Amir Jerbi

New Kubernetes security posture management (KSPM) and agentless runtime protection empower organizations to defend K8s-based applications against multiple threats Aqua Security announced a suite of new Kubernetes-native security capabilities, providing a holistic approach to securing applications that run on Kubernetes across the development, deployment, and runtime phases of the application lifecycle. The company also announced significant new features in its Cloud Security Posture Management (CSPM) solution. These new capabilities are integrated into Aqua’s cloud native security platform, covering the spectrum of deployment options across containers, VMs, and serverless functions. In a recent research note, Michael Isbitski and Frank Catucci from Gartner asserts that “Kubernetes’ inherent complexity often leads to outdated versions and misconfiguration by organizations, making clusters susceptible to compromise. Though some security mechanisms are included by design, K8s by itself is not a security offering, and security settings aren’t always enabled by default. Protecting a K8s cluster is a significant undertaking, requiring both substantial understanding of the underlying technology and engineering expertise to configure it all.” Kubernetes Security Posture Management (KSPM) KSPM automates set of policies and controls to secure configuration and complianceAqua’s new Kubernetes security solution addresses the complexity and short supply of engineering expertise required to configure Kubernetes infrastructure effectively and automatically by introducing KSPM - Kubernetes Security Posture Management, a coherent set of policies and controls to automate secure configuration and compliance. Additionally, Aqua now offers new agentless runtime protection capabilities that use Kubernetes itself to deploy security controls into pods, leveraging and extending the native capabilities built into Kubernetes. “The large-scale use of Kubernetes, as well as developments in the threat landscape, necessitate a comprehensive approach to securing applications that goes beyond generic benchmarks, providing seamless workload protection in runtime,” noted Amir Jerbi, CTO and co-founder at Aqua. “We’ve been working with our enterprise customers to make it easier to securely deploy and seamlessly protect applications that run on Kubernetes, while complementing our existing capabilities in Kubernetes and container security.” KSPM new and innovative capabilities Kubernetes Assurance Policies: With more than 20 predefined rules available out of the box, and the ability to use OPA (Open Policy Agent) Rego rules, these policies define which Pods may be deployed in a cluster based on multiple parameters. These policies work in conjunction with Aqua’s Image Assurance Policies to control which containers run in one's cluster based on both their image contents and configuration, as well as Pod configuration. Kubernetes Roles and Subjects Assessment: Reduces administration overhead of maintaining Kubernetes user and service account privileges by identifying risks and suggesting their remediation. This addresses the least privilege security gaps while diminishing the need for Kubernetes security expertise, which is in short supply. These new capabilities join Aqua’s existing certified CIS benchmark testing (powered by Aqua’s open source Kube-Bench), and penetration testing (powered by Aqua’s open source Kube-Hunter), providing enterprises with comprehensive insight into the security posture of their Kubernetes cluster, and the ability to address gaps efficiently with no need for specialized expertise. Enhanced security extensions            With its new Kubernetes Runtime Protection module, Aqua introduces a new model for deploying security runtime controls in a Kubernetes cluster, complementing its existing container runtime security deployment options. This new model leverages Kubernetes Admission Controllers to deploy and govern sidecar containers within Pods, in a similar fashion to other cloud native tools such as Envoy. This mode of deployment enables greater automation of deployment and does not require any privileges on the node’s host OS while providing dynamic runtime controls such as container drift prevention, behavioral controls, and network controls. In addition to the extensions to Kubernetes security capabilities, the latest release adds many new features and enhancements including: New Customisable Dashboard: Provides a clear view of the overall security status of your cloud native environment with dedicated widgets for key areas, such as host and image/container security, and drag & drop design. The new dashboard supports Aqua’s RBAC model to filter viewable data according to user role permissions. AWS Bottlerocket Support: The new AWS operating system for running containers is now available as a protected workload platform. Auto-Remediation for Azure in Aqua CSPM: Aqua CSPM now provides remediation advice and auto-remediation options for Azure cloud services, previously available for AWS. New Compliance Reports in Aqua CSPM: Aqua CSPM now provides out-of-the-box compliance reports for additional compliance reporting, including SOC 2 Type 2, ISO27001, NIST SP 800-53, and NIST CSF. VM Security: Now allows flexible scan scheduling, scan history review, and malware scans on mounted NFS shares.

