Aqua 4.0 release also tightens Linux host protection and compliance on the heels of recent vulnerability disclosures
Boston, MA – 4 March 2019 – Aqua Security, the leading platform provider for securing container-based and cloud native applications, announced today the availability of version 4.0 of the Aqua cloud native security platform, introducing new security and compliance controls for serverless functions and Linux hosts. As enterprise development and deployment of cloud native microservices-based applications continue to accelerate, Aqua enables security teams to manage and enforce security policies across a blend of VM-based containers, Containers-as-a-Service (CaaS) and Function-as-a-Service (FaaS) spanning both multi-cloud and on-premises environments.
Gartner Distinguished VP Analyst, Neil MacDonald, notes that “securing serverless will force information security and risk professionals to focus on the areas we retain control over. Specifically, the integrity and assurance of the code, identities of the code and developers, permissioning, and serverless configuration, including network connectivity.”
(Gartner, Security Considerations and Best Practices for Securing Serverless PaaS, 4 September 2018, by Neil MacDonald)
Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts, scan them for vulnerabilities, detect excessive permissions and configuration issues, and provide function assurance – preventing the execution of untrusted or high-risk functions based on defined policies. The key controls for serverless environments include:
- Functions discovery: Creating an inventory of functions stored across cloud accounts.
- Vulnerability scanning: Deep scanning of a functions packages and dependencies for known vulnerabilities (CVEs), based on multiple sources and supporting multiple programming languages.
- CI/CD Integration: “Shifting left” beyond scanning existing functions, Aqua provides development teams with plug-ins for Continuous Integration environments to detect security issues as functions are being built.
- Permissions Assessment: Identifying use of excessive or over-provisioned permissions specific to the serverless cloud environment, and monitoring for unused permissions –reducing the potential attack surface of a function.
- Sensitive Data Assessment: Detecting secrets and hard-coded keys within the functions themselves, or within environment variables, specific to the cloud environment – for instance AWS credentials or Azure Authentication keys.
- Function assurance: Security teams can set policies to determine the risk threshold to allow or disallow function execution, based on a variety of factors including CVE severity, CVSS score, sensitive data, and permissions.
- Function anomaly detection: Monitoring of function usage patterns and alerting on sudden spikes in the frequency or duration of function execution.
Another significant addition to the Aqua platform is tighter controls to secure the Linux hosts that run containers. This addresses potential risks from vulnerabilities such as the one discovered earlier this year when a severe new vulnerability (CVE-2019-5736) was disclosed in runc, a component used in most container runtimes which is part of Linux OS distributions, highlighting the need for securing the container stack at both the workload and host levels.
“The new technologies supporting cloud native applications require a holistic approach to security and compliance, across the application lifecycle as well as up and down the stack, and this has become more evident in recent months with significant vulnerabilities discovered in Kubernetes and runc for example,” notes Amir Jerbi, CTO and co-founder at Aqua Security. “With this new release from Aqua, our customers can protect their applications against those, as well as yet undiscovered vulnerabilities by implementing tight compliance and whitelisting-based zero-trust security.”
Aqua 4.0 builds on previous Aqua host protections that already included testing hosts according to CIS (Center for Internet Security) benchmarks, scanning hosts for known vulnerabilities, and monitoring user logins, to provide:
- Malware Scanning: Detecting malware in the host OS, or any of its components.
- Vulnerability scanning: Scanning for CVEs found in the host OS, or any of its components.
- Whitelisted and Blacklisted Users and OS Packages: Security teams can specify which types of users and OS packages are either allowed or forbidden from being used on a host.
- User Activity Monitoring: Aqua now logs all user commands on the host OS for security and compliance tracking (in addition to the previously available user logins and login attempts tracking).
- CIS Benchmarks Testing: Having achieved CIS certification for its Kubernetes benchmark, Aqua now provide detailed information on each benchmark test success/failure to provide teams with remediation information.
- Custom Benchmark Scripts: Enabling the upload of scripts that customize benchmarks to account for configurations that aren’t supported in the standard CIS benchmarks, including Kubernetes clusters on Red Hat OpenShift.
- Host Assurance: Allowing to set policies that will determine a threshold for host compliance and security risk based on the results of the above scans and checks and generate alerts and audit events upon policy violations.
Aqua CSP v4.0 will be generally available in mid-March for existing customers and new deployments.
About Aqua Security
Aqua Security enables enterprises to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security. Aqua’s Cloud native Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance. Aqua was founded in 2015 and is backed by Lightspeed Venture Partners, Microsoft Ventures, TLV Partners, and IT security leaders, and is based in Israel and Boston, MA. For more information, visit www.aquasec.com or follow us on twitter.com/AquaSecTeam