Aqua Security Introduces Industry’s First Serverless Function Assurance for Securing Serverless Environments
March 4, 2019Aqua Security announced
today the availability of version 4.0 of the Aqua cloud native security
platform, introducing new security and compliance controls for serverless
functions and Linux hosts. As enterprise development and deployment of cloud
native microservices-based applications continue to accelerate, Aqua enables
security teams to manage and enforce security policies across a blend of
VM-based containers, Containers-as-a-Service (CaaS) and Function-as-a-Service
(FaaS) spanning both multi-cloud and on-premises environments.
Gartner
Distinguished VP Analyst, Neil MacDonald, notes that “securing serverless will force information security and risk
professionals to focus on the areas we retain control over. Specifically, the
integrity and assurance of the code, identities of the code and developers,
permissioning, and serverless configuration, including network connectivity.”
Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts, scan them for vulnerabilities, detect excessive permissions and configuration issues, and provide function assurance – preventing the execution of untrusted or high-risk functions based on defined policies. The key controls for serverless environments include:
- Functions discovery: Creating an inventory of functions stored across cloud accounts.
- Vulnerability scanning: Deep scanning of a functions packages and dependencies for known vulnerabilities (CVEs), based on multiple sources and supporting multiple programming languages.
- CI/CD Integration: “Shifting left” beyond scanning existing functions, Aqua provides development teams with plug-ins for Continuous Integration environments to detect security issues as functions are being built.
- Permissions Assessment: Identifying use of excessive or over-provisioned permissions specific to the serverless cloud environment, and monitoring for unused permissions -reducing the potential attack surface of a function.
- Sensitive Data Assessment: Detecting secrets and hard-coded keys within the functions themselves, or within environment variables, specific to the cloud environment – for instance AWS credentials or Azure Authentication keys.
- Function assurance: Security teams can set policies to determine the risk threshold to allow or disallow function execution, based on a variety of factors including CVE severity, CVSS score, sensitive data, and permissions.
-
Function anomaly detection: Monitoring of
function usage patterns and alerting on sudden spikes in the frequency or
duration of function execution.
Another
significant addition to the Aqua platform is tighter controls to secure the
Linux hosts that run containers. This addresses potential risks from
vulnerabilities such as the one discovered earlier this year when a severe new
vulnerability (CVE-2019-5736) was disclosed in runc, a component used in
most container runtimes which is part of Linux OS distributions, highlighting
the need for securing the container stack at both the workload and host levels.
“The
new technologies supporting cloud native applications require a holistic
approach to security and compliance, across the application lifecycle as well
as up and down the stack, and this has become more evident in recent months
with significant vulnerabilities discovered in Kubernetes and runc for
example,” notes Amir Jerbi, CTO and co-founder at Aqua Security. “With this new
release from Aqua, our customers can protect their applications against those,
as well as yet undiscovered vulnerabilities by implementing tight compliance
and whitelisting-based zero-trust security.”
Aqua 4.0 builds on previous Aqua host protections that already included testing hosts according to CIS (Center for Internet Security) benchmarks, scanning hosts for known vulnerabilities, and monitoring user logins, to provide:
- Malware Scanning: Detecting malware in the host OS, or any of its components.
- Vulnerability scanning: Scanning for CVEs found in the host OS, or any of its components.
- Whitelisted and Blacklisted Users and OS Packages: Security teams can specify which types of users and OS packages are either allowed or forbidden from being used on a host.
- User Activity Monitoring: Aqua now logs all user commands on the host OS for security and compliance tracking (in addition to the previously available user logins and login attempts tracking).
- CIS Benchmarks Testing: Having achieved CIS certification for its Kubernetes benchmark, Aqua now provide detailed information on each benchmark test success/failure to provide teams with remediation information.
- Custom Benchmark Scripts: Enabling the upload of scripts that customize benchmarks to account for configurations that aren’t supported in the standard CIS benchmarks, including Kubernetes clusters on Red Hat OpenShift.
-
Host Assurance: Allowing to set
policies that will determine a threshold for host compliance and security risk
based on the results of the above scans and checks and generate alerts and
audit events upon policy violations.
Aqua CSP v4.0 will be generally available in mid-March for existing customers and new deployments.