Secure Apps Across VMs and Containers with Aqua and VMware AppDefense
Best-of-Breed Security for Hybrid Environments
Today we announced a new partnership with VMware, based on their AppDefense solution. The combined offering provides a least-privilege security solution for applications running across containers and VMs. VMware, known of course for its virtualization technology, has deep understanding and visibility into VM configuration, workloads and processes, which puts them in an optimal position to secure those VMs using their hypervisor-based visibility, coupled with integration with DevOps systems, artificial intelligence and machine learning applied to massive data sets. This enables AppDefense to understand the intended state of a distributed application and help customers achieve Cyber hygiene at scale.
Similarly, we at Aqua have unparalleled visibility into the contents of containers, since our solution works across the entire container lifecycle, controls image contents and flow, and monitors and learns container activity in the context of the application. We understand how to apply least privilege to containers, and have the controls in place to enforce it at the container level.
Together, Aqua and VMware AppDefense provide a best-of-breed solution for combined environments, adopting the same least-privilege and whitelisting approaches to protect workloads against both known as well as unknown threats.
Those among you who've been following us for a while know that this has been brewing for a long time. VMware demoed a proof-of-concept of this integration at VMworld back in September 2016. Both companies have come a long way since, and now we can present a mature, highly integrated solution. You can also read more about this in Tom Corn's (SVP security product at VMware) blog post.
How Do AppDefense and Aqua Work Together?
The combined solution allows security teams to manage their security policy for VMs and containers within AppDefense, as well as view and respond to policy violations from Aqua within AppDefense. Let's see how it works.
Aqua serves as a collector of policy violation data for AppDefense at the container level. Based on Services defined in container environments (usually in the orchestrator), you can set a scope for a policy. In this example we use a "streaming" app grouped into three tiers, each constituting a service:
These services are mapped into AppDefense, as you can see below.
Now let's look at the violation policy. In Aqua, you can see that someone attempted a user ID change, which triggered both an alert and a block action to prevent an unauthorized user from accessing the container which is part of the streaming-web service:
In AppDefense, the same alert is shown as an Aqua Alarm, citing UID change as the action that caused it:
What About Policy Management?
The AppDefense / Aqua integration is actually bi-directional, allowing AppDefense to inherit and display the policy from Aqua's image runtime profiles, but also tweak them in a very easy way.
Aqua's Image Profiles are set either manually or using Aqua's machine learning capabilities, or a combination of both. They include controls for inbound and outbound networking, read only files and directories, allowed executables, host resource limits, volumes access, user inside the container, and more.
In AppDefense, there's a cool UI that shows the rules of the Aqua image runtime profile as a series of on/off switches. Once the policy is inherited from Aqua, it's possible to tune it from within AppDefense in order to rationalize policy across various services and modes of deployment.
So there you have it - an integrated, highly scalable approach to securing VMs and containers through a combined solution, with unparalleled visibility and control, leveraging the best that the leader in virtual infrastructure and security can offer, together with Aqua's expertise in cloud-native and container security.
The combined VMware AppDefense / Aqua solution will be GA by early July, and in the meantime if you are interested in testing it, don't hesitate to contact us!