Google Cloud gains security for Docker containers

With Twistlock Container Security Suite, businesses can apply security controls and defenses to containers without involving developers

Google Cloud gains security for Docker containers

Container security startup Twistlock announced general availability of its Container Security Suite on Tuesday. It features integration with Google Cloud Platform that provides container image scanning, access control functions, and the ability to enforce runtime security policies.

Container Security Suite, in beta since last May, adds multiple layers of monitoring to containers, such as the ability to scan applications in containers to detect vulnerabilities, and to apply access control logic and policies to the containers. This lets businesses apply security controls and defenses without getting in the way of how developers work with containers, said Chenxi Wang, chief strategy officer of Twistlock.

Containers can be easily updated and moved to other machines, which is great for developers as it speeds up the development lifecycle significantly. From a security standpoint, though, it's a challenge to tell whether the containers have any vulnerabilities or if there are issues with how the application is being developed. The problem is magnified when developers use existing images as templates for new containers, thereby copying any existing vulnerabilities. 

Twistlock's Container Security Suite scans the applications both in image registries and in runtime to detect vulnerabilities present in the Linux distribution, application frameworks, and custom-developed application code. It also has activity monitoring and smart profiling capabilities to detect misconfigurations and malicious activities and to take appropriate action, such as blocking the containers from launching and killing misbehaving containers dynamically. The suite can also apply enterprise access control policies to the container environment.

In a typical scenario, organizations initially use Twistlock's tools to scan and monitor new container deployments, Wang said. Afterward, they shift toward policy compliance monitoring and keeping track of what existing containers are doing.

Twistlock's integration with Google Cloud Platform adds the above-mentioned security controls to containers stored in Google Container Engine and Google Container Registry. The Twistlock Console acts as both a policy configuration portal and a central dashboard to configure image scan policies, specify runtime controls, and view the real-time security posture of the containers. Twistlock Defender runs on the same node as the containers and applies configuration policies as needed; it also monitors container health and reports the information back to the Console.

The Registry Scanner, a special type of Defender, helps users detect if any components in the software stack have known CVEs or violate configuration policies. If any anomalies are detected in a running Container Engine cluster, Twistlock takes automated corrective actions, such as raising an alert, blocking user access, or disconnecting the container from the network.

For example, if a policy states containers should not have inbound SSH access, Twistlock can scan container images in the registry to ensure none of them include SSH. Twistlock can also monitor traffic while the containers are running to detect if any of them are opening SSH connections.

There are ways to do this kind of monitoring manually, and many organizations have successfully used Twistlock on other cloud platforms, but the integration with Google Cloud Platform makes the entire process easier and seamless, Wang said. Existing Google Cloud users will be able to use the Google Cloud Launcher to deploy Twistlock Console and Registry Scanner. Wang said the option will be available within the next two weeks, but until then, users will have to go through Twistlock to sign up for the 60-day free trial and receive the batch install script.

Developers are the primary driver for container adoption. The Twistlock announcement won't necessarily increase adoption among organizations who haven't already made the decision to use containers. But the integration will help adoption among organizations who already use containers because it eases their concerns about how to gain visibility and control over the environment.

Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform