Sysdig Aims for IaC Auto-Remediation with Apolicy Acquisition
Cloud security company Sysdig has begun the process of acquiring Apolicy as part of its efforts to continue shifting left its suite of security products, adding to the Sysdig platform the ability to not only parse Infrastructure-as-Code (IAC) configuration files for errors but also to help prioritize and remediate any issues found.
Apolicy is built on top of the now-graduated Cloud Native Computing Foundation (CNCF) project Open Policy Agent (OPA), but Sysdig CEO Suresh Vasudevan explained that it was how Apolicy moved beyond OPA’s basic functionality that drew them to the product.
“Most companies that do infrastructure as code don’t even go as far as what they have done in using OPA or being able to parse a variety of different source files for Kubernetes environments. What we found fascinating, and the big driver of the acquisition, was really what they’ve done for auto-remediation,” Vasudevan said. “What Apolicy is able to do is to say, ‘Okay, here’s a misconfiguration that I’ve seen in my production instance,’ and instead of just pointing that up to the security teams and the DevOps teams, what they’re able to do is to recognize the specific YAML file or the source file that maps to that production incident, and create the actual fix.”
Vasudevan noted that Sysdig had already followed the shift-left trend of DevOps development practices, with its container image scanning and Cloud Security Posture Management (CSPM) tools, and that the move to acquire Apolicy was following the similar trend of GitOps, wherein these infrastructure-as-code files were being stored in Git-based repositories. With DevOps teams now tasked with writing IAC files, the ability to parse those files for errors, and now remediate those errors, also moves into the realm of those same teams. Apolicy brings the ability to fix errors directly into the GitOps workflow, he said.
“Instead of just surfacing up 1,000 errors and saying, ‘Here are all the errors that you need to go fix,’ they actually create the pull request so that if a developer just says ‘Yes, this is the correct fix,’ approving it, and it automatically gets deployed in production,” said Vasudevan.
Once the acquisition is complete and Apolicy is fully integrated into the Sysdig platform, which Vasudevan estimated to take place within the next two to three months, it will bring Sysdig users a few specific pieces of functionality.
First, Apolicy will provide the ability to enforce compliance and governance via policy as code, helping customers to meet regulations such as SOC 2, HIPAA, and PCI. Next, Apolicy will help users to detect runtime drift and automatically return the configuration back to the IaC source stored in their central repository. And finally, alerts regarding misconfigurations, and their associated fixes, will be presented to the user according to their priority.
“Imagine that I have a cluster with 10,000 nodes and basically every day, I’m covering a few hundred configuration errors,” Vasudevan said. “Even if I automate the pull request and create a JIRA task for the developer to look at, it doesn’t take away the fact that I’m dealing with 500 of those. What Apolicy does is, it looks at the severity of the configuration errors, automating the process of fixing and then prioritizing that based on which fixes address high-risk problems and which fixes address low-risk problems.”
While the addition of Apolicy’s functionality is significant for Sysdig, Vasudevan explained that the true potential is the combination of Apolicy with its existing tools moving forward. He said that Apolicy “dramatically” strengthens Sysdig’s ability to secure Kubernetes and CSPM by bringing policy as code, but that its potential also lies in adding auto-remediation to the Falco runtime security tooling.
“If Falco detects a runtime violation that we know needs to be corrected by making some other configuration changes, even Falco detections can use this remediation workflow so that we can correct it, not just in your production environment, but all the way in your source code files, as well,” said Vasudevan. “So, it’s very complimentary to CSPM, and it introduces IaC security to our workflow, but it also brings a capability that we can use in different parts of our product.”
Upon completion of the acquisition, the entire Apolicy team will join the Sysdig team, and the product will become part of the Sysdig Secure DevOps Platform.