You've likely never heard of Aqua, but if you're interested in container security then you'll probably soon be hearing a lot more about this Israeli security startup.
The people behind Aqua believe not only that they can bring the security that's needed and currently lacking in Docker, but also that there's an opportunity for containers to be made more secure than monolithic apps can ever be.
So who are the people behind the company? It turns out that they have security pedigrees: Dror Davidoff, the CEO, was previously at McAfee, and Amir Jerbi, the CTO, was chief architect of CA's host-based access control products.
Investors include Shlomo Kramer, co-founder of Check Point and founder of Imperva, and Michael Fey, president and COO of Blue Coat (now part of Symantec) and former COO of McAfee.
So that's the people, but what about the product?
Providing Security to Containers Throughout Their Lifecycles
It turns out that Aqua is designed to provide security to containers throughout their lifecycles.
The first stage is the now familiar image scanning, which identifies any security issues or known vulnerabilities in a container image when it is built. Trustworthy images are then signed. Docker and others do something similar.
Then as containers continue in their lifecycle to QA and testing, the containers are "profiled" as Jerbi puts it.
"We take measurements of what happens when the container is running, so that when it is in production, we have information to see if the container is running abnormally or is displaying signs of malicious activity," he says.
What kind of abnormal behavior? Jerbi gives the example of a database container that would normally only receive incoming connections.
"If it suddenly starts opening outbound connections, then that would be detected and prevented," he says. "If new executables are running in a container then that could be injected code, or if a file is suddenly accessing or moving more files than normal, then that would raise a red flag."
In those circumstances administrators can be alerted, or mitigations can be activated: the system can freeze the container, cut its network connection, or stop the container from running certain processes.
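The profile-then-detect model Jerbi describes can be illustrated with a small behavioural baseline. The code below is an added example, not Aqua's code or anything from its product: it learns what a database container did during a QA run (which executables ran, which direction its connections went, how many files it touched per window) and then checks production events against that baseline, mapping each anomaly class to one of the mitigations the text mentions. The event format, field names, thresholds and the mitigation mapping are all assumptions made for this illustration, and the event records are constructed sample data.

```python
"""Behavioural baseline ("profile") for a container, and anomaly detection against it.

Added example, not Aqua's code. Event format, thresholds and the mitigation
mapping are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Constructed sample events from the QA/test ("profiling") phase of a database container.
# Each event is (kind, detail):
#   "exec"  -> path of a process that started
#   "conn"  -> direction of a network connection ("inbound" / "outbound")
#   "file"  -> number of files touched in one observation window
PROFILING_EVENTS = [
    ("exec", "/usr/sbin/mysqld"),
    ("exec", "/bin/sh"),
    ("conn", "inbound"),
    ("conn", "inbound"),
    ("file", 12),
    ("file", 20),
    ("file", 18),
]

# Constructed production events: one outbound connection, one binary never seen in QA,
# and one burst of file activity well above the QA maximum.
PRODUCTION_EVENTS = [
    ("conn", "inbound"),
    ("conn", "outbound"),
    ("exec", "/usr/sbin/mysqld"),
    ("exec", "/tmp/unknown-binary"),
    ("file", 15),
    ("file", 400),
]

# Assumed mapping from anomaly class to the responses the article lists
# (freeze the container, cut its network, stop a process).
MITIGATIONS = {
    "unexpected_connection": "cut_network",
    "unknown_executable": "stop_process",
    "file_activity_spike": "freeze_container",
}


@dataclass
class Profile:
    """What 'normal' looked like while the container was under test."""
    executables: set = field(default_factory=set)
    connection_directions: set = field(default_factory=set)
    max_files_per_window: int = 0


def build_profile(events):
    """Learn the baseline from the profiling phase."""
    profile = Profile()
    for kind, detail in events:
        if kind == "exec":
            profile.executables.add(detail)
        elif kind == "conn":
            profile.connection_directions.add(detail)
        elif kind == "file":
            profile.max_files_per_window = max(profile.max_files_per_window, detail)
    return profile


def detect(profile, events, file_spike_factor=3):
    """Return (anomaly_class, detail, mitigation) for each event outside the profile.

    file_spike_factor is an assumed tolerance: file activity counts as a spike only
    when it exceeds the QA maximum by that factor, to absorb normal load variation.
    """
    alerts = []
    for kind, detail in events:
        if kind == "exec" and detail not in profile.executables:
            alerts.append(("unknown_executable", detail, MITIGATIONS["unknown_executable"]))
        elif kind == "conn" and detail not in profile.connection_directions:
            alerts.append(("unexpected_connection", detail, MITIGATIONS["unexpected_connection"]))
        elif kind == "file" and detail > profile.max_files_per_window * file_spike_factor:
            alerts.append(("file_activity_spike", detail, MITIGATIONS["file_activity_spike"]))
    return alerts


if __name__ == "__main__":
    baseline = build_profile(PROFILING_EVENTS)
    for alert in detect(baseline, PRODUCTION_EVENTS):
        print(alert)
```

The caveat a practitioner would want: the baseline is only as complete as the QA run that produced it. A legitimate code path that was never exercised in testing (a backup job that opens an outbound connection, say) will look like an anomaly in production, which is why a profile like this is normally run in alert-only mode first and only switched to enforcing mitigations once the false-positive rate is understood.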
Aqua provides other security measures too: it can restrict and enforce namespaces as well as restrict access to root and access to system calls.
It can also apply the least privilege principle to container access to operating system and network resources. And it can enforce runtime parameters.
How Aqua Is Deployed for Container Security
The product itself is deployed as a management console that integrates with image registries and also with existing monitoring solutions. Alongside that an Aqua agent (which is actually a container in its own right) is deployed on each container host (Linux or Windows) to keep an eye out for trouble.
And finally Aqua has its own threat intelligence feed in the cloud — called Container Cyber Intelligence — that provides the product with information such as malicious IPs that should be blocked.
The information is aggregated from Aqua staff and from open source intelligence feeds and some commercial solutions too, according to Jerbi.
Aqua's product went GA more than six weeks ago and already has paying customers, Jerbi says. Pricing is done on a per-agent basis, with a single agent costing over $1000, but with the usual discounts for larger users.
"Companies that benefit the most are web scale infrastructure companies, and we see Fortune 1000 companies adopting Docker. They have the highest security demands and they are the companies we are targeting," he adds.
Is There Really a Need for Aqua?
Now we've talked before in this column about how container security has not been as strong as it needs to be, and how Docker has recently stepped up to the plate and begun to raise the bar — to mix some sporting metaphors.
So is there really any need for Aqua (and all the other container startups that are appearing)?
"We expect some security issues to be fixed by platform providers, but there are pure security issues that won't be dealt with by the platform," says Jerbi. "It's the same with databases: they are getting better but there is still room for a security layer. Or VMware: it has made many security acquisitions, but there are plenty of special security products for VMs."
If that's the case then Aqua would appear to have a very promising future indeed.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.