Startup Twistlock addresses these challenges with security and vulnerability management tools to reduce the risk of using containers. Twistlock's security solution for containerized computing primarily addresses three areas today:
- Vulnerability management, with an integrated intelligence stream of the latest CVEs and security standards.
- Security hardening for containers, their contents, and the fabrics they run on.
- Advanced authentication and authorization capabilities, including Kerberos support and role-based access control.
According to Twistlock, its solution secures the entire lifecycle of containerized apps, from development to test to production, across all the environments they run in, including development workstations, private clouds and public clouds. A unique aspect of the solution is that it, too, is containerized, running as an agentless privileged container side by side with your application.
This is not an agent that you install on the host OS, nor is it something you have to install in your container. Taking this approach enables Twistlock to run completely independently of whatever infrastructure you deploy containers on. Anywhere you can deploy a container, Twistlock says it can protect those containers in a consistent way.
For all the places you would be deploying containers in your environment, you have a Twistlock container called a Container Defender deployed on every host you are going to be working with. This ensures that any other application that you add on top of that host is going to be monitored and protected by that Container Defender.
Your developers don't have to do anything for this capability to work; they just start building their application, package it and deploy it as they normally would. They don’t have to change their application, install an agent, build their container with a particular flag, integrate one of Twistlock's libraries, or anything like that. They literally build their app, deploy it like they normally would, and the Container Defender is able to look inside that container and make security decisions.
Some of those security decisions might be about vulnerabilities (CVEs). The Twistlock Security Intelligence Stream provides near-real-time consolidation of CVEs and recommended configurations from open source, vendor and governmental data sources. Twistlock's cloud service consumes, parses, validates, and combines all this data into a single feed for Twistlock to send to its customers.
You can set up a scan of your environment to automatically inspect what applications have what binaries in them and what in those containers makes it vulnerable to a particular CVE. Now you have the ability to look inside your containers and understand your risk posture, and then make vulnerability management decisions like whether to replace containers that are high risk.
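The matching step described above (a consolidated CVE feed compared against the package inventory extracted from each container image, followed by a replace-or-keep decision) looks roughly like the following. This is an added illustration, not Twistlock's scanner or feed format: the feed entries, CVE identifiers (placeholders of the form CVE-0000-000x), package inventories and severity threshold are all constructed for the example.

```python
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CVE feed (placeholder IDs, not real CVE numbers): for each
# advisory, the affected package and the first version carrying the fix.
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.0.2g", "severity": "high"},
    {"id": "CVE-0000-0002", "package": "bash", "fixed_in": "4.3.30", "severity": "critical"},
    {"id": "CVE-0000-0003", "package": "zlib", "fixed_in": "1.2.8", "severity": "medium"},
]

# Constructed package inventories, as a scanner would extract them from image layers.
IMAGES = {
    "web-frontend": {"openssl": "1.0.2f", "bash": "4.3", "zlib": "1.2.8"},
    "api": {"openssl": "1.0.2h", "bash": "4.4"},
}


def parse_version(version):
    """Split a version string into comparable tokens.

    Numeric runs compare numerically, letter runs lexically. Tagging each token
    with a type keeps tuple comparison well-defined for strings like '1.0.2g',
    and a plain '1.0.2' correctly sorts before '1.0.2a'.
    """
    tokens = []
    for run in re.findall(r"\d+|[A-Za-z]+", version):
        tokens.append((0, int(run)) if run.isdigit() else (1, run))
    return tuple(tokens)


def is_vulnerable(installed, fixed_in):
    """A package is affected when its installed version predates the fixing release."""
    return parse_version(installed) < parse_version(fixed_in)


def scan_image(inventory, feed):
    """Match one image's package inventory against the consolidated feed."""
    findings = []
    for entry in feed:
        installed = inventory.get(entry["package"])
        if installed is not None and is_vulnerable(installed, entry["fixed_in"]):
            findings.append({**entry, "installed": installed})
    return findings


def scan_all(images, feed):
    return {name: scan_image(inventory, feed) for name, inventory in images.items()}


def worst_severity(findings):
    """Highest severity among the findings, or None for a clean image."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


def should_replace(findings, threshold="high"):
    """Vulnerability-management decision: flag images at or above the threshold."""
    worst = worst_severity(findings)
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]


if __name__ == "__main__":
    for name, findings in scan_all(IMAGES, CVE_FEED).items():
        print(f"{name}: {len(findings)} finding(s), worst={worst_severity(findings)}, "
              f"replace={should_replace(findings)}")
        for f in findings:
            print(f"  {f['id']} {f['package']} {f['installed']} < {f['fixed_in']} [{f['severity']}]")
```

The version comparison is deliberately generic; a real scanner has to honour each distribution's own version ordering and backported fixes, which is exactly why the feed's "recommended configurations" and vendor data matter as much as the raw CVE list.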
Another Twistlock capability is security hardening, to make sure the environments you are running your containers on are configured properly to give you the maximum level of defense against risks to your underlying environment. In the Twistlock console, there is a policy user interface where you can select benchmark policies that will control your environment. The selected policies are consistently enforced by the Container Defender wherever you run your containers.
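To make the idea of benchmark policies enforced per container concrete, here is an added example of a small policy evaluator. It is not Twistlock's policy engine or policy format: the policy set is modelled on common container-hardening controls (no privileged mode, no host PID or network namespace, non-root user, read-only root filesystem, no sensitive host mounts, no-new-privileges), and the two container configurations it evaluates are constructed, with field names chosen for the example rather than taken from any runtime's API.

```python
# Host paths that a workload container should not mount (constructed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock")


def _mount_is_sensitive(source):
    """True if a bind-mount source is, or lies under, a sensitive host path."""
    source = source.rstrip("/") or "/"
    for path in SENSITIVE_HOST_PATHS:
        if source == path or (path != "/" and source.startswith(path + "/")):
            return True
    return False


# Each policy: (id, description, predicate that returns True when compliant).
POLICIES = [
    ("no-privileged", "must not run in privileged mode",
     lambda c: not c.get("privileged", False)),
    ("no-host-pid", "must not share the host PID namespace",
     lambda c: c.get("pid_mode") != "host"),
    ("no-host-network", "must not share the host network namespace",
     lambda c: c.get("network_mode") != "host"),
    ("non-root-user", "must run as a non-root user",
     lambda c: c.get("user") not in (None, "", "root", "0")),
    ("readonly-rootfs", "must use a read-only root filesystem",
     lambda c: c.get("read_only_rootfs", False)),
    ("no-sensitive-mounts", "must not mount sensitive host paths",
     lambda c: not any(_mount_is_sensitive(m["source"]) for m in c.get("mounts", []))),
    ("no-new-privileges", "must set no-new-privileges",
     lambda c: "no-new-privileges" in c.get("security_opt", [])),
]


def evaluate(container):
    """Return the list of (policy id, description) the container violates."""
    return [(pid, desc) for pid, desc, ok in POLICIES if not ok(container)]


def enforce(container, mode="block"):
    """Decision a defender would make at start-up: allow, or block/alert on violations."""
    violations = evaluate(container)
    if not violations:
        return "allow"
    return "block" if mode == "block" else "alert"


# Constructed configurations: a legacy container with weak settings and a hardened one.
WEAK = {
    "name": "legacy-app", "privileged": True, "pid_mode": "host", "user": "root",
    "read_only_rootfs": False,
    "mounts": [{"source": "/var/run/docker.sock", "target": "/var/run/docker.sock"}],
    "security_opt": [],
}
HARDENED = {
    "name": "web", "privileged": False, "pid_mode": "private", "network_mode": "bridge",
    "user": "10001", "read_only_rootfs": True,
    "mounts": [{"source": "/srv/web/static", "target": "/usr/share/nginx/html"}],
    "security_opt": ["no-new-privileges"],
}

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(f"{cfg['name']}: {enforce(cfg)}")
        for pid, desc in evaluate(cfg):
            print(f"  {pid}: {desc}")
```

Running the evaluator on every host is what makes the policy "consistent": the same predicate set yields the same verdict regardless of which developer built the image or which cloud runs it, and the alert-versus-block mode is the knob that separates an audit roll-out from enforcement.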