.
Aqua Security enables enterprises to secure their container-based and cloud-native applications from development to production, accelerating container adoption and bridging the gap between DevOps and IT security.
Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.