Gartner’s 2020 Market Guide to Cloud Workload Protection Platforms
If you’re looking for the reference on how to protect cloud resources, check out Gartner’s recently published Market Guide for Cloud Workload Protection Platforms*. It outlines the core capabilities and key architectural considerations that buyers must evaluate when protecting hybrid cloud workloads.
In this report, which also highlights Aqua Security, Gartner notes that: “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.”
Among the recommendations, Gartner suggests that security and risk professionals should:
- Proactively extend workload testing (especially with containers and serverless) into the CI/CD pipeline. Cloud Workload Protection Platform (CWPP) offerings that only focus on runtime protection are missing the critical shift in how applications and the workloads that host them are being developed.
- Favor CWPP vendors who specialize in container orchestration monitoring and serverless functionality.
- Architect for consistent visibility and control of all workloads regardless of location, size or architecture.
- Require CWPP vendors to offer integrated Cloud Security Posture Management (CSPM) capabilities to identify risky configurations.
- At runtime, replace antivirus-centric strategies with a “zero-trust execution”/default-deny approach to workload protection where possible, even if used only in detection mode.
Let’s elaborate on these cloud security needs and how Aqua addresses them.
Shifting Left into CI/CD
Containers and microservices deliver incredible speed and flexibility, with Continuous Integration and Continuous Delivery (CI/CD) becoming the standard for IT teams. This increased velocity of new code being pushed out requires better control over the attack surface and incorporating security earlier into the development phase to enable security issues to be detected early and fixed quickly, before applications are deployed.
Aqua provides this capability for all cloud native workloads: scanning container images, VM images, and functions for known vulnerabilities, embedded secrets, malware, configuration issues, and over-provisioned permissions, integrating directly into the CI pipeline as well as into registries and function stores. Additionally, Aqua DTA (Dynamic Threat Analysis) detects images carrying hidden malware that evades static scanning and prevents them from being deployed to production environments, “shifting left” incident response.
Native Controls for Containers and Serverless Functions
Cloud native presents a fundamental shift in architecture. Older security solutions use installed host-based agents and network-based controls that lack the application context and appropriate control points within the new stack. Without these capabilities, it is impossible to adequately detect threats and respond to them.
Aqua was natively architected for containers and serverless, providing full visibility and automated control over workload activity across the entire lifecycle, while remaining transparent and unobtrusive to DevOps. With dedicated instrumentation for each type of workload (the Aqua Enforcer family), Aqua provides security controls that follow the workload wherever it runs, whether it’s a container or a function. This makes it possible to provide granular security that doesn’t disrupt application continuity and is optimized for performance.
Providing Visibility Across All Workloads
These days, almost every cloud native enterprise deployment uses multiple types of workloads, often across multiple or hybrid clouds, and sometimes using more than one management platform (e.g., Red Hat OpenShift but also Tanzu Application Service).
At Aqua we’ve been zealous about supporting all popular platforms and types of workloads, providing a unified view of vulnerabilities, policies, and events across all your environments. We also recognize that many teams and stakeholders are involved, and developed our Aqua RBAC model so that organizations can define access and permissions for all elements within their cloud native environment, while maintaining separation between teams and roles.
Combining CWPP and CSPM
While CWPP secures the cloud native applications (workloads) that you run, CSPM helps you secure the infrastructure on which you run it. This provides protection of your cloud infrastructure and verifies that your cloud services are configured securely. More than just complementing each other, these combined services are essential to provide security and visibility both across and up and down your cloud stack.
With Aqua CSPM, you can continually monitor for security configuration issues, automate controls, and get remediation advice and automation. It supports all major public clouds including AWS, Azure, GCP, and Oracle. It examines user roles and privileges, certificates & MFA, specific service configurations, data encryption, networking, auditing features, usage trends, and conducts anomaly detection. As it monitors your environment, it provides alerts for remediation and reports on regulatory compliance and the CIS benchmarks.
Using Zero Trust in Runtime Protection
Zero trust security allows organizations to deterministically ensure that their applications are running in the most secure way possible. This helps organizations to reduce the attack surface and makes the reactive controls that complement it (detection and response) more effective, since it reduces the number of events they need to address. Zero trust can be applied to configurations, workload deployment, workload runtime protection, and networking - Aqua provides controls for all these aspects:
- Aqua Image Assurance policies define the level of tolerance of what is or is not acceptable in your environment and prevent unapproved images, VMs, and functions from being deployed, preempting operational errors, image sprawl, and rogue deployments.
- Aqua’s Workloads Firewall implements micro-segmentation in workloads by automatically suggesting dynamic firewall rules based on orchestrator concepts (pod name, namespaces), IP/CIDR addresses, and DNS, ensuring that only connections deemed legitimate are allowed, and alerting on or blocking network traversal attempts.
- Drift Prevention enforces container and function immutability and detects unapproved changes to running workloads. Least-privilege allow-lists identify and block malware and zero-day exploits, and detect and prevent anomalous behavior, privilege escalation, and code injection.
- Aqua can automatically profile the runtime behavior of a container and use this information to build an Image Profile: an allow-list for specific containers that blocks them from executing runtime activities outside that profile. For example, Aqua can profile the system calls a container uses at runtime and allow only those, blocking the rest to prevent container escape attempts.
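As an added illustration of the syscall allow-list idea in the last item (example code written for this page, not Aqua’s own tooling or profile format), the script below turns a constructed profiling trace into a Docker/Kubernetes seccomp profile. The trace format and the baseline syscall set are assumptions; the `enforce=False` variant logs unknown syscalls instead of blocking them, matching the “detection mode only” rollout the Gartner recommendations allow for.

```python
"""Build a container seccomp allow-list from an observed syscall trace."""
import json

# Constructed sample: "syscall count" lines from one profiling run of a small
# web service (hypothetical format, not real profiler output).
OBSERVED_TRACE = """\
read 4120
write 3988
openat 17
close 19
mmap 12
futex 201
epoll_wait 1500
accept4 42
"""

# Assumed baseline: syscalls a process needs to start and exit cleanly even if
# the trace never showed them; omitting them makes the profile break the app.
BASELINE = {"execve", "exit", "exit_group", "rt_sigreturn", "brk", "arch_prctl"}


def parse_trace(trace):
    """Return the set of syscall names seen in the trace, ignoring bad lines."""
    names = set()
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            names.add(parts[0])
    return names


def build_profile(observed, enforce):
    """Seccomp profile that allows the observed syscalls and denies (or logs) the rest.

    enforce=False is the detection-mode rollout: unexpected syscalls are logged
    (SCMP_ACT_LOG) instead of failing with an errno (SCMP_ACT_ERRNO).
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO" if enforce else "SCMP_ACT_LOG",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(observed | BASELINE), "action": "SCMP_ACT_ALLOW"}],
    }


def decide(profile, syscall):
    """Action the kernel would take for one syscall under this profile."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    prof = build_profile(parse_trace(OBSERVED_TRACE), enforce=True)
    print(json.dumps(prof, indent=2))
    print("ptrace ->", decide(prof, "ptrace"))  # not in the allow-list, so denied
```

Run the logging variant against real traffic first and add any syscalls it reports before switching to enforce mode; a single profiling run rarely exercises every code path.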
Bringing it All Together
As enterprise requirements continue to evolve around cloud native security, the need to fully exploit the cloud’s capabilities without compromising on security is also growing. Software vendors are expected to deliver a powerful and unified solution that addresses security concerns up and down the stack, throughout the SDLC, and across multiple platforms - and Aqua has risen to that challenge.
* Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, Tom Croll, 14 April 2020