Finally Delivering on Bill Gates’s Trustworthy Computing
[ Upesh recently joined the Aqua team as our VP of Business Development. Upesh has an amazing track record in the cybersecurity space in getting innovative start-ups embedded with major IT vendors and ecosystem players. This is his “30 days at Aqua” blog - Rani ]
How long have security practitioners been trying to engage the application developers to not only build secure code, but also to test all environments where that code will execute to limit their threat exposure?
Bill Gates famously penned a Memo 5 years ago where he declared Trustworthy Computing the highest priority for all the work Microsoft was doing. At the time, Mr. Gates & Microsoft were promoting the .NET architecture as the platform to deliver this new Trustworthy Computing. While this architecture was useful for the developer, it did not really address the needs of the IT & Security operations staff.
More recently, virtualization presented a runtime architecture, whereby we decouple the application & OS from the infrastructure/underlying hardware, to deliver on Trustworthy Computing. This was great for the operations team: they now had the ability to isolate critical applications and optimize them for scale.
Today, we are seeing rapid acceptance and adoption of Container technology which has taken virtualization a step further by decoupling the application from the OS. More importantly, this new container architecture provides portability, cloud-scalability and finally a true platform to deliver Trustworthy Computing for the enterprise.
I’m thrilled to be here at Aqua Security to build out the technical and business partnerships needed to integrate our security platform with the myriad of other technologies, tools and products from other vendors across this devops/security industry. Integrating our platform with the leading products and tools that Developers, IT Operations and Security Practitioners use, on a daily basis, will ensure that security is baked into the application, the runtime environment and the security monitoring/alerting systems used in the enterprise.
Like all good platforms, the Aqua Container Security Platform provides programmatic access to all its functions & capabilities through standard web APIs. I like the way our marketing team defines the 3 components of the platform – Shift Left, Shrink-Wrap, Prevent.
Shift Left
Here we address the developer and the integration of our platform with CI/CD tools such as Jenkins and Microsoft Visual Studio, allowing developers to automatically scan their image for security issues, and to ensure there are no known vulnerabilities, insecure configurations or hard-coded passwords in their image prior to submitting it to the repository. Shift left implies that security checks are now moving into the development process. Gartner recently recommended this in their March 2017 report entitled Market Guide for Cloud Workload Protection Platforms:
“Require vendors to API-enable security protection functions to be automated and integrated into DevSecOps-style workflows for scanning prior to deployment.”
Shrink-Wrap
This is where we truly bake our security sauce into the application by building a security policy that locks the image to use only the services & resources it needs to function, also known as applying least privilege. Here we are integrated into various orchestration, registry and security products that allow us to lock down and secure the deployment of the container. We also have the ability to integrate with and enforce existing network & host-based security policies. These are the tools that the IT Operations staff utilize to deploy container-based applications.
Prevent
Continuous monitoring of images to ensure newly discovered vulnerabilities are not exploited in the application is a critical security control provided by Aqua, but that’s only the beginning. Stopping suspicious activities within a container at a very granular level, without killing that container or the application, gives the security practitioner the confidence to use enforcement mode without being bombarded with false positives or overly aggressive blocking. Like all good citizens in the security ecosystem, Aqua has already integrated with your existing security information & event management (SIEM) systems, like Splunk, IBM QRadar and Sumo Logic, which is critical to ensure the security practitioner has visibility into the system.
We have a great opportunity in the industry to finally bake security into the next generation of container-based applications and truly deliver on Bill’s promise of Trustworthy Computing. I’m really looking forward to working with all the vendors in this hyper-growth Container Ecosystem moving forward as well as engaging with the security industry to deliver on this promise.