Docker-style containers aren’t just a way to deploy software more quickly or flexibly. They can also be a way to make software more secure. Automatic analysis of the software components that go into containers, behavioral policies that span container clusters and multiple application versions, and innovative new developments in tracking and managing vulnerability data are just some of the ways containers are bolstering security for the entire application lifecycle.
How much of this comes out of the box, though, is another story. Container products provide the basics, but not always more than that, leaving more advanced monitoring or management solely in the hands of the admin. Here are four recently revamped products and services that bring additional kinds of security to containers, both in the cloud and in your own datacenter.
Twistlock Container Security Platform
Twistlock Container Security Platform features
Twistlock’s mainstay has been adding security controls for containers in scenarios that aren’t covered by “core” container products like Docker Enterprise. For example, Twistlock 2.0 added compliance controls for enforcing HIPAA and PCI rules on containers, and Twistlock 2.1 included compliance alerting for build tools like Jenkins.
With Version 2.2, Twistlock adds support for Kubernetes’s CIS Benchmark, so that a Kubernetes-managed deployment can be checked against a set of common criteria for securing Kubernetes. Twistlock now runs on Swarm-managed clusters as well as Kubernetes, although CIS checking is only available for Kubernetes.
Twistlock 2.2 includes a “cloud-native application firewall,” a way to protect containerized apps by pointing at any orchestrated app. The firewall analyzes network traffic between containers and devises rules automatically based on container behaviors, so that admins don’t have to manually generate rules.
Twistlock 2.2 also defends hosts against runtime attacks as well as defending containers, by building heuristics about legitimate and illegitimate system behaviors. An “incident explorer” tool allows admins to see, in a single report, all of the changes that took place in a system during a security incident
Where to buy Twistlock Container Security Platform
Twistlock is only available in a for-pay enterprise edition, but users can try out a 30-day evaluation version without paying.
Sysdig Secure features
Sysdig Secure provides a set of tools for monitoring the security container runtime environments, and obtaining forensics from them. It’s intended to run hand-in-hand with Sysdig’s other instrumentation tools, such as Sysdig Monitor.
Policies for the environment can be set and enforced per application, per container, per host, or per network activity. Any events tracked by Sysdig Secure can be viewed by host/container or through the lens of the orchestrator (typically Kubernetes). Every container’s command history can be logged and examined, and general forensics across the cluster can be recorded and played back in a manner similar to Twistlock’s “incident explorer” feature.
Where to buy Sysdig Secure
Sysdig Secure is available only as a paid offering from Sysdig, with both cloud and on-prem editions available.
Atomicorp Secure Docker Kernels
Atomicorp Secure Docker Kernels features
Atomicorp’s Secure Docker Kernel is an alternative Linux kernel, for Ubuntu and CentOS, that makes use of a number of hardening tactics to offset potential attacks. Many of the protections, like hardened permissions for userland memory, are derived from Atomicorp’s general line of secure-kernel products. Others, like container breakout protection, are chiefly for Secure Docker Kernels.
Where to buy Atomicorp Secure Docker Kernels
Aqua Container Security Platform
Aqua Container Security Platform features
Aqua Container Security Platform provides compliance and runtime security for both Windows containers and Linux containers.
Aqua Container Security Platform allows admins to apply security policies and risk profiles to applications. Those profiles can also be associated with different application build pipelines. Image scanning can be integrated with build and CI/CD tools. Aqua Container Security Platform also lets you use application contexts to segment networks for those applications at runtime.
Aqua Container Security Platform also works with Google’s Grafeas project. Aqua Container Security Platform can record any vulnerability information it finds in an app’s Grafeas store, and Aqua policies can make use of Grafeas definition data for security incidents and software issues.
Where to buy Aqua Container Security Platform
Aqua CSP is available as either an on-prem or in-the-cloud offering. Free trial or open source versions are not available, but Aqua has released a number of minor open source projects that stem from its work with CSP.