Aqua Security, global security platform provider for securing container-based and cloud native applications, has announced the availability of version 4.0 of the Aqua cloud native security platform, introducing new security and compliance controls for serverless functions and Linux hosts. As enterprise development and deployment of cloud native microservices-based applications continue to accelerate, Aqua enables security teams to manage and enforce security policies across a blend of VM-based containers, Containers-as-a-Service (CaaS) and Function-as-a-Service (FaaS) spanning both multi-cloud and on-premises environments. Gartner Distinguished VP Analyst, Neil MacDonald, notes that “securing serverless will force information security and risk professionals to focus on the areas we retain control over. Specifically, the integrity and assurance of the code, identities of the code and developers, permissioning, and serverless configuration, including network connectivity.” Serverless Security Solutions Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts, scan them for vulnerabilities, detect excessive permissions and configuration issues, and provide function assurance – preventing the execution of untrusted or high-risk functions based on defined policies. The key controls for serverless environments include: Functions discovery: Creating an inventory of functions stored across cloud accounts. Vulnerability scanning: Deep scanning of a functions packages and dependencies for known vulnerabilities (CVEs), based on multiple sources and supporting multiple programming languages. CI/CD Integration: “Shifting left” beyond scanning existing functions, Aqua provides development teams with plug-ins for Continuous Integration environments to detect security issues as functions are being built. Permissions Assessment: Identifying use of excessive or over-provisioned permissions specific to the serverless cloud environment, and monitoring for unused permissions –reducing the potential attack surface of a function. Sensitive Data Assessment: Detecting secrets and hard-coded keys within the functions themselves, or within environment variables, specific to the cloud environment – for instance AWS credentials or Azure Authentication keys. Function assurance: Security teams can set policies to determine the risk threshold to allow or disallow function execution, based on a variety of factors including CVE severity, CVSS score, sensitive data, and permissions. Function anomaly detection: Monitoring of function usage patterns and alerting on sudden spikes in the frequency or duration of function execution. Enhanced Security Controls Another significant addition to the Aqua platform is tighter controls to secure the Linux hosts that run containers. This addresses potential risks from vulnerabilities such as the one discovered earlier this year when a severe new vulnerability (CVE-2019-5736) was disclosed in runc, a component used in most container runtimes which is part of Linux OS distributions, highlighting the need for securing the container stack at both the workload and host levels. The new technologies supporting cloud native applications require a holistic approach to security and compliance" “The new technologies supporting cloud native applications require a holistic approach to security and compliance, across the application lifecycle as well as up and down the stack, and this has become more evident in recent months with significant vulnerabilities discovered in Kubernetes and runc for example,” notes Amir Jerbi, CTO and co-founder at Aqua Security. “With this new release from Aqua, our customers can protect their applications against those, as well as yet undiscovered vulnerabilities by implementing tight compliance and whitelisting-based zero-trust security.” Aqua 4.0 Security Platform Aqua 4.0 builds on previous Aqua host protections that already included testing hosts according to CIS (Center for Internet Security) benchmarks, scanning hosts for known vulnerabilities, and monitoring user logins, to provide: Malware Scanning: Detecting malware in the host OS, or any of its components. Vulnerability scanning: Scanning for CVEs found in the host OS, or any of its components. Whitelisted and Blacklisted Users and OS Packages: Security teams can specify which types of users and OS packages are either allowed or forbidden from being used on a host. User Activity Monitoring: Aqua now logs all user commands on the host OS for security and compliance tracking (in addition to the previously available user logins and login attempts tracking) CIS Benchmarks Testing: Having achieved CIS certification for its Kubernetes benchmark, Aqua now provide detailed information on each benchmark test success/failure to provide teams with remediation information. Custom Benchmark Scripts: Enabling the upload of scripts that customize benchmarks to account for configurations that aren’t supported in the standard CIS benchmarks, including Kubernetes clusters on Red Hat OpenShift. Host Assurance: Allowing to set policies that will determine a threshold for host compliance and security risk based on the results of the above scans and checks and generate alerts and audit events upon policy violations. Aqua CSP v4.0 will be generally available in mid-March for existing customers and new deployments.

