Run Secure Applications on OpenShift with IBM Power Systems

As an important component of end-to-end application modernization and hybrid cloud adoption, Aqua Security integrates with OpenShift on Power to provide tools to help customers further secure the full lifecycle of Red Hat OpenShift containerized workloads.

Aqua has teamed up with IBM Power Systems as the first cloud native security PartnerWorld partner for OpenShift on IBM Power, ensuring that customers can take advantage of the high-performance, scalable engine for containerization. These capabilities are available to customers that deploy OpenShift on Power9 and Power10 servers.

Accelerating app modernization and hybrid cloud adoption

With Red Hat OpenShift running on Power, customers can take advantage of a powerful and flexible platform for modernizing their applications as well as developing and deploying new cloud native apps in a hybrid cloud infrastructure.

Aqua Security and IBM Power are teaming up to complement Red Hat OpenShift’s existing security capabilities, providing layers of security for containerized workloads across clusters that are deployed on-premises and in public or managed clouds.

Power10-based systems, in particular, support end-to-end security with accelerated cryptographic performance, transparent memory encryption, and enhanced defense against return-oriented programming attacks. Power10-based systems allow customers to run more containerized software on fewer servers, delivering significant improvements in performance and economics for cloud native applications – and a compelling set of reasons to move forward with application modernization.

A modern security approach for application modernization

As IBM Power customers shift to hybrid cloud developments and deploy more containerized applications, they need a security approach that is designed for how cloud native applications are developed, deployed, and run in production.

Many Aqua customers use Red Hat OpenShift as their Kubernetes platform to orchestrate and manage containerized applications, especially in hybrid deployments that span on-premises and public cloud environments. Customers use Aqua’s centralized management to define and enforce policies across clusters and protect workloads wherever they run.

However, Kubernetes can be a complex environment, extending across the underlying OS, clusters, master nodes, worker nodes, APIs, pods, and namespaces. And the complexity grows in tandem with the range of workloads running on the platform. In addition, attackers can exploit vulnerabilities in container images that run on the Kubernetes worker nodes or embed malware in the image via software supply chain attacks to gain access to the cluster.

In turn, enterprises need a consistent set of controls to manage who gets access to each of these Kubernetes elements, in line with their role, as well as to enforce security and compliance policies. The Kubernetes platform itself provides many controls that can greatly improve application security, and independent, third-party frameworks such as the Kubernetes CIS Benchmark serve as a guide for best practices.

Configuring these controls correctly and consistently, hardening the environment, and dealing with the complexities of the environment at scale require specific expertise – and tools that help customers leverage and extend that expertise. Complete security coverage, consistent visibility, and ongoing compliance enforcement involve taking a holistic approach to the full life cycle of applications running on Kubernetes, securing them at the container, workload, and infrastructure levels.

Red Hat OpenShift already provides out-of-the-box capabilities to address many of these complexities, including built-in platform configuration, compliance, and life cycle management, and integrated build and CI/CD tools for more secure DevOps practices. The platform also meets the majority of the Kubernetes CIS Benchmark recommendations. As a Red Hat partner, Aqua Security further builds on this foundation with additional layered security offerings.

Aqua’s cloud native security for OpenShift on Power

Aqua extends OpenShift’s native capabilities with tools for risk-driven vulnerability management and container image scanning. It supplements OpenShift’s Compliance Operator with additional capabilities to enforce assurance and compliance policies for cluster and admission controller configurations and to protect Kubernetes and containerized workloads at runtime. Aqua also provides a dynamic, real-time, logical view of running workloads in Kubernetes environments and associated security-risk insights.

Aqua’s approach is to leverage native Kubernetes capabilities such as admission controllers where it makes the most sense and augment them with more stringent controls and policy management made for security teams.

Combining Aqua’s frontline research and innovative open source contributions, the Aqua Platform offers a robust commercial product to further protect OpenShift cloud native applications running on IBM Power.

For enterprises that are enabling OpenShift on IBM Power and want to solidify their development and quality assurance process before migrating workloads to production, Aqua’s robust open source portfolio, including kube-bench, kube-hunter, Starboard, and Trivy, can help newer DevOps teams establish consistent Kubernetes-native security toolkits.

For customers that are embracing Red Hat OpenShift on Power for application modernization and hybrid cloud, Aqua’s unified, holistic platform helps mitigate the risks across the application life cycle in hybrid environments by delivering consistent visibility, build and image security, Kubernetes container orchestration infrastructure protection, and runtime policy enforcement.

Aqua’s customers using OpenShift on Power can now do the following:

  • “Shift security left” by scanning images for vulnerabilities, secrets, and malware directly in the CI/CD pipeline and image registries to provide complete risk analysis and rapid remediation. Aqua integrates directly with the Red Hat OpenShift Container Platform registry.
  • Manage OpenShift security posture by performing ongoing assessment based on the Kubernetes CIS Benchmarks, penetration testing, compliance policies, and custom rules to identify and alert on misconfigurations and security issues.
  • Automate OpenShift workload assurance by auto-discovering OpenShift resources and evaluating workloads for security risks and conformance with security and compliance policies through Aqua’s Starboard open source project.
  • Enforce OpenShift workload protection at runtime by validating and blocking non-compliant workloads and unregistered images with the Aqua kube-enforcer admission controller policies.
  • Maintain risk-based insights and security posture visibility by leveraging Kubernetes-native components across OpenShift clusters. Get real-time visibility into namespaces, deployments, nodes (hosts), pods, and containers and enable vulnerability management prioritization.
  • Enforce role-based access control (RBAC) for complex, multi-tenant environments and limit the use of default policies.
  • Apply consistent controls on any orchestration platform and across cloud providers, with support for multi-cloud and hybrid environments.

By the close of the second quarter of 2022, Aqua will also support container runtime security and automated compliance for OpenShift on IBM Power. This will enable customers to do the following:

  • Safeguard against unauthorized changes to the originating image’s processes, network connections, and user activities with container immutability enforcement.
  • Enforce network segmentation to limit the blast radius, block connections to IP addresses and DNS domains with suspicious reputations, and protect against crypto-mining attacks.
  • Ensure that the RHEL OS and the OpenShift Kubernetes Engine versions are up-to-date and fully patched by scanning OpenShift hosts running on ppc64le architecture for malware and vulnerabilities and performing host integrity checks and CIS Benchmark tests.
  • Maintain file integrity monitoring by providing a complete audit trail of any changes made.

Summary

Customers can now take advantage of the performance, scale, end-to-end security, and cost benefits delivered by OpenShift infrastructure on IBM Power, while addressing cloud native security and compliance concerns at scale with Aqua’s support for the new architecture and extended OpenShift on Power container and Kubernetes workload runtime protection capabilities.

Aqua Security builds on IBM Power’s advances in security to help customers mitigate the risks across the application lifecycle in hybrid environments by delivering consistent visibility, build and image security, Kubernetes infrastructure protection, and runtime policy enforcement.

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.