Aqua Expands Container Security Platform With MicroEnforcer

Aqua Security 3.0 provides new capabilities to help organizations protect Kubernetes container workloads as well as new modes of container deployment, including the AWS Fargate service.

Aqua 3.0

Aqua Security launched version 3.0 of its namesake container security platform on March 7, refocusing the product on providing Kubernetes cloud-native enterprise security controls.

Aqua originally focused on just Docker container deployments, but with the new 3.0 update it is providing a series of capabilities that are aligned with Kubernetes deployments. Kubernetes provides container orchestration capabilities and has also been embraced by Docker Inc., which now also integrates Kubernetes as an option for its users.

Looking beyond just Kubernetes, Aqua 3.0 also has a new capability called the MicroEnforcer, which is aimed at emerging forms of lightweight container deployments, such as the AWS Fargate service.

"Over the last few years we had Docker as a focus," Amir Jerbi, co-founder and CTO of Aqua Security, told eWEEK. "In the last year, we have seen a shift in the market where more and more people are using Kubernetes and there is a great need for tools that will add value on top of what Kubernetes offers."

Aqua released its first container security platform in May 2016, providing runtime protection for containers. The Aqua 2.0 release debuted in February 2017, delivering an expanded set of container security capabilities, including application container traffic segmentation and support for secrets management. As a company, Aqua has raised a total of $38.5 million in venture capital funding, including a $25 million Series B round of funding that closed in September 2017.

The protections available in Aqua 3.0 aren't just a shift in name to Kubernetes; they also represent a shift in how certain security functions are enabled. For example, Jerbi said that for user access control, which defines which users can perform various actions, things are done differently in Docker than with Kubernetes. Jerbi explained that Docker user access control is done at a low level with a Docker command. In contrast, he said that with Kubernetes, Aqua is providing user access control at the API level.

"We moved the security layer to a higher level to be more aligned with the way Kubernetes works, which allows us to protect different types of resources," he said. "We can protect Kubernetes services and daemon sets and not just the containers."

Kubernetes has included a role-based access control (RBAC) capability since the 1.8 release, which debuted in September 2017. Jerbi said Aqua plugs into Kubernetes native dynamic admission control capabilities, which allow external security vendors to provide an additional layer of security.

Networking is also handled a little differently in Kubernetes than it has been typically done in Docker. Kubernetes has an abstraction known as the Container Networking Interface (CNI), into which different container networking technology can integrate.

"The integration with CNI allows us to create nano-segmentation," Jerbi said. "Unlike Docker where you don't have a lot of segmentation option, with Kubernetes there are different services and a lot of ways to group together applications."

As such, Jerbi explained that an Aqua 3.0 user can choose to segment an application running in a specific namespace segment to make sure that it will never connect to another application running in a different namespace.


Among the many different ways that Kubernetes is being deployed today is the AWS Fargate cloud service that provides a serverless approach to running containers. Fargate enables organizations to run containers without the need to manage servers or clusters.

To help protect AWS Fargate-based container deployments, Aqua is introducing its new MicroEnforcer model. With the typical Aqua deployment, what is known as a container "side-car" is deployed on every node, according to Jerbi. The side-car is a container that acts to protect other containers that run on the same host node.

"The problem with Fargate is there is no node, so you have to add the enforcement point together with the application," he said. "So we allow organizations to package the MicroEnforcer directly into the application container image."

Jerbi added that as part of the application container image, the MicroEnforcer protection will travel with the container wherever it is deployed. The MicroEnforcer also provides encryption to the container image, further protecting the data within an image.


Aside from its commercial platform, Aqua is also the leader of the open-source Kube-bench project, which provides a set of checks to make sure that Kubernetes is deployed in compliance with security best practices. As part of the Aqua 3.0 platform, Jerbi said Kube-Bench is now directly integrated inside of the product.

"We've also put additional capabilities on top of Kube-Bench in Aqua 3.0, including the ability to aggregate results across a cluster as well as the ability to generate reports," he said.

In addition, Jerbi noted that Aqua 3.0 provides compliance templates for Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance regimes.

Container Competition

The market for container security vendors is a competitive one, with multiple firms all aiming to grow market share. Among the startup vendors in the space are Twistlock, Capsule8, Neuvector, StackRox and LayeredInsight.

Jerbi said Aqua aims to differentiate itself from the competition by investing in the entire lifecycle of container security, from development to production deployment.

"From our perspective, we want to make sure we're providing customers with security consistency regardless of which cloud-native tool they choose," Jerbi said. 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.