Aqua Security, the platform provider for securing container-based and cloud native applications, announced the integration of its platform with Datadog’s cloud monitoring and analytics platform. With this integration, Aqua provides real-time visibility into the security posture of cloud native applications to Datadog users, including information on vulnerable images, untrusted running containers, and security anomalies found by Aqua in the runtime environment. For DevOps teams that continuously monitor applications for operational parameters such as performance, bug tracking, and errors, security events are often a blind spot that is handled elsewhere although they may directly affect application uptime and resiliency. The integration of Aqua’s granular security information into Datadog’s comprehensive monitoring makes it possible to identify issues quickly and analyze their impact on application availability. Bridging The Gap Between Application And Security Teams We are helping organizations bridge the gap between these traditionally siloed teams" "As organizations shift to more dynamic infrastructure through cloud and container technologies, communication between application and security teams is more important than ever,” said Ilan Rabinovitch, VP Product and Community at Datadog. “By combining Datadog's deep insights into containerized application performance with Aqua Security’s enforcement of security best practices, we are helping organizations bridge the gap between these traditionally siloed teams.” The integration between Datadog and Aqua CSP features pre-built Datadog dashboards that display: Container images currently in Aqua’s scan queue Known vulnerabilities and security issues found in existing images Containers running from unauthorized images Aqua runtime policy violations and audit events Detecting And Fixing Security Issues Additionally, Datadog users can use the data provided in the Aqua dashboards to set up their own alerts, aggregate data streams from different applications, and customize how data is displayed. “We are excited to be partnering with Datadog to deliver a more complete security view to DevOps teams,” said Amir Jerbi, CTO and co-founder of Aqua Security. “In the cloud native era, ensuring security can no longer be the exclusive burden of security teams, and instead should be part of the overall operational soundness of applications throughout their lifecycle. Our integration with Datadog creates a valuable shortcut that allows security issues to be detected early and fixed quickly, preventing escalated security incidents in production.” 

Aqua Security announced that its Aqua Container Security Platform (CSP) has been certified by CIS Benchmarks to compare the configuration status of Kubernetes clusters against the consensus-based best practice standards contained in the CIS Kubernetes Benchmark. Organizations that leverage Aqua CSP can now ensure that the configurations of their critical assets align with the CIS Benchmarks consensus-based practice standards. “We are thrilled to have our platform certified by the CIS for the Kubernetes Benchmark,” said Amir Jerbi, CTO and co-founder at Aqua. “This certification is a testament to the rigorous security testing performed by our platform, and our commitment to providing enterprise customers with solutions that enable them to meet CIS best practice standards and maximize the security posture of their Kubernetes clusters.” Aqua Container Security Platform (CSP) Aqua’s platform is used by more than 100 of Global 1000 companies, securing their container-based and cloud native applications, on-prem and in the cloud, supporting both Linux and Windows runtime environments, across Kubnernetes as well as other orchestrators. The Aqua platform drives DevSecOps automation and provides visibility and runtime protection for cloud native workloads, including both host-level and network-level controls. The CIS Benchmarks program is a trusted, independent authority that facilitates the collaboration of public and private industry experts This certification is issued by CIS (Center for Internet Security, Inc.) and reflects proven guidelines that are continuously refined and verified by a volunteer, global community of experienced IT professionals. “Cybersecurity challenges are mounting daily, which makes the need for standard configurations imperative. By certifying its product with CIS, Aqua Security has demonstrated its commitment to actively solve the foundational problem of ensuring standard configurations are used throughout a given enterprise,” said Curtis Dukes, CIS Executive Vice President of Security Best Practices & Automation Group. CIS Certified Security Software Products In order for a product to receive the CIS Benchmarks Certification, a vendor must adapt its product to accurately report to the security recommendations in the associated CIS Benchmarks profile. CIS Certified Security Software Products demonstrate a strong commitment by the vendors to provide their customers with the ability to ensure their assets are secured according to consensus-based best practice standards. The CIS Benchmarks program is a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for Federal Information Security Management Act, PCI, Health Insurance Portability Accountability Act and other security requirements.

