Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Securing Applications in ContainersAqua Container Security Platform

2

In 5 years ALL new software deployments will be based on containers, running in a hybrid environment

3

GARTNER PREDICTS

By 2020, more than 50% of global organizations will be

running containerized applications in production, up from less

than 20% today.

Gartner’s 6 Best Practices for Creating a Container Platform Strategy

Copyright @ 2017 Aqua Security Software Ltd. 4

Copyright @ 2017 Aqua Security Software Ltd. 5

6

What Are Containers?

New form of lightweight virtualization.

Makes applications think they have a

complete operating system for

themselves.

Container[kuhn-TAY-ner] , noun

7

Containers: A New Approach to Computing

Host OS

App

Host

Host OS

App App

VOS VOS

Host

Host OS

Container engine

Host

SCALABILITY, DENSITY, COMPLEXITY

VIRTUALIZATION CONTAINERIZATION

8

MAKING A CONTAINERIZED APPLICATION

< / >

.NET

Docker Image Docker Host

9

MAKING A CONTAINERIZED APPLICATION

< / >

.NET

Docker Image Docker Host

10

CHALLENGE #1: VISIBILITY

What is in the image?

What will it do?

Who made it?

Is Development making infrastructure decisions?

11

CONTAINER DEPLOYMENTS

12

CHALLENGE #2: PROCESS

Where to add security in the pipeline?

Is the image still the same when it gets to the hosts?

Who can run containers and manage them?

How to get inventory of what is running?

13

RUNNING CONTAINERS ON THE HOST

14

RUNNING CONTAINERS ON THE HOST

CPU

15

CHALLENGE #3: CONTROL

What is each container doing? Is it what it’s supposed to?

How to limit user context and permissions?

What network connections is the container making?

How to give specific, sensitive, information to a container?

16

CONTAINERS HAVE GREAT BENEFITS

Runs AnywhereUp in Seconds Massive Scale

17

SECURITY IS A BARRIER TO ADOPTION

18

BRIDGING THE GAP

Shift Left Automate Prevent

19

SHIFT-LEFT INTO THE BUILD PHASE

• Evaluate risk based on configuration and content• Register compliant images as approved for use• Scan for vulnerabilities on the finished product• Share information between Dev, Ops and Sec

20

ADD ENFORCEMENT OF IMAGE USAGE

• Only accept known images• Approve images based on risk• Maintain integrity

21

LIMIT ACCESS TO CONTAINER ENGINE

• Separate automation from human actions• Control parameters that elevate privilege• Permissions on volumes, networks, etc.• Audit trail with accountable user

22

GRANULAR CONTROLS OF RUNNING CONTAINERS

• User context of the container• Executables and resources inside the container• Isolation from the host• Network segmentation

23

CONTAINERS + AQUA = BETTER SECURITY

24

THE SECURITY FOUNDATION FOR CONTAINERS

1. Image Assurance

2. Runtime Protection

3. Container Network Firewall

4. Secret Management

5. Access Control and Docker Compliance

25

AQUA SECURITY: SNAPSHOT

TEAM

70 experienced, passionate innovators

FORTUNE 1000 CUSTOMERS

Banking Media

Insurance Healthcare

Retail Travel

Software & Internet Telecommunications

Investors

Light Ventures Capital Microsoft Ventures TLV PartnersShlomo Kramer

Tel Aviv San Francisco Boston

26

DEPLOYMENT ARCHITECTURE

Center

Aqua Command Center

Aqua Cyber Intelligence

Linux/Windows OS

Aq

ua

En

forc

er

Co

nta

ine

r

Co

nta

ine

r

Container Engine

Public Registry

Private Registry

CI/CD SIEM / Analytics

Aqua Gateways

TO THE DEMO

28

For Additional Info

Our Resource Center: www.aquasec.com/resources/

Container Wiki: www.aquasec.com/wiki

WWW.AQUASEC.COM