Aqua Extends Container Security Platform With Compliance Features

Aqua Security brings enhanced policy and compliance capabilities to its container security platform.

Aqua 3.0

Aqua Security announced on April 9 that it is adding new automated compliance capabilities to its namesake container security platform.

The enhanced capabilities are aimed at helping organizations meet different compliance requirements. Aqua now includes compliance checks to help identify personally identifiable information in container application images. In addition, the Aqua update can identify embedded "secrets" that include passwords and access tokens. Aqua also scans for malware in container images as well as container hosts to help identify threats.

The new compliance capabilities come a month after the release of Aqua Security 3.0 in March, which extended the container security platform to include a more comprehensive approach for Kubernetes-based container environments. Rani Osnat, vice president of product marketing at Aqua, said the new release is an incremental update to the 3.0 platform. 

The market for container security is a competitive one, and Aqua isn't the only vendor helping organizations with compliance. Twistlock has a compliance explorer feature, and both StackRox and Layered Insight have announced container compliance capabilities as well.

Image Assurance

One of the ways that Aqua can help enable compliance is with the platform's image assurance policy feature.

"Image assurance is the term we use for the ability to determine which images are allowed to run in a customer's environment," Osnat told eWEEK. "There is a default policy that provides security by default for a wide range of use cases, but the interesting bits are custom policies that admins can create and apply to different environments."

Policies can be configured for specific open-source software licensing parameters, as well as look for sensitive data and personally identifiable information, Osnat said. When an image fails to meet any of the criteria set in the policy that it's typically not allowed to run, the system can be configured to run in audit mode, he said.

"We use a cryptographic digest to track images from the moment they're created to runtime, so we know if anyone tries to run an image that didn't pass the policy or didn't go through our process to begin with," Osnat said. "We enforce this both at the Kubernetes cluster level, at the master node, as well as on individual Docker hosts."

Although organizations can use the Aqua image assurance capabilities to meet compliance objectives, the platform does not have templates to meet specific compliance regimes, such as Payment Card Industry Data Security Standard (PCI DSS) or General Data Protection Regulation (GDPR). Osnat said templates are planned for the next 3.x release update. Aqua does, however, have a series of guides for its customers on how to achieve PCI DSS, GDRP and Health Insurance Portability and Accountability Act (HIPAA) compliance with containers and the Aqua Security platform.

While templates can be helpful for guiding an organization's compliance requirements, another common approach for defining compliance in some organizations is done with the Security Content Automation Protocol (SCAP). Osnat said Aqua supports SCAP scripts, using the Open Vulnerability and Assessment Language (OVAL).

"We have many customers who use these [SCAP scripts] for compliance elsewhere, and this makes it easy for them to apply them to containers as well," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.