Aqua Security, global platform provider for securing container-based and cloud native applications, has announced version 3.5 of its cloud native security platform, which now protects a wide range of cloud native technologies, including applications using serverless functions. Customers can deploy end-to-end security to establish a consistent policy enforcement layer spanning container, serverless containers (such as AWS Fargate) and serverless functions (such as AWS Lambda). Aqua CSP v3.5 In addition, driven by continued enterprise adoption of the Aqua platform in some of the largest global enterprises, Aqua CSP v3.5 raises the bar in terms of ease of management of complex, multi-application and multi-team enterprise environments by enabling flexible policy scopes and highly granular user role definitions, and adds container encryption for protection of intellectual property. Moving to a serverless model allows developers to prioritize simplicity and agility by abstracting infrastructure concerns to provide a straightforward execution environment for applications and microservices. However, serverless architectures also introduce new security risks. Attackers may leverage a weakness or vulnerability in the serverless function code itself or outsourced libraries; or attempt to take advantage of the complexity of cloud infrastructure permissions to reach services or networks that contain sensitive information. Building on Aqua’s experience in securing containers, Aqua CSP v3.5 addresses these serverless threat vectors and minimizes their potential impact. Security For Hybrid Cloud Deployments There is a growing need for scalable security that is easy-to-manage across multi-cloud and hybrid cloud deployments, covering both containers and serverless functions" “As the adoption of containers and serverless continues to expand within a greater number of enterprises, and to greater numbers of applications within those enterprises, there is a growing need for scalable security that is easy-to-manage across multi-cloud and hybrid cloud deployments, covering both containers and serverless functions,” said Amir Jerbi, CTO and co-founder of Aqua Security.\ “Our customers now run multiple cloud native applications and require a unified platform to manage security across teams, while providing security and DevOps teams segregation of duties coupled with the control they require.” Features And Capabilities Risk Assessment for Serverless functions: Checks functions for known vulnerabilities, embedded secrets (keys and tokens), and cloud permissions, to ensure that function privileges are secure and minimized. Serverless support is fully integrated with Aqua’s extensive controls for container runtime deployments and is managed via the same console. Container Encryption: Aqua now makes it possible to encrypt the entire contents of a container image, decrypting it with a key when it is instantiated as a container. This feature enables companies with sensitive intellectual property embedded in their container images to protect them against unauthorized use and prevents unauthorized access to code in case of a registry breach or when code is given under license to partners and customers. Greater Visibility through Workload Explorer: With a tabular and visual view of running workloads on Kubernetes and Docker environments, Workload Explorer provides visibility into large, distributed runtime environments, highlighting vulnerable or risky components (i.e., namespaces, deployments, pods, containers). Operations and security staff can easily filter the data and drill down to view detailed information quickly to ensure compliance. Contextual Runtime Policies: Based on feedback from some of Aqua’s largest customer implementations, Aqua runtime security policy models now allow the definition of a highly specific scope for each policy, to be applied to an application context. The scope can be defined according to dozens of parameters, including Kubernetes deployment and namespace, image registry prefix, environment variables, and many more. This flexibility allows customers to easily differentiate between multiple applications, for example by applying stricter policy to applications with higher trust requirements, such as mission critical applications, even if they use the same images as other applications. Fine-Grained Administrative Access Control: An enhanced RBAC engine enables fine-grained permissions for DevOps, security and compliance teams on the Aqua platform, enabling true segregation of duties between teams and roles. For example, different teams may be granted access to different sets of images or registries, while their ability to view or change Aqua policies for images, serverless functions, runtime, secrets, and compliance will vary according to their specific role.

Aqua Security, the premier platform provider for securing container-based and cloud-native applications, announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack. Runtime Protection Against “Zero Days” Sophisticated attacks often exploit unknown vulnerabilities in the application or operating system, also known as “zero days”, to either escalate privileges, run arbitrary code, or exfiltrate data. Doing this at the OS level requires the use of system calls (syscalls), core functions that applications use to request the OS perform anything from opening files, creating network connections, to rebooting the system. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls The large number (more than 330) of available syscalls present a significant attack surface that can lead to OS-level kernel exploits, even though for any given application, only a small subset of syscalls is actually being used. