Aqua Security’s Kubernetes Benchmarks Get CIS Approval
The move to cloud native applications and microservices involves a shift in practices along the full lifecycle of an application, from development to deployment. Aqua Security works to provide security across this lifecycle for containers and cloud native applications, across all platforms and clouds, and now the company’s Aqua Container Security Platform (CSP) has been certified by the Center for Internet Security (CIS) Benchmarks to compare the configuration status of Kubernetes clusters against the CIS Kubernetes Benchmark standards.
Providing security for the full lifecycle is essential for containers and cloud native applications, said Rani Osnat, vice president of product marketing at Aqua Security, in an interview with The New Stack.
“Aqua Security is a full lifecycle security solution. In order to secure well, you have to start early in development process. There’s a lot of automation happening and, with the speed at which code gets updated, it’s not something you can handle with a solution that’s an afterthought,” said Osnat. “You lose context and can’t understand what various components do. You need something that’s integrated into CI tools, into image build, into registries and into runtime, including into Kubernetes itself.”
The Aqua Security CSP provides security for container-based and cloud native applications, on-prem and in the cloud, supporting both Linux and Windows runtime environments, across Kubernetes as well as other orchestrators.
The CIS Kubernetes Benchmark consists of 113 specific recommendations, each of which includes a description, rationale, method of audit and remediation, impact, and default value. For example, one of the first recommendations is to “Ensure that the –basic-auth-file argument is not set.” The recommendation explains the reasoning behind this: “Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting API server. The basic authentication is currently supported for convenience. Hence, basic authentication should not be used.”
“Unlike other bodies that issue high-level guidelines, the CIS benchmarks are specific and prescriptive,” explains Osnat. “Aqua Security is the only solution at the moment that has this certification. We underwent some very rigorous testing that checked that what we check for is what CIS benchmark expects and that we provide accurate results on pass/fail scenarios.”
By certifying with CIS, Aqua Security customers can be assured that the results provided by an Aqua Security audit accurately reflect the standards contained within the CIS Kubernetes Benchmark. Curtis Dukes, CIS Executive Vice President of Security Best Practices and Automation Group, cites this as a necessary development for an industry looking to develop a standard that ensures security.
“Cybersecurity challenges are mounting daily, which makes the need for standard configurations imperative,” said Dukes in the Aqua Security statement. “By certifying its product with CIS, Aqua Security has demonstrated its commitment to actively solve the foundational problem of ensuring standard configurations are used throughout a given enterprise.”
Shortly after the CIS Kubernetes Benchmark released a little over a year ago, Aqua Security released kube-bench, and open source tool that performs checks and returns pass/fail results on your cluster. The company’s newly certified offering provides these same results alongside dashboards and more.
Aqua Security is a sponsor of The New Stack.
Feature image: Aqua Security’s Liz Rice at KubeCon + CloudNativeCon 2018.