DevOps Chat: Kubernetes, Security Controls and Aqua Security 3

In this combination DevOps Chat and Security Boulevard Chat, we catch up with Rani Osnat of Aqua Security, one of our favorite folks to interview. Rani brings us up to speed on the latest around Kubernetes, container security controls and the latest version of Aqua Security.

Great conversation.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.



Alan Shimel: Hey, everyone, it’s Alan Shimel, Security Boulevard, Container Journal, and you’re listening to a DevOps Chat. Happy to have, as my cohort today, somewhat of a regular guest—he’s been here before—Rani Osnat, VP, Aqua Security. Rani, welcome.

Rani Osnat: Thank you, Alan. Good morning.

Shimel: So, Rani, you’re sitting at your desk in Israel; I’m sitting here at my desk in Boca Raton, Florida. An inevitable march of containers, as a dominant form of application infrastructure, appears to be moving ahead on all fronts. Lots of new news around Kubernetes and container adoption, and, of course, anytime we’re talking about containers and container adoption, there’s container security involved. What are you seeing from your point of view?

Osnat: So we are seeing a lot of movement in the market. Basically, I would say, a widening of adoption, so lots of new entrants into the space, from the end-user perspective. More and more enterprises getting into the thick of things, obviously, at different stages of adoption, but, you know, very wide interest in adoption, at least at early stages. And then some of the more advanced companies are way, way into production with multiple applications – some of them, hundreds of applications – and I’m not just talking about the Facebooks and Twitters of the world; I’m talking about established Fortune 100 companies that we all know. So –

Shimel: Yeah, no, Rani, I agree. I mean, we’re seeing – I am constantly amazed. It seems that every survey, every analysis that comes out, shows not only greater adoption or intent to adopt containers, but actually using containers in production environments, which, to me, is sort of that last bastion, right? It’s that last – that’s the real credibility. When you’re using this as your production environment, the numbers are phenomenal. I mean, the rate of adoption, the rate of deployment, I don’t remember the VMware Hypervisor thing catching on as quickly as containers.

Osnat: Yeah, I agree. I’ve been in that round of kind of shifts back in the day as well, and I remember it as being a lot slower, and I think there are a few reasons why this is going even faster. One is, obviously, the fact that a lot of this is driven by cloud adoption, cloud migration, hybrid cloud strategies and so forth, so there are drivers that are kind of outside the realm of just the technology, that really make this happen faster.

The other reason, I think, is that the benefits are just overwhelmingly positive. The agility and scalability that these technologies enable, whether it’s containers, micro-services, this whole group of what’s now being coined “cloud-native technologies,” these are all driving a huge amount of benefit to any size organization, but especially the larger ones actually see greater benefits. So I think that’s the reason why we’re seeing all this mass movement, sometimes even at the risk of having things better organized after the fact, whether it’s around security specifically or just around configuration management or processes, right? So they kind of go head in first and then kinda figure it out.

Usually, what we see is the customer starts with one application, not necessarily a business-critical application, but something that is relatively new that they need, and then they figure it out, learn from that, and then move on to more and more critical applications. And, you know, a lot of the companies that we work with are at that stage, where they’re either before deployment of the first application or after deployment of the first application, you know, figuring out how to scale up. And some of them are also in that stage where they’re really already way beyond that and are really migrating, virtually, any application that they can to those platforms.

Shimel: Got it. Got it. So, Rani, couple of things in here, though. You know, recent news items. First of all, we saw Kubernetes graduated, if that’s the – I think that’s the term they used – Kubernetes graduated the Native Cloud Computing Foundation – I don’t know – open-source project incubator or mentorship, or I don’t even know what to call it, but I’m sure you probably saw the news as well. You guys are intimately involved with Native Cloud and Kubernetes, obviously. For our listeners, what exactly does that mean, as far as you know?

Osnat: Yeah, so definitely it’s moved from an open-source – like a pet project, right, that was originally open-source by Google, to something that’s a lot more widely supported and adopted. You know, right now, Kubernetes is at 1.9, with 1.10 planned for release soon, and there’ve been just leaps and bounds of progress over the past year, in terms of its capabilities around everything, really, you can imagine, and stability, scalability, and so forth.

At the same time, you also have a much better ecosystem of companies supporting it, whether it’s actual contribution to the open source – everybody from Google to Microsoft or Red Hat to IBM are behind this. Dell. You know, the list is very long – not just large companies, but also smaller companies and individual contributors. We ourselves also contribute some stuff to the Kubernetes community. We have a tool called “Kube-Bench” which is an open-source tool that enables you to check your cluster against best-practice security configuration, as stated by the CIS benchmark.

So, you know, you have a lot of these things happening all at once, which just created a huge momentum of people both contributing to and using Kubernetes, which, of course, creates this kind of cycle of more contribution, more adoption. And so I think we’re definitely headed down a very good path here. That said, I would say that, in terms of maturity, Kubernetes is probably a teenager or, you know, something like that. I mean, there’re still a lot of things that need to be refined and improved. And there was a very nice roadmap, which is open to everyone because it is an open-source project, and it will continue to improve.

