Aqua Security 3.0 architecture supports AWS Fargate

Aqua Security's MicroEnforcer deployed without a sidecar container supports containers on public cloud services such as AWS Fargate and Azure Container Instances.

Aqua Security is giving users multiple ways to support container deployments across clouds.

Version 3.0 of the Aqua Security tool, released this week, adds a new means to deploy within a container image, called a MicroEnforcer, to the company's existing Enforcer sidecar container. Aqua Security 3.0 can inject MicroEnforcer code into container images as they're built, which will support emerging public cloud container-as-a-service environments such as AWS Fargate and Azure Container Instances. In these environments, where users manage only containers and not the underlying VM and bare-metal infrastructure, Aqua Security Enforcer wouldn't have worked well, because it requires access to the container host.

Aqua Security isn't alone in this approach -- competitor Layered Insight came out of stealth in January 2018 with an architecture similar to the MicroEnforcer. But Aqua Security also has a formal partnership with AWS, and demonstrated the MicroEnforcer's support for Fargate at Amazon's re:Invent 2017 conference. Aqua Security also touts the combination of MicroEnforcer and Enforcer deployment methods as a "best of both worlds" approach that Layered Insight lacks.

Such versatility will be key to stay ahead of AWS itself, said Adrian Lane, analyst at Securosis.

"Tomorrow, Amazon could write its own version of container security into CloudWatch to support Fargate," Lane said, referring to Amazon's native application and network resource monitoring feature. "It wouldn't take much for them."

But enterprise IT shops look to escape cloud vendor lock-in, and open source, generic software platforms such as Kubernetes offer portability and manageability in multi-cloud and hybrid cloud environments, Lane said. Kubernetes can also manage containers across multiple infrastructures that may include "zero-infrastructure" options such as Fargate. That would allow enterprises to have their cake and eat it too: host generic apps on cloud services and apps that require fine-tuned infrastructure elsewhere. Tools such as Aqua Security, Layered Insight and other competitors, such as Twistlock and Deepfence, look to provide cross-cloud security management for such customers.

Expect to see more container security players follow suit with new deployment formats as cloud container services become popular, said Fernando Montenegro, analyst at 451 Research.

"[Services such as Fargate and Azure Container Instances are] a fundamental change to security architecture that forces vendors to rethink their approaches to securing workloads at runtime," Montenegro said. "It blurs the lines between infrastructure security and application security."

All container security vendors must continue to adapt to changing infrastructure management paradigms, particularly in the cloud, as function as a service also gains popularity.

"Five years from now function as a service and containers will see equal use," Lane said. "Orchestration of applications and security across environments will be far more important than the individual unit of implementation."

[Figure: Aqua Security version 3.0 architecture diagram]

Aqua Security 3.0, competitors spar over Kubernetes support

Aqua Security 3.0 also adds support for Kubernetes clusters that run version 1.8 or higher of the container orchestration tool. Version 3.0 recognizes the latest Kubernetes security updates, such as role-based access control (RBAC), in addition to previous integration that allowed Aqua Security to run as a Kubernetes daemonset.

Twistlock claims similar support for Kubernetes security features, such as RBAC and the ability to block unapproved container images from deployment anywhere in Kubernetes clusters. However, Aqua Security claims it supports more advanced features, including the ability to block attempts at Kubernetes Pod commands that the tool's AI determines will be detrimental to the infrastructure. Version 3.0 also adds malware scanning for container images, in addition to scans for known security vulnerabilities.

Aqua Security and Twistlock generally run neck and neck among enterprise buyers in an increasingly crowded field, Securosis's Lane said.

"There's good client feedback on both in terms of reliability, ease of deployment and quality of support," he said. "We've seen both grow well as container security transitions from a problem enterprises are faintly aware of to a real market."

However, it's early in that transition, and many analysts predict the enterprise IT mainstream will hold off on purchasing from new container security players until they're snapped up by bigger fish in IT security software, which is expected to happen later this year. Support for Kubernetes security and the MicroEnforcer rollout position Aqua Security as a likely acquisition candidate, Montenegro said.