01.16.20

Spotlight on Aqua Security

By Agustin Romano
#AquaSecurity

Security has always been an important aspect of cloud deployment. While cloud infrastructure services like AWS are now equipped with built-in security tools, there is still a big need for container-level security and a more holistic approach to cloud security in general.

Aqua Security is the leading provider for container-based applications, particularly applications designed to be cloud-native and serverless. A recent acquisition of CloudSploit brought Aqua Security to the cloud security posture management (CPSM) landscape.

Conquering Complexity

Kubernetes security is often seen as a complex task to tackle, which is why Aqua Security’s approach to simplifying Kubernetes security is a huge step in the right direction. Instead of offering complex tools for managing granular aspects of K8s deployments, Aqua Security immediately takes a more holistic approach with its policy-driven security.

Aqua Security offers policy-driven controls that integrate well with native features of Kubernetes. Security controls become a set of policies that tackle different parts of Kubernetes deployment, from user management and kubectl commands to master and worker nodes within a cluster. By integrating the process and making it seamless, Aqua Security conquers the complexity of Kubernetes security perfectly.

Of course, the security platform offers a set of tools that can be integrated with your security policies, starting with Image Assurance that is designed to work with Kubernetes. It also integrates runtime protection as a feature, allowing for malicious behaviors to be detected early; this helps prevent further security risks from affecting the entire infrastructure.

Network rules, namespaces, and clusters are managed in the same fashion. Aqua Security has the ability to map network connections and organize rules automatically. You’ll be surprised by how easy it is to map the entire cluster and its network rules. It even works seamlessly with plugins and add-ons. Details about these features are even more fascinating.

Image Assurance for Kubernetes

Security starts from the very basic, and that means making sure that all nodes and images running within the cluster are all vetted and approved. Aqua Security will automatically stop images without sufficient credentials or approval levels from running inside your cluster, preventing further security risks in the process.

The policies governing how the images are sorted and approved can be fully customized. It is actually easy to automate the process of reviewing and scoring images based on vulnerabilities, including based on malware signatures, configuration issues, and other factors used in checking for compliance. A simple interface is used to perform image scanning.

Role Based Access Control is the next element in the process. RBAC allows you to specifically dictate access and how it is given to users and services. Similar to Image Assurance, the controls you have with RBAC are very granular, without making the whole process too complicated to manage. You can even create policies for specific Kubernetes deployments and nodes.

Encrypting Secrets

Next, we have the age-old problem with Kubernetes: securing Secrets. Secrets are essential to the scalability of a cloud infrastructure, but you have to make sure that Secrets are delivered in a secure way. This has always been a challenge; there have been many solutions designed specifically to solve this problem.

Aqua Security automates the process. It automatically delivers Secrets in an encrypted and secure way, all without causing a bottleneck or creating downtime. In fact, Aqua Security stays true to its serverless nature and make Secrets delivery seamless and on-the-fly. You don’t need a special encrypted storage for Secrets.

Advanced Cluster Security

We really cannot talk about Aqua Security without talking about the advanced security features it offers. Image Assurance is only the beginning. Once the images are deployed in the cluster, Aqua Security can continue the process by constantly monitoring the performance of your cluster. The platform has a comprehensive database of CIS Kubernetes benchmark tests that it can use to measure performance.

To further strengthen security, security profiles – Runtime Profiles – are added. Whitelisted operations are kept running, but anomalies and unrecognized actions are automatically scrutinized. This is done on a pod-per-pod basis.

The anomaly detection in Aqua Security is advanced enough to prevent most security issues. To complete the set of measures, network activities are also monitored for anomalies. The result is a set of security tools that completely protects your cluster down to the last detail.

Integration as a Feature

What’s interesting about Aqua Security’s approach is the way it can integrate all of the tools it provides – all of the security tools we need – without cluttering the user interface. Everything is designed to work out of the box with minor adjustment.

When you do need specific tools or features, Aqua Security has a long list of add-ons already supported, including plug-ins like Calico and Flannel. Integrating these add-ons is just as easy. The context provided by Aqua Security’s dashboard ties everything together.

As you can see, Aqua Security provides the necessary tools and features to secure a container-based environment from start to finish. It is an integrated tool that helps you manage K8s security without adding complexity to the process.

Don’t miss our other article on this subject, Securing Cloud-Native Applications


Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with microservices, containers, cloud infrastructure, and CI/CD deployments. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and profit from our DevOps-as-a-Service offering too.