One of the more interesting customers we’ve been working with at Twistlock is ClearDATA, a company that provides secure, managed services for healthcare providers on AWS. Healthcare organizations have to meet significant regulatory and compliance management requirements which often make them slower to adopt cloud technology. These same organizations are also faced with huge amounts of sensitive data to manage, customers demanding easier ways to work with them, and increasing competition. ClearDATA helps by providing a secure, managed cloud deployment that allows them to balance these competing needs. The providers get all the agility, cost savings, and capabilities of the cloud, while ClearDATA makes sure they leverage the security capabilities of AWS to meet their needs by using HITRUST processes and controls.
Recently, ClearDATA began building a new set of products and service offerings that allow health providers to run Docker containers using AWS EC2 Container Service (ECS). As before, ClearDATA makes sure the underlying platform complies with HIPAA regulations so the health providers can focus on building apps for their patients and customers. Twistlock has long supported the ECS team, dating back to the original release of the EC2 Container Registry, so we were happy to help with this opportunity as well.
ClearDATA’s initial interest was in Twistlock’s vulnerability and compliance management features. Using these, they can create rules that prevent the deployment of images with high severity CVEs or that fail to meet internal compliance standards. Once they learned about Twistlock’s runtime defense capabilities, they began to use these to extend protection and compliance across running environments. For example, with Twistlock, ClearDATA is able to block any container that attempts to run a process as root in a HIPAA compliant environment. Below, we share a bit more about how this is accomplished.
ClearDATA’s initial architecture was already using Weave for advanced networking in their ECS deployment. They wanted to keep all the control and visibility Weave provides and the automation and scaling that ECS enables, while adding Twistlock’s capabilities on top. Since the ECS agent talks to Weave via a Unix socket, what we needed to work out was the right place for Twistlock in this flow, such that ECS could still provide orchestration while Weave provided software-defined networking.
ClearDATA had already been mounting the Weave Unix socket into the ECS agent as /var/run/docker.sock, so the agent’s Docker calls were already passing through Weave’s Docker API proxy. What we did was configure Weave to forward those calls to the Twistlock Defender over the Defender’s standard TCP socket, rather than directly to the Docker Engine. Weave takes this setting from the WEAVEPROXY_DOCKER_ARGS environment variable, which allows it to be provisioned and managed consistently across the environment. The flow looks like this:
1. The user sends a Docker command.
2. The ECS agent receives it.
3. The agent sends it through /var/run/docker.sock, which is the Weave proxy socket.
4. Weave forwards it over a TCP socket to Twistlock, where it is checked against policy.
5. Twistlock passes it to the Docker Engine, which executes it.
Once these settings were in place, we created a new compliance rule in Twistlock to block containers running as root and then attempted to run a container that violated this rule. The commands flowed as expected and the container was prevented from starting:
$ docker -H /var/run/weave/weave.sock run -ti morello/docker-whale
docker: Error response from daemon: [Twistlock] Operation blocked. Action container_create violates policy john-ecs-weave-compliance-rule - Container is running as root.
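To show what a check at that point in the flow looks like, here is an added example of a policy decision applied to the Docker Engine API create request before it is forwarded to the engine. It is written for this post and is not Twistlock’s Defender code or ClearDATA’s configuration. It assumes a proxy sitting where the Defender sits in the flow above (between the Weave socket and the Docker Engine), inspects only POST …/containers/create, and uses a hypothetical rule name, a constructed pair of requests, and the Engine’s {"message": …} error shape for the denial.

```python
"""Illustrative Docker Engine API policy check: deny container creation as root.

Constructed for this example; not Twistlock's Defender or ClearDATA's setup. A
proxy placed where the Defender sits in the post's flow would run check_request()
on each request before forwarding it to the Docker Engine.
"""
import json

# Only the create action is inspected; matching on the path suffix ignores the
# versioned prefix that real clients send (e.g. /v1.24/containers/create).
CREATE_SUFFIX = "/containers/create"

# Hypothetical rule name, standing in for the rule named in the post's output.
RULE_NAME = "example-ecs-weave-compliance-rule"


def runs_as_root(user):
    """True if a Docker `User` value resolves to uid 0.

    Docker accepts "name", "name:group", "uid" or "uid:gid". An empty value
    defers to the image's USER instruction, which defaults to root; since the
    image config is not consulted here, empty is treated as root (the
    conservative choice for a deny rule). Only the user half is examined.
    """
    user_part = user.split(":", 1)[0].strip()
    if user_part in ("", "root"):
        return True
    return user_part.isdigit() and int(user_part) == 0


def check_request(method, path, body):
    """Return (allowed, reason) for one Engine API request.

    Requests other than POST .../containers/create pass through untouched,
    mirroring the post, where only the container_create action is blocked.
    """
    bare_path = path.split("?", 1)[0]
    if method.upper() != "POST" or not bare_path.endswith(CREATE_SUFFIX):
        return True, ""
    try:
        config = json.loads(body or b"{}")
    except ValueError:
        # A body the proxy cannot parse is a body it cannot evaluate: deny.
        return False, "Action container_create rejected - request body is not valid JSON."
    if not isinstance(config, dict):
        return False, "Action container_create rejected - request body is not a JSON object."
    user = config.get("User", "")
    if not isinstance(user, str):
        return False, "Action container_create rejected - User field is not a string."
    if runs_as_root(user):
        return False, ("[Policy] Operation blocked. Action container_create violates "
                       "policy " + RULE_NAME + " - Container is running as root.")
    return True, ""


def deny_response(reason):
    """Build the HTTP 403 a client such as `docker run` would see, using the
    JSON error shape the Engine itself returns ({"message": ...})."""
    payload = json.dumps({"message": reason}).encode("utf-8")
    headers = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n")
    return headers.encode("ascii") + payload


def handle_raw_request(raw):
    """Parse a raw HTTP/1.1 request as read from the upstream socket and return
    the 403 response to send back, or None when the request may be forwarded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return deny_response("Malformed request line.")
    allowed, reason = check_request(parts[0], parts[1], body)
    return None if allowed else deny_response(reason)


if __name__ == "__main__":
    # Constructed requests: the first mirrors the post's `docker run` of an image
    # with no USER set, the second runs the same image as uid 1000.
    ROOT_CREATE = (b"POST /v1.24/containers/create HTTP/1.1\r\n"
                   b"Host: docker\r\nContent-Type: application/json\r\n\r\n"
                   b'{"Image": "morello/docker-whale", "Cmd": ["/bin/sh"]}')
    USER_CREATE = (b"POST /v1.24/containers/create?name=whale HTTP/1.1\r\n"
                   b"Host: docker\r\nContent-Type: application/json\r\n\r\n"
                   b'{"Image": "morello/docker-whale", "User": "1000:1000"}')
    for label, req in (("root", ROOT_CREATE), ("uid 1000", USER_CREATE)):
        resp = handle_raw_request(req)
        print(label, "->", "forwarded" if resp is None else resp.decode())
```

The design choice worth noting is the handling of an absent or empty User: the create request alone does not say what the image’s USER instruction is, so a proxy that cannot consult the image config has to treat empty as root or it will wave through exactly the case in the output above. A check that also resolves the image’s configured user would be stricter about which containers it lets through, but would need access to the image metadata behind the Engine.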
This is an example of how open systems and standards can help organizations build sophisticated solutions to meet their needs.
Attend Managing Compliance in Container Environments to hear Twistlock CTO John Morello and ClearDATA Senior Director of Cloud Architecture Adam Greenfield discuss how to enforce security and compliance measures in your container environment.