Container security tools push multi-cloud closer to reality

Container portability across clouds is the holy grail of IT management for many enterprises, but it takes more than multi-cloud Kubernetes compatibility to get there.

Early adopters of multi-cloud infrastructures can handle the initial Kubernetes setup on their own with open source software. But as the complexity of multi-cloud management sets in, they turn to container security tools from third-party specialists, such as Aqua Security, Twistlock and StackRox. These tools consolidate security monitoring into one interface as containers become too numerous and too spread out across cloud data centers to scan for vulnerabilities manually. They also provide alerts, request blocking and container quarantine features that help users quickly address container security issues.

Mux Inc., a video streaming startup that serves media giants such as CBS and PBS, is one such early adopter of container security tools in a multi-cloud environment. The company runs thousands of containers for its video data analytics and video streaming services, and it set up container infrastructure with the kops open source management tool for Kubernetes on Amazon and Google public clouds. But, as workloads grew, Mux DevOps engineers quickly became overwhelmed with container image security scanning and security incident response.

“As our services have grown, we’ve gotten more and more enterprise contracts, which have required more enterprise security audits and compliance,” said Adam Brown, co-founder of Mux in San Francisco. “We wanted something we could drop in to what we have with minimal friction, that offered the quickest turnaround time to know what’s broken and triage vulnerabilities as quickly as possible.”

Mux evaluated Aqua Security, Twistlock and StackRox, and it opted for StackRox based on its easy deployment and its management interface.

StackRox software is installed as a privileged Kubernetes DaemonSet that monitors system calls at the host kernel layer, creates dashboards and issues alerts as it detects potential security vulnerabilities among containers. For Mux engineers, StackRox offered a balance between fine-grained container security data collection and simple quarantine and response procedures that cut through the noise of the growing container environment.

“We like the way StackRox ranks vulnerabilities by severity — not just for containers, but network services, as well,” Brown said.

For now, his team is less interested in automated responses to anomalous container behavior than in dashboards that quickly pinpoint areas to investigate manually.

“We have a lot of flux in our current infrastructure, as it is still an early and rapidly evolving product. So, we don’t want to cause more problems for ourselves by terminating legitimate traffic until things are very stable,” Brown said.

Figure: Aqua Security Workload Explorer. Aqua Security’s Workload Explorer distills Kubernetes cluster monitoring into a simplified visual interface in an appeal to DevOps pros.

Enterprises face paradox of choice with container security tools

As a small company without a separate IT security team, Mux faced few internal political hurdles in selecting its container security tool, and it was able to pick the one it felt offered the best developer experience and simplest interface.

Container security tool selection is more difficult for large enterprise companies with IT security teams and DevOps teams that share responsibility for applications in containers. For these buyers, specialized container security tools also fight for attention against incumbent IT security vendors, such as Trend Micro, that added container support in 2018 — all while enterprises struggle internally to achieve cooperation between DevOps and security teams.

Aqua says its user base of large enterprises demands not only more advanced automation features for containers, but also support for serverless security, which the company now offers in version 3.5 of its Container Security Platform (CSP) released this week. Aqua CSP 3.5 includes more granular policy enforcement and role-based access control features, as well as a Workload Explorer visualization tool to simplify container security monitoring in complex Kubernetes environments.

Unfortunately for IT buyers, no tool exists to manage the market’s complexity the way container security tools manage complex vulnerabilities in Kubernetes clusters.

“It makes me think of the idea of the paradox of choice in economics, that too many choices may make buyers less happy with their selection and may actually lead to fewer purchases,” said Fernando Montenegro, analyst at 451 Research, referring to a 2004 book by American psychologist Barry Schwartz.

The market will need more time for container security tool vendors to rise to the top of buyers’ radar and for security decisions to be concentrated within smaller, centralized DevSecOps teams, Montenegro said.