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls and apply those profiles per application. Docker, for example, has disabled 50 syscalls in its default seccomp profile for running Docker containers. Aqua Container Security Platform However, this still leaves more than 250 syscalls enabled, most of which would not be necessary for a specific application, and best practices are for developers to disable them. The challenge is that creating custom profiles for an application is difficult because it requires a deep low-level understanding of how the application uses syscalls – which is why most organizations often rely on the weak default. The release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analyzing a running container’s syscall use, white-listing those being used, and creating a custom seccomp profile to prevent the use of all other syscalls. Since a typical container only uses between 40-70 syscalls, this results in a dramatic reduction in the number of available syscalls for a given service, reducing the attack surface by as much as 90%. Any attempt by an attacker to use a non-whitelisted syscall will be blocked by Aqua and generate an alert. Securing Cloud-Native Deployments Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity" “Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity,” says Amir Jerbi, CTO and co-founder of Aqua Security. “Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits.” Modes of cloud-native app deployment are constantly expanding to cater for varying needs. Today, in addition to running containers on VMs, organizations can deploy “serverless” code, whether as on-demand containers using services such as AWS Fargate or Azure Container Instances, or as serverless functions. New capabilities For Full-Stack Security Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua’s MicroEnforcer technology released earlier this year: AWS Lambda function scanning: Aqua’s extensive vulnerability, hard-coded secrets and malware scanning is now available for scanning AWS Lambda functions. CRI-O and containerd support: Aqua’s runtime protection controls are now available in environments using the CRI-O and containerd container engines. “Thin OS” protections: Aqua Monitors hosts that run containers for successful and failed login attempts and provides discovery and scanning for container images stored on the host. Additional Compliance And Platform Features Aqua 3.2 also introduces numerous new features based on customer requirements: Aqua’s Container Firewall now allows the use of rules based on domain names, in addition to container/cluster IP addresses, making it easier to create application network rules. New out of the box compliance templates for runtime protection, applying best practices for meeting NIST, PCI, HIPAA, and GDPR requirements. Integration with the Azure Container Registry quarantine feature, preventing vulnerable images from being pulled from the registry. Enhanced SAML support, allowing Federated Single Sign-On from Microsoft ADFS, Okta, and Google Apps, among others.

The Aqua Container Security Platform gives organizations total control over the security and compliance posture of software containers Aqua Security™ (formerly named Scalock) today announced the company’s formal launch and General Availability of the Aqua Container Security Platform, the industry’s most comprehensive solution for securing containerized environments. The Aqua Container Security Platform provides organizations with full control over the security and compliance posture of software containers at all times, enabling them to reap the agility, flexibility and efficiency benefits container-based application architectures provide. Challenges Posed By Containers “Containers bring tremendous benefits to the efficiency and speed of application development and delivery, but they also present new challenges in security,” said Raffi Margaliot, SVP & General Manager, Application Delivery Management, Hewlett Packard Enterprise.  “With Aqua's Container Security Platform we can help our customers automate and improve their container security and compliance posture, control user access and monitor usage in real-time – all via a fully automated, integrated solution.” "Containers bring tremendousbenefits to the efficiency andspeed of applicationdevelopment and delivery, butthey also present new challengesin security" “I’m extremely excited about Aqua. Software containers are taking the enterprise IT world by storm, but they present new security and control gaps that cannot be addressed using existing approaches and tools,” said Shlomo Kramer, Aqua Security founding investor.  “Aqua’s container security platform provides granular, context-aware container security while automating the entire process, allowing enterprises to focus on deploying and running applications.” Container-based Development Strategy Aqua was co-founded by CEO Dror Davidoff, former McAfee/Intel security, and by CTO Amir Jerbi, former Chief Architect of CA Technologies Security business unit, with more than 14 patents to his name. Aqua’s launch follows the completion of an extended beta program comprised of more than a dozen enterprise customers, the majority of them Fortune 500 companies, reluctant to move forward on a container-based development strategy without appropriate security measures in place.  Aqua's Comprehensive Security Solution The Aqua Container Security Platform delivers the most comprehensive security solution built for containerised environments, supporting Docker and Windows containers, and available for on-premises deployment. Providing development-to-production container lifecycle protection, its key features include: Image assurance that includes both passive as well as active scanning, and continuously assures images integrity and enforces correct use. Fine-grained, role-based user access control that limits user access and type of access to specific containers, hosts, and applications. Full visibility, monitoring and audit trail for container activity, user access and host configuration changes. Automated security policies that provide an optimal security wrapper for containers and does not require manual intervention. Runtime protection that includes both real-time detection as well as prevention when container behavior breaks policy. Integrations with a variety of image registries, CI/CD tools, SIEM and analytics tools. “At Aqua our goal is to provide a truly immersive security ‘envelope’ for containers, providing multiple layers that protect containers from multiple risks,” said Dror Davidoff, Co-founder and CEO, Aqua Security. “By providing a fully automated solution, we bridge the gap between DevOps and IT security, enabling container adoption while providing the necessary oversight and security policy enforcement that enterprises require.”