Enterprise Kubernetes maturity has pushed infrastructure deployments into DevOps pipelines, prompting container security vendors to support infrastructure-as-code scans.
Sysdig plans to acquire an infrastructure-as-code security startup as enterprise container and DevOps adoption reach critical mass, linking application and infrastructure deployments together more tightly.
The cloud-native observability and security vendor said this week it will acquire Apolicy, a small startup based in Sunnyvale, Calif., for undisclosed financial terms.
Sysdig's cloud security policy management and container security software already incorporate policy as code via integration with the Open Policy Agent (OPA). Apolicy will broaden that OPA integration to include infrastructure-as-code security configuration scans and autoremediation for tools such as HashiCorp's Terraform, AWS CloudFormation and open source utilities such as Kubernetes YAML files, Helm charts and Kustomize files.
Infrastructure as code is an approach to infrastructure provisioning that defines resources in declarative source code files written in a programming language, such as HashiCorp's domain-specific language for Terraform or open source YAML. It has gained popularity as enterprises adopt containers and Kubernetes, which lend themselves to defining resources as code but also create sprawling, complex infrastructures that are difficult to manage manually. The increasingly popular GitOps approach that centralizes all aspects of IT management within source code files and repositories has also spurred infrastructure-as-code adoption.
Infrastructure as code has become part of the way in which [IT organizations] are defining applications and being able to secure that becomes part of [vendors'] responsibility.
Sandy CarielliAnalyst, Forrester Research
As infrastructure as code becomes more widely used in Kubernetes environments, container security vendors have spotted an opportunity to expand their products. Sysdig's acquisition announcement follows a similar tuck-in deal last week by Aqua Security, which bought the company behind the tfsec open source project. Meanwhile, Styra Inc., commercial backers of OPA, also launched new support for infrastructure-as-code security policy management in its Declarative Authorization Service product this week.
"Infrastructure as code security is very active," said Sandy Carielli, an analyst at Forrester Research. "A lot of vendors in the container security space and prerelease scanning space ... have realized infrastructure as code has become part of the way in which [IT organizations] are defining applications, and being able to secure that becomes part of their responsibility, along with securing the containers and [application] code."
Sysdig taps into security autoremediation trends
Apolicy's autoremediation features are what prompted Sysdig to acquire the company, rather than partner with it as originally planned, and will make Sysdig's integration stand out from competitors, according to Sysdig CEO Suresh Vasudevan.
"What Apolicy has been doing is really saying, 'not only am I going to detect where is the drift between production and my [infrastructure-as-code] source file, I'm actually going to create a Jira ticket and give you a pull request that says, here's the specific Helm chart or YAML file, here's the line where I need to make the change,'" Vasudevan said. "Then for the developer, it becomes a matter of ... approving the pull request and at that point it gets deployed to production."
Apolicy's changes to source files will be subject to the same approval process as any other change to application or infrastructure-as-code code that developers already use. Organizations can choose to automatically deploy such changes to production, but Vasudevan said that kind of unattended automation remains rare in DevOps shops in his experience.
Once the Apolicy acquisition is complete, Sysdig's roadmap for the combined companies also includes linking its autoremediation features to its Falco-based runtime security tools, to automatically correct infrastructure-as-code security policy violations in production as well as pre-deployment.
"We should be extending this feedback loop from runtime security all the way back to your source files," Vasudevan said.
While still relatively unique in the container runtime security field, autoremediation is also growing in adjacent cybersecurity disciplines, Carielli said -- part of a larger convergence between previously specialized segments of IT security under DevSecOps.
"Right now, it's still happening a lot more at build time than at run time, with static code analysis tools," she said. "Developers were nervous about it at first, but we're seeing it take hold."
In part, DevOps pros have been forced to accept hands-off automation as container infrastructure becomes too complex for manual management, Vasudevan said.
"As container adoption grows, [customers] have to go down the infrastructure-as-code road eventually," he said. "Over the last two to three years, the realization has set in that if you deploy infrastructure through [CI/CD] pipelines automatically versus doing automation manually, you're less likely to make mistakes."
Apolicy infrastructure-as-code security
DevOps pros face build vs. buy decision
While security automation grows in popularity, however, how much traction commercial products will gain over free and open source tools remains to be seen. The integration between runtime security and Apolicy's autoremediation will involve open source components but will be primarily designed for commercial customers, Vasudevan said.
One major Falco early adopter, online retail service provider Shopify, is generally interested in how projects such as Falco and OPA can move beyond rules-based Kubernetes pod security policies, a now-deprecated feature of Kubernetes. But the company still prefers to use the open source version of such tools to build its own security automation workflows.
"In addition to the other measures we use to protect our platform, we've already developed in-house automation around policy enforcement using admission controllers," said Shane Lawrence, staff infrastructure security engineer at Shopify, via email. "Automation is critical to maintaining security at scale, and we're happy to see new features that reduce the effort required to improve security enforcement."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
