New Kubernetes security posture management (KSPM) and agentless runtime protection empower organizations to defend K8s-based applications against multiple threats

Aqua Security announced a suite of new Kubernetes-native security capabilities, providing a holistic approach to securing applications that run on Kubernetes across the development, deployment, and runtime phases of the application lifecycle. The company also announced significant new features in its Cloud Security Posture Management (CSPM) solution. These new capabilities are integrated into Aqua’s cloud native security platform, covering the spectrum of deployment options across containers, VMs, and serverless functions.

In a recent research note, Michael Isbitski and Frank Catucci from Gartner assert that “Kubernetes’ inherent complexity often leads to outdated versions and misconfiguration by organizations, making clusters susceptible to compromise. Though some security mechanisms are included by design, K8s by itself is not a security offering, and security settings aren’t always enabled by default. Protecting a K8s cluster is a significant undertaking, requiring both substantial understanding of the underlying technology and engineering expertise to configure it all.”

Kubernetes Security Posture Management (KSPM)

Aqua’s new Kubernetes security solution addresses the complexity, and the short supply of engineering expertise, involved in configuring Kubernetes infrastructure securely by introducing KSPM (Kubernetes Security Posture Management): a coherent set of policies and controls that automate secure configuration and compliance. Aqua also now offers agentless runtime protection that uses Kubernetes itself to deploy security controls into Pods, leveraging and extending capabilities native to Kubernetes. “Agentless” here means no node-level agent is installed; the controls are delivered inside the Pod through the Kubernetes API rather than through a privileged component on each host.

“The large-scale use of Kubernetes, as well as developments in the threat landscape, necessitate a comprehensive approach to securing applications that goes beyond generic benchmarks, providing seamless workload protection in runtime,” noted Amir Jerbi, CTO and co-founder at Aqua. “We’ve been working with our enterprise customers to make it easier to securely deploy and seamlessly protect applications that run on Kubernetes, while complementing our existing capabilities in Kubernetes and container security.”

New KSPM capabilities

  • Kubernetes Assurance Policies: With more than 20 predefined rules available out of the box, plus the ability to write custom rules in OPA (Open Policy Agent) Rego, these policies define which Pods may be deployed in a cluster based on multiple parameters of the Pod specification. They work in conjunction with Aqua’s Image Assurance Policies, so that which containers run in the cluster is governed both by image contents and image configuration and by Pod configuration.
  • Kubernetes Roles and Subjects Assessment: Reduces the administrative overhead of maintaining Kubernetes user and service account privileges by identifying risky RBAC grants and suggesting their remediation. This closes least-privilege gaps while reducing the need for scarce Kubernetes security expertise.
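To make the two bullets above concrete, here is an added example, not Aqua’s code, of what a KSPM-style check does when it evaluates manifests: a set of Pod assurance rules (which Pods may be admitted) and a roles-and-subjects assessment over RBAC objects. Aqua expresses its rules in OPA Rego; this example implements equivalent logic in plain Python over manifests already parsed into dicts. The rule names, the high-risk verb/resource table and the sample manifests are all this example’s own assumptions.

```python
"""Added example (not Aqua's code): a minimal KSPM-style checker that applies
Pod assurance rules and a least-privilege assessment to Kubernetes manifests
parsed into dicts. Rule names, the HIGH_RISK table and the sample manifests
are this example's own assumptions, not Aqua's predefined rules.
"""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}   # assumed list

def check_pod(pod):
    """Return (rule, detail) violations for one Pod manifest; empty means admit."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append((f"no-{key}", f"pod sets {key}: true"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(("no-privileged", f"{name} is privileged"))
        if sc.get("allowPrivilegeEscalation", True):            # Kubernetes default is true
            violations.append(("no-privilege-escalation", f"{name} allows privilege escalation"))
        # A container-level runAsNonRoot overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            violations.append(("run-as-non-root", f"{name} may run as root"))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]                           # drop registry/repo path
        if ":" not in last or last.endswith(":latest"):          # no tag, or floating tag
            violations.append(("pinned-image", f"{name} uses unpinned image {image!r}"))
        added = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add", [])}
        if added & DANGEROUS_CAPS:
            violations.append(("no-dangerous-capabilities", f"{name} adds {sorted(added)}"))
    return violations

def admit(pod):
    """Admission decision: allow only when every rule passes."""
    return not check_pod(pod)

# (verb, resource) pairs that amount to credential theft or cluster takeover.
HIGH_RISK = {
    ("*", "*"): "wildcard verbs on wildcard resources (cluster-admin equivalent)",
    ("get", "secrets"): "read Secrets",
    ("list", "secrets"): "list Secrets (returns their contents)",
    ("create", "pods"): "create Pods (hostPath mounts, privileged containers)",
    ("create", "pods/exec"): "exec into running Pods",
    ("bind", "clusterroles"): "bind ClusterRoles beyond own permissions",
    ("escalate", "clusterroles"): "grant permissions not held",
    ("impersonate", "users"): "act as any user",
}

def assess_role(role):
    """Return (permission, why) findings for a Role or ClusterRole."""
    findings = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        for (verb, resource), why in HIGH_RISK.items():
            if (verb in verbs or "*" in verbs) and (resource in resources or "*" in resources):
                findings.append((f"{verb} {resource}", why))
    return findings

def risky_subjects(roles, bindings):
    """Map 'Kind:name' subjects to the findings of every role bound to them."""
    by_role = {r["metadata"]["name"]: assess_role(r) for r in roles}
    out = {}
    for b in bindings:
        for s in b.get("subjects", []):
            for f in by_role.get(b["roleRef"]["name"], []):
                out.setdefault(f'{s["kind"]}:{s["name"]}', []).append(f)
    return out

# Constructed sample manifests (not from any real cluster).
BAD_POD = {"kind": "Pod", "metadata": {"name": "debug"},
           "spec": {"hostPID": True, "containers": [{"name": "shell", "image": "busybox:latest",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "web"},
            "spec": {"securityContext": {"runAsNonRoot": True},
                     "containers": [{"name": "web", "image": "registry.example/web@sha256:" + "a" * 64,
                                     "securityContext": {"allowPrivilegeEscalation": False}}]}}
ADMIN_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
              "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
READER_ROLE = {"kind": "Role", "metadata": {"name": "cm-reader"},
               "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}
BINDINGS = [{"roleRef": {"name": "ops-admin"},
             "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
            {"roleRef": {"name": "cm-reader"}, "subjects": [{"kind": "User", "name": "alice"}]}]

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "admit" if admit(pod) else "deny", check_pod(pod))
    print(risky_subjects([ADMIN_ROLE, READER_ROLE], BINDINGS))
```

Two details matter in practice. `allowPrivilegeEscalation` defaults to true, so a rule that only checks for an explicit `true` misses most Pods; the check above treats absence as a violation. On the RBAC side, wildcards in either `verbs` or `resources` must be expanded before matching, otherwise a `verbs: ["*"]` role slips past a literal lookup for `get secrets`. The example ignores `apiGroups` and aggregated ClusterRoles, which a production assessment would also need to resolve.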

These new capabilities join Aqua’s existing certified CIS benchmark testing (powered by Aqua’s open source Kube-Bench) and penetration testing (powered by Aqua’s open source Kube-Hunter), giving enterprises comprehensive insight into the security posture of their Kubernetes clusters and the ability to address gaps efficiently without specialized expertise.

Enhanced security extensions

With its new Kubernetes Runtime Protection module, Aqua introduces a new model for deploying runtime security controls in a Kubernetes cluster, complementing its existing container runtime security deployment options. The new model uses a Kubernetes admission controller to inject and govern sidecar containers within Pods, much as service meshes inject the Envoy proxy as a sidecar. Because the sidecar runs inside the Pod rather than on the node, deployment can be automated through the API server and requires no privileges on the node’s host OS, while still providing dynamic runtime controls such as container drift prevention, behavioral controls, and network controls.
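The mechanism described above, as an added example that is not Aqua’s code: the decision logic of a mutating admission webhook that appends a locked-down sidecar to each incoming Pod and returns the change as a base64-encoded JSON Patch, which is the form the API server expects. Only the pure AdmissionReview-in, AdmissionReview-out function is shown; serving it over TLS and registering a `MutatingWebhookConfiguration` are left out. The sidecar image and the annotation names are this example’s assumptions.

```python
"""Added example (not Aqua's code): the decision logic of a mutating
admission webhook that injects a runtime-protection sidecar into Pods.

Only the pure AdmissionReview -> AdmissionReview function is shown; serving
it over HTTPS and registering a MutatingWebhookConfiguration are left out.
The sidecar image and the annotation names are this example's assumptions.
"""
import base64
import copy
import json

SIDECAR_NAME = "runtime-agent"
SIDECAR_IMAGE = "registry.example/runtime-agent:1.4.2"     # assumed, pinned tag
OPT_OUT_ANNOTATION = "example.com/inject"                  # assumed; "false" skips injection
STATUS_ANNOTATION = "example.com/runtime-agent-status"     # assumed; records injection

def build_sidecar():
    # The sidecar shares the Pod's namespaces, so no host-level privilege is
    # needed and the container itself can be fully locked down.
    return {
        "name": SIDECAR_NAME,
        "image": SIDECAR_IMAGE,
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}},
    }

def _pointer(key):
    # RFC 6901 escaping: '/' inside an annotation key must become '~1'.
    return key.replace("~", "~0").replace("/", "~1")

def mutate(review):
    """Return the AdmissionReview response for one Pod admission request."""
    req = review["request"]
    pod = req["object"]
    response = {"uid": req["uid"], "allowed": True}
    result = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
              "response": response}
    metadata = pod.get("metadata", {})
    annotations = metadata.get("annotations") or {}
    containers = pod.get("spec", {}).get("containers", [])
    skip = (req.get("kind", {}).get("kind") != "Pod"
            or annotations.get(OPT_OUT_ANNOTATION) == "false"
            or any(c.get("name") == SIDECAR_NAME for c in containers))
    if skip:
        return result                 # allow unchanged; re-invocation is a no-op
    patch = [{"op": "add", "path": "/spec/containers/-", "value": build_sidecar()}]
    if not metadata.get("annotations"):
        patch.append({"op": "add", "path": "/metadata/annotations", "value": {}})
    patch.append({"op": "add",
                  "path": "/metadata/annotations/" + _pointer(STATUS_ANNOTATION),
                  "value": "injected"})
    response["patchType"] = "JSONPatch"
    response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return result

def apply_patch(pod, response):
    """Minimal JSON Patch applier for the 'add' ops above; shows the mutated Pod."""
    out = copy.deepcopy(pod)
    if "patch" not in response:
        return out
    for op in json.loads(base64.b64decode(response["patch"])):
        parts = [p.replace("~1", "/").replace("~0", "~") for p in op["path"].split("/")[1:]]
        target = out
        for part in parts[:-1]:
            target = target[part]
        if isinstance(target, list):
            target.append(op["value"])           # only the '-' (append) form is used
        else:
            target[parts[-1]] = op["value"]
    return out

# Constructed sample request, shaped like what the API server sends a webhook.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "3f2a9d1c-0000-4000-8000-000000000000", "operation": "CREATE",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "web", "namespace": "prod"},
                   "spec": {"containers": [{"name": "app", "image": "registry.example/web:2.1.0"}]}},
    },
}

if __name__ == "__main__":
    resp = mutate(SAMPLE_REVIEW)["response"]
    print(json.dumps(apply_patch(SAMPLE_REVIEW["request"]["object"], resp), indent=2))
```

Two caveats a practitioner would check before relying on this model. Injection only happens for Pods admitted after the webhook is registered and matching its namespace and object selectors, so existing workloads need a rollout; and the webhook’s `failurePolicy` decides what happens when it is unreachable: `Ignore` lets Pods start unprotected, `Fail` blocks Pod creation cluster-wide. The `~1` escaping is not cosmetic: an annotation key containing `/` written into a JSON Pointer unescaped makes the API server reject the patch.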

In addition to the extensions to Kubernetes security capabilities, the latest release adds many new features and enhancements including:

  • New Customizable Dashboard: Provides a clear view of the overall security status of your cloud native environment, with dedicated widgets for key areas such as host and image/container security and a drag-and-drop layout. The new dashboard respects Aqua’s RBAC model, filtering viewable data according to the user’s role permissions.
  • AWS Bottlerocket Support: Bottlerocket, the Linux-based operating system from AWS purpose-built for running containers, is now supported as a protected workload platform.
  • Auto-Remediation for Azure in Aqua CSPM: Aqua CSPM now provides remediation advice and auto-remediation options for Azure cloud services, as was previously available for AWS.
  • New Compliance Reports in Aqua CSPM: Aqua CSPM now provides additional out-of-the-box compliance reports, including SOC 2 Type 2, ISO 27001, NIST SP 800-53, and NIST CSF.
  • VM Security: Scans can now be scheduled flexibly, scan history can be reviewed, and malware scans can run against mounted NFS shares.