So, you know, if I look at companies making choices today, saying, “Okay, what am I gonna use as my orchestration platform or management platform for my next move into cloud-native applications?” there’s no doubt that we’re going to see much better – you know, we’re gonna see much more commitment towards adopting Kubernetes. We’re going to see – I mean, people have choices today of using supported or managed Kubernetes offerings, from the likes of Red Hat with OpenShift or other firms like Heptio and Platform9, and there’s really a bunch of ’em out there. So there are options, right? You don’t have to do everything yourself; you can get help. But, in terms of making the gamble on what technology to use, that’s probably the winning proposition at the moment. And it seems like a pretty safe bet, right? I mean, the adoption is just so wide that this is probably the de facto standard right now.

Shimel: Understood. Yeah. No doubt about it. Speaking of new releases and continued maturity, you folks over at Aqua Sec released a new version, yeah?

Osnat: Yes, we released version 3.0 of our platform last week. And this has been a culmination of quite a lot of work we have done with customers, as well as some forward-looking work looking at some market trends and things we thought we should pay attention to and support. There are several key themes to this release. The one major theme is really around Kubernetes specifically. We took all of the progress that was made in Kubernetes, especially versions 1.8 and 1.9, which are the two recent ones, and really tried to leverage as much as we can on the security side while adding significant value on top of that. Because, when we look at Kubernetes today, there are a lot of options to provide security controls and there’s a lot of hooks built into it to allow you to do things like segment your network and enforce role-based user access controls and stuff like that, but it takes a lot of knowledge, configuration, and work to get it right.

So we wanna add value by doing something that, first of all, is secure by default, second, is much easier to manage and closes that skill gap because – let’s face it – you’re not gonna go into enterprises today and find a lot of Kubernetes security experts, whether they’re security experts who know Kubernetes or Kubernetes experts who know security. They’re just not out there, so you want to close that gap by providing tools that allow you to do that. And the third is really around a principle that we both know as separation of duties or segregation of duties, which, in the DevOps world, is kind of being blurred and that’s one thing that really should not be blurred, right?

So, even if you have a DevSecOps approach and you have embedded security in your DevOps team and so forth, there still needs to be clear separations between the people who run the cluster and the people who are in charge of securing the cluster, right, so you can’t let the cat guard the cream. Right? It has to be separated. And so we enable that by creating this separation between the people who create the policy, enforce the policy, and the people who actually run the Kubernetes cluster.

Shimel: Got it. Good. And so, Rani, you’re living in such a fast-changing, fast-paced world. Do you classify this as a major new release? Is this just, in the DevOps way, just an iteration? Do we just keep doing iterations pretty rapidly? What is the release cycle at Aqua, for instance?

Osnat: So, yeah, I’ll talk about release cycle in a second, but, it is a major release. The other thing we did was a major architectural change we introduced to our platform, which is to add the ability to support environments. They don’t have a good, cool name today, but, basically, we call them “zero-infrastructure” or “VM-less” environments. Those are basically container-as-a-service offerings that are run by Amazon and Azure, at the moment. At Amazon, it’s called “AWS Fargate”; at Azure, it’s called “Azure Container Instances,” ACI. And these are new services that were introduced late last year, where the user or customer doesn’t need to manage any clusters or any hosts or nodes or infrastructure, so, basically, they say, “I wanna run a container,” and they run a container. Where that container runs, they don’t know. Right? That’s managed by the cloud service provider.

And this introduces a new challenge to the space because our own approach, as well as the approach of most other vendors in our space, whether in security monitoring or storage, has been to use the model known as a “sidecar container,” where you deploy a container that looks at all the other containers on the same host and provides control points. So, if you’re running 30 containers on a VM, you add one more container which is, we call it, the “Aqua Enforcer,” and that’s how we actually do our runtime security. And the same goes for many other vendors in our space.

That model doesn’t work with these services because there is no host, as far as you know, right? You don’t know what it is. It’s completely virtualized. So the solution, in this case, is to embed the control code, the security code, into the image itself so that, when you run the container, it’s kind of a self-policing container. And we call this technology the “Micro Enforcer,” and that’s another thing we introduced in Aqua 3.0, and that is a completely new architecture that we support, side by side, with the previous architecture. We still think the sidecar container is the right approach for the vast majority of deployments, but we have to be ready for those Fargate and ACI deployment types. And I’m sure there’s gonna be more of those coming from other cloud providers.

Shimel: Absolutely.

Osnat: So, yes, so it is a major version. In general, we work with very Agile methods ourselves here at Aqua. Everything is containerized. We do use CI/CD pipeline tools, et cetera, for our own releases. And, in terms of formal releases, we usually have one every couple of months, but, in between, we do sprints where we offer customers minor updates that are both bug fixes as well as new features that are added, but we don’t necessarily announce them as a release.

Shimel: Got it. And that’s kind of the DevOps way, right? When you’re doing continuous improvement, continuous delivery, to start doing announcements and hullabaloo over every new feature that gets added – well, I guess it’s good for the PR agencies, right?

