Container security tools now act a lot like tools from traditional IT security vendors. And as cloud infrastructure proliferates, IT pros could look to industry newcomers to secure legacy infrastructure, in addition to cutting-edge applications.
Twistlock and Aqua Security — two companies that began with a strict container security focus — expanded their support for security scans and policy enforcement on container hosts this week, along with further support for cloud computing services such as AWS Fargate and serverless functions.
At this time in 2018, most industry analysts predicted that traditional IT software vendors would snap up container security specialists, which also include Sysdig and NeuVector. Despite enterprise users’ trust, those legacy vendors lag in trends such as container orchestration and serverless computing.
However, with the exception of Qualys, which acquired Layered Insight in October 2018, incumbent IT vendors such as Trend Micro, Palo Alto Networks and CloudPassage added their own container security features instead of buying specialist startups. Now, those specialist startups have backfilled support for legacy infrastructure with host support — and the race is on between the two camps to win enterprise business.
“The host side is still required to a certain extent, but we’re getting more and more abstracted away from it,” said Travis Jeppson, director of engineering at Nav Inc., a fintech company in Draper, Utah.
Nav uses Twistlock and a trial deployment of Sysdig for container security, along with tools such as Qualys and configuration management scans to ensure host security. But Jeppson said Twistlock’s support for host security policy enforcement will probably replace the other host security tools.
“We don’t run our own hardware anymore. And how long ago did cloud even become a thing?” he said. “The host is not as important as containers for us going forward.”
“[This support] would make a transition to more of a managed Kubernetes solution a lot less painful,” he said.
Container security becomes a commodity — then what?
Most IT security vendors can now check boxes that say they support the same types of IT infrastructures: hosts, containers, orchestration platforms, and highly abstracted and function-based cloud services. For forward-thinking IT shops such as Nav, the real differentiation between container security tools has become much more subtle.
Sysdig, for example, focuses on compliance policy enforcement and forensics, in addition to container security and container monitoring, and it added compliance enforcement templates this week specifically for Kubernetes and Red Hat OpenShift. Twistlock also has brushed up its security forensics capabilities, with a custom runtime rule language that supports host log parsing for forensics purposes. But Sysdig’s deeper experience in this area really shows, Jeppson said.
Travis Jeppsondirector of engineering, Nav Inc.
“Sysdig can narrow search results very quickly to pinpoint the timing of events within forensics data,” Jeppson said. “It can use this data to pinpoint the timing of events even if an attacker deleted the history or the container they used. You can still view their activity in the system calls.”
However, Nav’s Sysdig trial deployment is about to expire, and the company has used Twistlock in production for two years. It also uses Qualys tools that can satisfy auditors’ requirements. Twistlock’s appeal to Nav is more about security than compliance, and its ability to enforce fine-grained security policies with its own cloud-native firewall feature is unique among competitors, Jeppson said.
“Twistlock and Sysdig both got into the game early, but they’re still very relevant to understand what the [IT security market] looks like and how it’s changing,” Jeppson said. “It’s the ancillary feature sets above the basics of hosts, containers and compliance that have the most value.”
While container security tools capitalize on the latest IT trends, vendor expansion to cover hosts also shows that enterprises aren’t prepared to leave legacy infrastructure completely behind.
“It shows the reality that, in many cases, what customers need isn’t just a high-end focus on Kubernetes and Istio, but the more mundane host and VM,” said Fernando Montenegro, analyst at 451 Research. “The majority of organizations will have VMs and containers, and hybrid workloads on premises and in the cloud, for a long time.”