Leading enterprises continue to adopt containers and Kubernetes at a growing pace because container technology provides developers with scalability and portability. According to statistics from a recent survey led by The New Stack, “Sixty-nine percent of organizations surveyed by CNCF use Kubernetes to manage containers.”1 Infrastructure and operations teams continue to rely on Kubernetes to manage their cloud native applications.
Throughout our partner network, we see innovation happening both up and down the technology stack and across the application lifecycle. This past year, Oracle has continued to innovate and offer more tools for enterprises to build and scale cloud native applications. Oracle has announced both the Oracle Cloud Infrastructure Registry (OCIR) and the Oracle Container Engine for Kubernetes (OKE). Twistlock is proud to be an official partner with Oracle and presented on stage with Oracle at Oracle Code One 2018 with a talk titled Container Registry 2.0: Enabling Enterprise Container Deployments.
Integrating security with OCIR
Oracle offers developers and devops teams the ability to store their container images in their registry named Oracle Cloud Infrastructure Registry (OCIR). Because OCIR is a Docker v2 registry, Twistlock seamlessly integrates with OCIR to identify every image that has been pushed along with all vulnerability and compliance issues identified with each image.
In the example screenshot above, Twistlock has scanned over a dozen images and identified vulnerabilities and compliance issues by severity level. Twistlock will continuously monitor and scan the registry any time a new image is identified. Drilling deeper, Twistlock can surface information about the vulnerabilities in each image, along with a description of the issue and whether or not there is a vendor fix available.
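Because the integration rides on the Docker v2 registry API, the image enumeration Twistlock performs against OCIR can be reproduced by hand. The script below is an added example, not Twistlock or Oracle code: it walks the paginated `/v2/_catalog` and `/v2/<name>/tags/list` endpoints and resolves every tag to its content digest, which is the identifier worth tracking because a tag can be re-pointed after the image it named was scanned. The registry it talks to is a constructed in-memory fake (the `acme/*` repositories and digests are made up) so it runs offline; against OCIR you would supply a `fetch` that authenticates with your tenancy's auth token and issues the same requests over HTTPS.

```python
"""Enumerate every image in a Docker v2 registry and pin each tag to its digest.

Added example (not Twistlock or Oracle code). A real registry such as OCIR is
reached over HTTPS with a bearer/basic token; here `fetch` is a constructed
in-memory fake so the script runs offline. Only the v2 API paths, query
parameters and headers are real.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Asking for the schema-2 manifest makes the registry answer with the
# content-addressable Docker-Content-Digest header for that tag.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# fetch(path, accept_header_or_None) -> (http_status, response_headers, json_body)
Fetcher = Callable[[str, Optional[str]], Tuple[int, Dict[str, str], dict]]

_NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def _paginate(fetch: Fetcher, path: Optional[str], key: str) -> List[str]:
    """Collect body[key] across pages, following Link: <...>; rel="next"
    (RFC 5988) until the registry stops handing out a next page."""
    items: List[str] = []
    while path:
        status, headers, body = fetch(path, None)
        if status != 200:
            raise RuntimeError(f"GET {path} -> HTTP {status}")
        items.extend(body.get(key) or [])
        m = _NEXT_LINK.search(headers.get("Link", ""))
        path = m.group(1) if m else None
    return items


def list_repositories(fetch: Fetcher) -> List[str]:
    # n= is the page size; a small value here exercises the pagination path.
    return _paginate(fetch, "/v2/_catalog?n=2", "repositories")


def list_tags(fetch: Fetcher, repo: str) -> List[str]:
    return _paginate(fetch, f"/v2/{repo}/tags/list?n=2", "tags")


def resolve_digest(fetch: Fetcher, repo: str, tag: str) -> str:
    status, headers, _ = fetch(f"/v2/{repo}/manifests/{tag}", MANIFEST_V2)
    if status != 200:
        raise RuntimeError(f"{repo}:{tag} -> HTTP {status}")
    return headers["Docker-Content-Digest"]


def inventory(fetch: Fetcher) -> Dict[str, str]:
    """repo:tag -> sha256 digest for every image in the registry. Track the
    digest, not the tag: a tag can be re-pointed at a different image after
    the scan that approved it."""
    return {f"{repo}:{tag}": resolve_digest(fetch, repo, tag)
            for repo in list_repositories(fetch)
            for tag in list_tags(fetch, repo)}


# ---- constructed fake registry standing in for OCIR in this offline run ----
FAKE_REPOS = {
    "acme/payment":  {"0.4.3": "sha256:" + "a" * 64, "0.4.4": "sha256:" + "b" * 64},
    "acme/frontend": {"1.0.0": "sha256:" + "c" * 64},
    "acme/worker":   {"2.1.0": "sha256:" + "d" * 64},
}


def fake_fetch(path: str, accept: Optional[str]):
    url = urlparse(path)
    q = parse_qs(url.query)
    n, last = int(q.get("n", ["100"])[0]), q.get("last", [None])[0]

    def page(names, key, base):
        # Registry pagination: sorted names strictly after `last`, at most n per page.
        names = sorted(x for x in names if last is None or x > last)
        chunk, headers = names[:n], {}
        if names[n:]:
            headers["Link"] = f'<{base}?n={n}&last={chunk[-1]}>; rel="next"'
        return 200, headers, {key: chunk}

    if url.path == "/v2/_catalog":
        return page(FAKE_REPOS, "repositories", "/v2/_catalog")
    m = re.fullmatch(r"/v2/(.+)/tags/list", url.path)
    if m and m.group(1) in FAKE_REPOS:
        return page(FAKE_REPOS[m.group(1)], "tags", f"/v2/{m.group(1)}/tags/list")
    m = re.fullmatch(r"/v2/(.+)/manifests/([^/]+)", url.path)
    if m and accept == MANIFEST_V2 and m.group(2) in FAKE_REPOS.get(m.group(1), {}):
        return 200, {"Docker-Content-Digest": FAKE_REPOS[m.group(1)][m.group(2)]}, {"schemaVersion": 2}
    return 404, {}, {"errors": [{"code": "NAME_UNKNOWN"}]}


if __name__ == "__main__":
    for ref, digest in sorted(inventory(fake_fetch).items()):
        print(f"{ref:28} {digest}")
```

The page size of 2 is deliberately tiny so the `Link` header path is exercised; a scanner that ignores pagination silently misses every repository past the first page, which is exactly the kind of gap that lets an unscanned image reach production.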
In the image shown in the screenshot above, Twistlock has identified several vulnerabilities impacting nodejs and the Vendor Status with corresponding fixes.
Additionally, Twistlock will identify any compliance issues, including requirements from the Docker, Kubernetes, or Linux CIS Benchmarks, as well as custom policy criteria. An example is shown in the following screenshot:
By continuously monitoring every image in OCIR, Twistlock gives you assurance that the images you deploy have been scanned against your vulnerability and compliance policy before they reach production.
Security for Oracle Container Engine for Kubernetes (OKE)
As soon as you deploy an application on OKE, Twistlock automatically identifies all the microservices present and builds 4D whitelist models across file system, processes, network activity, and system calls. Simultaneously, Twistlock builds a real-time visualization of all the microservices that make up your Kubernetes applications. This visualization, which we call Twistlock Radar, allows you to see all of the pods that make up your applications as well as which pods or services are connected to one another:
Additionally, Twistlock surfaces vulnerability and compliance status that is updated in real time whenever a running container changes. For example, the screenshot above shows a microservice named payment:0.4.3 with several Critical, High, and Medium severity vulnerabilities. Users can also leverage Twistlock to automatically prevent containers from being deployed into their environments based on several criteria, such as a vulnerability threshold.
Network security: Microsegmentation and firewalling
Twistlock protection includes not just our automatically generated whitelist models but also two automatically deployed firewalls:
- CNAF is a layer 7 web application firewall (WAF) that can protect any container that handles web requests.
- CNNF is a layer 3 firewall that automatically models inter-container traffic. As part of our automatic behavioral learning at runtime, Twistlock builds out a topology of connections from one container to another.
In the Radar view in the above screenshot, you can see both layer 3 and layer 7 firewalls deployed on the Kubernetes application. CNAF has been deployed on the front-end microservice while CNNF has learned traffic between pods.
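To make the whitelist-model idea concrete, here is an added example (not Twistlock code, and a drastic simplification of it) of a learn-then-enforce baseline covering two of the four dimensions described above, processes and inter-service connections, plus the service graph that a Radar-style view draws from the learned CNNF topology. The `frontend`, `payment`, `catalog` and `db` services and every event are constructed; a real sensor would source them from kernel exec and connect events and resolve peer addresses to Kubernetes services.

```python
"""Learn-then-enforce whitelist model for two of the four runtime dimensions
(processes and network connections) plus the service topology Radar draws.

Added example, not Twistlock code: the events are constructed, and a real
sensor would source them from the kernel (execve, connect) and resolve peer
IPs to Kubernetes services. File-system and syscall dimensions are omitted.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    service: str   # Kubernetes workload the container belongs to
    kind: str      # "process" (detail = executable path) or "connect" (detail = "dst:port")
    detail: str


@dataclass
class Model:
    processes: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    edges: Set[Tuple[str, str, int]] = field(default_factory=set)   # (src, dst, port)


def _edge(e: Event) -> Tuple[str, str, int]:
    dst, port = e.detail.rsplit(":", 1)
    return (e.service, dst, int(port))


def learn(events: List[Event]) -> Model:
    """Learning mode: everything observed becomes part of the whitelist, so the
    learning window must be free of compromise (and long enough to see cron-style
    activity) or the model will bless the attacker's behaviour."""
    model = Model()
    for e in events:
        if e.kind == "process":
            model.processes[e.service].add(e.detail)
        elif e.kind == "connect":
            model.edges.add(_edge(e))
    return model


def enforce(model: Model, events: List[Event]) -> List[str]:
    """Enforcement mode: anything outside the learned model is an alert (a layer 3
    firewall built on the same edges would drop the connection instead)."""
    alerts = []
    for e in events:
        if e.kind == "process" and e.detail not in model.processes.get(e.service, set()):
            alerts.append(f"{e.service}: unexpected process {e.detail}")
        elif e.kind == "connect" and _edge(e) not in model.edges:
            alerts.append(f"{e.service}: unexpected connection to {e.detail}")
    return alerts


def topology(model: Model) -> Dict[str, Set[str]]:
    """Service-to-service adjacency, i.e. the graph a Radar-style view renders."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _ in model.edges:
        graph[src].add(dst)
    return dict(graph)


# Constructed learning window for a three-tier app (frontend -> payment/catalog -> db).
LEARNING_EVENTS = [
    Event("frontend", "process", "/usr/local/bin/node"),
    Event("frontend", "connect", "payment:8080"),
    Event("frontend", "connect", "catalog:8080"),
    Event("payment", "process", "/usr/local/bin/node"),
    Event("payment", "connect", "db:5432"),
    Event("catalog", "process", "/usr/local/bin/node"),
    Event("catalog", "connect", "db:5432"),
]

# Constructed enforcement window: normal traffic plus a shell spawned in the
# payment container that opens a reverse connection to an outside address.
RUNTIME_EVENTS = [
    Event("frontend", "connect", "payment:8080"),
    Event("payment", "process", "/bin/sh"),
    Event("payment", "connect", "203.0.113.10:4444"),
    Event("payment", "connect", "db:5432"),
]

if __name__ == "__main__":
    model = learn(LEARNING_EVENTS)
    for alert in enforce(model, RUNTIME_EVENTS):
        print(alert)
```

The important operational caveat is in `learn`: a whitelist learned from a window that already contains attacker activity will whitelist the attacker, so the learning period has to be trusted and the model reviewed before enforcement is switched on.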
Managing vulnerabilities and compliance at runtime
While scanning images as part of the build and within the registry is important, vulnerabilities and compliance issues also need to be tracked in what is actually running. Oracle users get up-to-date visibility into both with Twistlock Vulnerability Explorer and Compliance Explorer. For example, Vulnerability Explorer stack-ranks every vulnerability in your environment, with the ability to see a top 10 list of the highest-risk CVEs or to search for any CVE.
In order to prioritize your efforts and fix vulnerabilities that truly impact your environment, Twistlock provides a proprietary Risk Score, including Risk Factors and Vendor Fix status, for all vulnerabilities in your running applications:
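An added example (not Twistlock code) of how the two ideas above fit together: ranking every CVE in the environment by a risk score that accounts for risk factors and vendor fix status, then gating deployment on a severity threshold as described in the OKE section. The weights in `risk_score` are an illustrative assumption, not Twistlock's proprietary formula, and the scan report, image names and `CVE-0000-*` identifiers are constructed placeholders.

```python
"""Rank vulnerabilities across an environment and gate deployments on them.

Added example, not Twistlock code. The weights in risk_score are an
illustrative stand-in for Twistlock's proprietary Risk Score (an assumption),
and the scan report is constructed (the CVE ids are placeholders, not real
identifiers).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Vuln:
    cve: str
    severity: str
    package: str
    fix_available: bool            # vendor fix status
    cvss: float
    factors: Set[str] = field(default_factory=set)   # e.g. internet-exposed, remote-exec, running


def risk_score(v: Vuln) -> float:
    """Illustrative weighting (assumption): CVSS as the base, boosted by risk
    factors that make the bug reachable in *your* environment, and slightly by
    the existence of a vendor fix because that is work you can actually do today."""
    score = v.cvss
    score += 2.0 if "internet-exposed" in v.factors else 0.0
    score += 1.5 if "remote-exec" in v.factors else 0.0
    score += 1.0 if "running" in v.factors else 0.0   # an image only sitting in the registry counts less
    score += 0.5 if v.fix_available else 0.0
    return round(score, 2)


def environment_top(report: Dict[str, List[Vuln]], n: int = 10) -> List[Tuple[str, float, int]]:
    """Stack-rank every CVE in the environment: (cve, highest score seen, images affected)."""
    best: Dict[str, float] = defaultdict(float)
    images: Dict[str, Set[str]] = defaultdict(set)
    for image, vulns in report.items():
        for v in vulns:
            best[v.cve] = max(best[v.cve], risk_score(v))
            images[v.cve].add(image)
    ranked = sorted(best, key=lambda c: (-best[c], c))
    return [(c, best[c], len(images[c])) for c in ranked[:n]]


def admit(vulns: List[Vuln], threshold: str = "high", require_fix: bool = True) -> Tuple[bool, List[str]]:
    """Deployment gate. Deny when any vulnerability is at or above `threshold`.
    With require_fix=True, unfixable findings do not block (they still rank above),
    so teams are not stuck behind issues they cannot remediate yet."""
    bar = SEVERITY_RANK[threshold]
    blocking = sorted(v.cve for v in vulns
                      if SEVERITY_RANK[v.severity] >= bar and (v.fix_available or not require_fix))
    return (not blocking, blocking)


# Constructed scan report for two running images; CVE ids are placeholders.
SAMPLE_REPORT = {
    "payment:0.4.3": [
        Vuln("CVE-0000-1001", "critical", "nodejs", True, 9.8, {"internet-exposed", "remote-exec", "running"}),
        Vuln("CVE-0000-1002", "high", "openssl", False, 7.5, {"running"}),
        Vuln("CVE-0000-1003", "medium", "bash", True, 5.3),
        Vuln("CVE-0000-1004", "high", "nodejs", True, 8.1, {"running"}),
    ],
    "frontend:1.0.0": [
        Vuln("CVE-0000-1002", "high", "openssl", False, 7.5, {"internet-exposed", "running"}),
    ],
}

if __name__ == "__main__":
    for cve, score, count in environment_top(SAMPLE_REPORT):
        print(f"{cve}  score={score:<5} images={count}")
    for image, vulns in SAMPLE_REPORT.items():
        ok, blocking = admit(vulns)
        print(f"{image}: {'admit' if ok else 'deny ' + str(blocking)}")
```

Note the split between the two functions: the ranking decides what a human works on first (the same CVE scores higher on the internet-exposed frontend than on the internal payment service), while the gate is a simple severity threshold with a vendor-fix qualifier, because a policy that blocks on findings nobody can fix yet just trains teams to bypass it.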
We’re proud to be a partner with Oracle
Twistlock is proud to be an official partner with Oracle helping customers secure their containerized applications on Oracle Cloud Infrastructure.
To learn more about how Twistlock and Oracle work together to secure cloud native applications, check out our video presentation from Oracle World 2018 titled Container Registry 2.0: Enabling Enterprise Container Deployments.
1. The New Stack: What the Data Says About Kubernetes Deployment Patterns