Osnat: Yeah. [Chuckles] Well, there’s only so much you can announce, right? I mean, the market only takes –

Shimel: Yeah, it desensitizes people.

Osnat: – so much. You can’t announce a new version every month. It’s just not – you know, it gets a bit tired.

Shimel: So, Rani, here we are in the middle of March, heading to April, and, this year, April is RSA season. It’s usually the end of February, but it’s a little later. What are your plans for RSA?

Osnat: So, first of all, we’re sponsoring the DevOps Day at RSA, the –

Shimel: DevSecOps Days?

Osnat: DevSecOps Day, yeah.

Shimel: Yep.

Osnat: Which is the Monday, right, the first week of – the first day of the week of RSA.

Shimel: Yep. In Moscone Center.

Osnat: Where – yep, where we expect probably well over 1,500 people to attend.

Shimel: Through the day, yes.

Osnat: Through the day. We think that’s the right forum for us at RSA. RSA obviously draws a huge crowd of security professionals, but, as both you and I know, most of what these security professionals are concerned with today has to do with more traditional – you know, I don’t wanna sound too conceited, but yesterday’s threats, right? So –

Shimel: Well, I thought you were gonna say most of ’em were more concerned about how many women were keynoting, but that’s a whole ‘nother story.

Osnat: Maybe.

Shimel: So, you know, I have an interesting take on that, though, Rani. Yes, while many of the 50,000 expected people to come to RSA this year maybe take a more, let’s all call it, “traditional” approach to security that is a lot about network security, a lot about endpoint security, consumer security, if you will – you know what? – I think DevSecOps is mainstream. I do think app-sec is mainstream. I think containerized security or container security is becoming mainstream. So, while all 50,000 may not be worried about how to secure their Kubernetes and container infrastructure today, I think it’s on their radar, and they’ve gotta start thinking about it because it’s going to be the infrastructure they deploy on, going forward. So –

Osnat: I’ll have to disagree with you somewhat, maybe on semantics, but –

Shimel: Okay. Symantec _____ _____.

Osnat: Not Symantec, but semantics.

Shimel: [Laughs] I gotcha.

Osnat: [Laughs] But, yeah, I think, you know, I wouldn’t call it mainstream yet. I think it’s getting into the mainstream. I think there’re a lot of people interested in it, for sure, but, if you look at the overall security – you know, the body of security professionals that’s there, we’re probably talking about maybe ten percent who are relevant to our business right now, which is probably a significant increase from last year, right? So I do see this evolving. I do see this developing. I can tell you that, last year at RSA, we had a container security talk, which was put at – it was Thursday at 3:00 PM, right? One of the session tracks, which is – at Thursday at 3:00 PM –

Shimel: Kind of a bad time, yeah.

Osnat: Yeah, that’s like the time when you start dismantling your booth.

Shimel: Exactly. People are on their way to the airport.

Osnat: The expo is shutting down.

Shimel: Yep.

Osnat: And so we thought maybe 50 people will show up. We had 450 people show up.

Shimel: Yeah. So that’s why – you know what? I disagree with you, Rani. I think it’s more than ten percent and I’m gonna hold you to it. I’m gonna go back to some of our RSA folks and ask them if they’ve done any kind of research into how many people are concerned or interested in container security.

Osnat: No, I’m just saying, you know, 450 people is great on a Thursday, for sure, but it’s still one –

Shimel: Sure. That was _____ –

Osnat: But it’s still one percent of the attendees, right? It’s not keynote material yet.

Shimel: Well, look, they’ve got enough trouble with keynotes.

Osnat: One step at a time, yeah.

Shimel: Yes. I am proud to say, though, that 50 percent of the people presenting at DevSecOps Days are, in fact, women.

Osnat: That’s great.

Shimel: Yeah. We have actually a very diverse – now RSA approves and, in essence, picks the speakers, so it goes to show that there are women out there who, at least on the topic of DevSecOps – maybe we’re lucky that way – we have a lot of great, talented women who will be there, and that, again, is Monday. Of course, you need to be registered for RSA. You could go to, if you’re listening to this, and get a free pass for RSA Expo, which will get you into the DevSecOps event. Rani, but we’ll also see you Tuesday. We’ll have a luncheon on “Security at the Speed of DevOps” around DevSecOps – hopefully, you’re participating. And, of course, Wednesday is the security bloggers meet-up – I hope I’ll see you there as well.

Osnat: Sure.

Shimel: As always, it’s not a party without Rani.

Osnat: [Chuckles]

Shimel: But, you know, Rani, we’re actually well over our time already today – I apologize for going so late – but thanks for joining us. Hope to have you on another chat soon.

Osnat: Thank you, Alan.

Shimel: Thank you. Rani Osnat, VP, Aqua Security here on DevOps Chat with Alan Shimel. We’ll see you soon, everyone, on another DevOps Chat. Have a great day.

Alan Shimel

As Editor-in-chief of and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" ( Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
