Vendorless, Security the Open Source Way

Whether you love or hate the term, ‘serverless’ is one of the hottest new trends in the cloud computing world. Despite what the name may suggest, there are certainly still servers running your code; the real innovation is that you do not need to manage those servers, you simply publish your code to be run by the serverless infrastructure. This architecture is better described as FaaS (functions as a service) or BaaS (backend as a service). Amazon leads this innovation with its Lambda service, and other cloud providers have followed suit, including Google with Google Cloud Functions and Microsoft with Azure Functions.

Of course, this innovation is not restricted to proprietary offerings from large vendors: there are a number of open source projects offering serverless frameworks, including Kubeless, Nuclio, OpenFaaS and OpenWhisk, among many others.

A couple of years ago, if an organization wanted to adopt the serverless architecture, it would have needed to engage with a vendor such as Amazon. Today a growing number of open source projects address that need, which leads me to the subject of this blog.

One of the most common trends we have seen in the industry is one that is rarely spoken about; in fact, it is so common now that it’s really the norm: Vendorless.

To best describe the term let’s walk through the way that most organizations started building their container infrastructure:

  • Linux as the foundation of their infrastructure: Pick your favorite distribution
  • Ansible (or Puppet, Chef, etc) to deploy the infrastructure
  • Docker to run containers
  • Jenkins to run the build pipeline
  • Kubernetes to handle container orchestration
  • Prometheus for monitoring
  • Elasticsearch + Fluentd + Kibana (EFK) for logging and analytics

The common theme here is obviously open source. A few years ago, with the exception of Linux, this list would have looked very different: either built on a monolithic solution from vendors such as IBM and Oracle, or comprised of a number of proprietary products. Today the majority of cloud infrastructure deployments are built using open source solutions.

Getting started with an open source project such as Jenkins is simple: you can download a container image or packages for most Linux distributions and follow the great documentation provided by the upstream project. There are often support forums or online communities using IRC or Slack. To get started you don’t need to call a vendor, sign an NDA, fill out an evaluation request to obtain a time-limited eval key and then be hounded by sales. You can get started without even talking to a vendor.

Most of the container projects we have seen start ‘vendorless’ in this manner. But as deployments move from simple POCs and development environments to production, that is often when vendors do get involved; typically the driver is the need for commercial support or for value-added features. In the Jenkins example above, we see many organizations move from the Jenkins community edition to CloudBees Jenkins Enterprise, or from upstream Kubernetes to Red Hat OpenShift. So thankfully, speaking as a vendor, there is still a role for vendors; however, they typically get involved a little later in the project lifecycle and have to really earn their seat at the table with added features, certifications and support.

While open source solutions have historically provided the core layer of infrastructure, there have been areas in which organizations needed to look at proprietary solutions. The most notable of these is security, which until recently remained the bastion of commercial vendors.

For container infrastructure there are typically two key security needs:

  1. Image Security – Analyzing images to ensure they do not contain vulnerabilities and are in compliance with your organization’s operational and security policies.
  2. Runtime Security – Real-time monitoring of containers to report on or block malicious activity at the network, system or storage layers.

We have spoken at length about the first area, image security, and covered how the open source Anchore Engine can quickly and easily be integrated into your CI/CD pipeline, container registries and Kubernetes infrastructure to ensure that only images that meet your organization’s policies are deployed.

Over the last decade, it has become clear that open source technologies provide the right foundation for infrastructure, and at Anchore we believe that security and analysis tools should be open source so that anyone can inspect the code to validate that the results are fair and accurate. And since security tools are typically granted the highest level of privilege in terms of access to and control of resources, the mantra of “Trust but verify” is especially true here.

With Anchore Engine we ensure that only the right content, from known sources and configured in the right way, is promoted from your CI/CD system and deployed in production. But once deployed, unknown vulnerabilities or misconfigurations can still lead to a container being exploited.

The traditional approach to security monitoring involved looking for known signatures in network traffic, files and so on. This is similar to the approach taken in the early days of antivirus software, where security vendors played an endless game of cat and mouse with virus authors, requiring the antivirus software to be continually updated with new signatures as new viruses were detected in the wild. Over time these solutions evolved to use heuristics in addition to signature matching. The Falco project takes a similar, more behavioral approach to detection. There are many different ways a container could be compromised, each of which would otherwise need to be explicitly monitored for; instead, Falco looks at what happens once an attacker has compromised the container, allowing you to report on and then block anomalous behaviors. For example, why would a reverse proxy container need to write a file into the /bin directory, why would a PostgreSQL container make an outbound network connection, and why would your Redis server spawn a shell process?
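The three examples above map almost directly onto Falco rules. The following rules file is an added illustration written for this post; it is not taken from the Falco project or from Anchore. It assumes Falco’s standard event fields (`evt.type`, `proc.name`, `fd.name`, `container.image.repository` and so on) and defines its own macros rather than relying on the default ruleset, and the image repository names (`nginx`, `postgres`, `redis`) are assumptions standing in for whatever images your environment actually runs.

```yaml
# Added example (not from the original post or the Falco project): three Falco
# rules expressing the behaviours the paragraph above calls out as anomalous.
# Field names are Falco's standard ones; image repository names are assumptions.

# Macros are defined under our own names so this file stands alone and does not
# depend on the macros shipped in the default falco_rules.yaml.
- macro: ex_in_container
  condition: container.id != host

- macro: ex_process_spawned
  condition: evt.type = execve and evt.dir = <

- macro: ex_file_write
  condition: (evt.type in (open, openat) and evt.is_open_write = true and fd.typechar = 'f')

# Completed outbound connect over IPv4/IPv6, excluding loopback and the wildcard address.
- macro: ex_outbound_connect
  condition: >
    (evt.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6)
     and fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8")

# Assumed image names; adjust to the images you actually run.
- macro: ex_reverse_proxy_image
  condition: container.image.repository endswith "nginx"

- macro: ex_postgres_image
  condition: container.image.repository endswith "postgres"

- macro: ex_redis_image
  condition: container.image.repository endswith "redis"

- rule: Reverse proxy writes below /bin
  desc: A reverse proxy container serves traffic; it has no reason to modify system binaries.
  condition: >
    ex_file_write and ex_in_container and ex_reverse_proxy_image
    and fd.name startswith /bin/
  output: >
    File written below /bin in reverse proxy container
    (container=%container.name image=%container.image.repository
    file=%fd.name command=%proc.cmdline user=%user.name)
  priority: ERROR
  tags: [container, filesystem]

- rule: PostgreSQL makes outbound connection
  desc: A database container accepts connections; it should not initiate them.
  condition: ex_outbound_connect and ex_in_container and ex_postgres_image
  output: >
    Outbound connection from PostgreSQL container
    (container=%container.name dest=%fd.sip:%fd.sport command=%proc.cmdline)
  priority: WARNING
  tags: [container, network]

- rule: Shell spawned in Redis container
  desc: Redis runs a single server process and never needs an interactive shell.
  condition: >
    ex_process_spawned and ex_in_container and ex_redis_image
    and proc.name in (sh, bash, dash, ash, zsh)
  output: >
    Shell spawned in Redis container
    (container=%container.name shell=%proc.name parent=%proc.pname
    command=%proc.cmdline user=%user.name)
  priority: CRITICAL
  tags: [container, shell]
```

Load the file with `falco -r <path>` alongside the default rules. Expect to add exceptions before running this in production: a PostgreSQL container doing streaming replication or shipping metrics legitimately opens outbound connections, and an image pulled under a different repository name will silently fall outside the image macros. Tuning those conditions to what your containers actually do is the work that makes the behavioral approach pay off.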

With the addition of Anchore Engine and Sysdig Falco you can build an open and secure container infrastructure.

Introducing Anchore Enterprise 1.1

Today, we’re proud to be announcing the availability of Anchore Enterprise version 1.1. This release of services and software from Anchore will now provide a common framework for users seeking to achieve a secure, compliant container image environment. As container-based deployments are extending further into enterprise infrastructure, our objective has remained the same: provide technology and expertise in the areas of security and operational best-practices enforcement, in order to remove as many barriers as possible toward achieving a fully automated container build process.

With Anchore Enterprise 1.1, we have added some major improvements to core Anchore technology, based on the team’s insights as well as feedback from a growing Anchore user community. We believe that both existing and new users of Anchore will find these updates and additions powerful and easy to use.

Anchore Engine: OSS for Enterprise

At the core of Anchore Enterprise 1.1 is the open-source Anchore Engine. Anchore Engine is a stand-alone service that deploys anywhere that can run a container, providing a broad API for users, clients and CI/CD frameworks alike to request container image content analyses, perform security scans, generate a variety of reports, and execute customizable security and best-practice policy evaluations. Anchore Engine can be used interactively, has been integrated into leading CI/CD frameworks for build-time security enforcement, and provides mechanisms to constantly scan and evaluate policies against your container images as new vulnerabilities are published or your own policy definitions evolve. While the latest Anchore Engine is always freely available as an open-source offering, many enterprise-focused improvements have been introduced since the last Anchore Enterprise release, including:

  • Ability to scale up the Anchore Engine service to accommodate large numbers of image scans, both in aggregate and per unit time
  • Introduction of both OS package (RPM, Debian package, Alpine package) scans and non-OS language package (Node NPM, Ruby Gem, Python, and Java archive) content and security scans
  • Refined policy language, including the ability to tune, in fine detail, security checks and image content checks
  • Extended query capabilities, for obtaining deep information about the contents of container images and their build metadata
  • Enterprise storage integrations against AWS S3, Swift, and other S3 compatible storage back-ends
  • Introduction of an event subsystem that provides detail records for information and error level system events, from the engine
  • Availability of Prometheus metrics, for integration into service monitoring systems that can consume Prometheus data sources
  • Many system improvements largely targeted at processing and reporting against very large container image sets, over time.

The latest version of Anchore Engine is 0.2.4, which is at the core of Anchore Enterprise 1.1.

Anchore Enterprise

New for this release, we’re excited to introduce the Anchore Enterprise UI, which is an on-premises service that provides Anchore users a fully graphical console, accessible via any client browser. The Anchore Enterprise UI console includes:

  • Graphical container image navigation, showing all container registries, repositories, images and image histories in an interface that makes for simple viewing and navigation of the global collection of container images
  • Ability to add new images or entire image repositories via a simple graphical control
  • Complete and deep image overview, including individual controls for reviewing image contents, security scan reports, and policy evaluation results
  • Ability to generate PDF reports for sharing or offline review
  • A graphical changelog application, where users can see at a glance the differences between container images over time, at a fine-grained level of detail
  • An event log viewer, for Anchore operators to see and filter operational events that are being retrieved from the Anchore Engine
  • Container image registry configuration UI, where users can add credentials for public and private image registries, supporting Azure, AWS, Google, and any Docker v2 on-premises registry
  • A policy manager control, to help manage your set of policies for the different phases of your container environment
  • A graphical policy editor for creating, testing and tuning Anchore security, compliance and best-practice enforcement policies

Anchore Enterprise On-prem Services

Full Control Over Vulnerability Data & Air-Gapped Operation

Anchore Enterprise 1.1 includes access to a fully on-premises Anchore Feed Service, which gives users the ability to control the access and update frequency of external vulnerability data. With the inclusion of this service, users can deploy Anchore Enterprise in an air-gapped (limited/manual access to the Internet) environment, to fully support deployments running with strict data provenance and access requirements. The Anchore Feed Service includes:

  • Ability to enable air-gapped installations of Anchore
  • API that is accessible to Anchore Engine seamlessly, for transferring vulnerability and other external data sources
  • API for monitoring the operation of the Feed Service itself

With Anchore Enterprise 1.1, available immediately, we aim to provide organizations who have already deployed a container-based environment, groups in the process of migrating to containers now, and teams planning for the future with a suite of tools and services that provide automated enforcement of security, compliance and best-practice policies, integrated directly in the build process or anywhere container images exist. We sincerely hope you enjoy our latest release, and look forward to working with you!

For more information on requesting a trial, or getting started with Anchore Enterprise 1.1, go to anchore.com/enterprise.