Today, we announced that Sysdig is acquiring Apolicy to enable our customers to secure their infrastructure as code. I could not be more excited because the innovation that Apolicy brings to bear is unique and highly differentiated, allowing customers to strengthen their Kubernetes and cloud security and compliance by leveraging policy as code and automated remediation workflows that close the gap from source to production. Apolicy is a key building block to delivering on our secure DevOps vision, and the Apolicy team also strengthens Sysdig’s deep expertise in Kubernetes and cloud security.
There are two major forces shaping modern software development. The first is the shift towards microservices leveraging containers, Kubernetes and public cloud services. The second is the adoption of a DevOps culture and processes to build and deploy software continuously. These two forces require a radically different approach to ensure secure and reliable software. This has been our founding mission from the outset with our Secure DevOps Platform which focuses on three key themes:
Shift-left security. Adoption of CI/CD methodologies requires software vulnerabilities and misconfigurations to be identified and remediated as part of the software development pipeline, well before software is deployed into production.
Runtime security. Modern applications are composed by stitching together thousands of containerized services, often ephemeral, and public cloud resources. Comprehensive protection requires deep runtime visibility, behavioral threat detection, policy adherence, threat prevention and incident response. Further, runtime security findings should be remediated earlier in the software lifecycle, creating a virtuous cycle between shift-left security and runtime security.
- Continuous compliance. Risk and governance teams need to meet regulatory compliance mandates and internal risk management policies, not just in response to audits but on a continual basis. The ideal solution would automate the mapping of compliance policies to specific security controls, track regressions in real time, and integrate with ticketing systems to enable compliance without adversely impacting developer productivity.
IAC security is key to Secure DevOps, motivating the acquisition of Apolicy
The increasing adoption of DevOps and CI/CD tools has seen application developers release code much more frequently. In tandem, pipeline integrated image scanning to block vulnerabilities from making their way into production software is a well accepted best practice, with hundreds of customers deploying this as a core use case of the Sysdig Secure DevOps Platform.
The same principles are now being applied by DevOps teams to deploy and manage infrastructure. Infrastructure as code and GitOps are founded on a few key principles:
Infrastructure state is defined as version controlled code (YAML, Terraform, etc.) in a source code repository such as Git
Any changes to infrastructure are achieved through pull requests that change the source files
- Once approved and merged, pull requests will reconfigure and synchronize production infrastructure to match the state defined in the source repository
IAC is rapidly gaining ground because it offers a path towards higher resiliency through better operational control. IAC also offers the promise of much better security and compliance by identifying and eliminating configuration risks before infrastructure is deployed in production. The acquisition of Apolicy allows us to translate this potential into reality.
Apolicy’s “source to production IAC security” is highly differentiated
When we dug into Apolicy’s approach, it became clear that they were addressing IAC security in a unique and highly differentiated manner. Apolicy’s philosophy has been to comprehensively address configuration risks from source to production, and some of their key differentiators include the following:
Automated drift remediation between source and production. Apolicy detects any configuration that violates policy in production. Far more importantly, Apolicy maps the configuration to the applicable IAC source file and automatically creates a pull request to modify the source file. This automated workflow improves DevOps productivity and ensures that remediations can be applied consistently across all production environments.
Risk prioritization. Apolicy has a deep understanding of the application context, and leverages this to map configuration errors to impacted production instances and impacted applications. This allows security and compliance teams to prioritize issues based on risk and reduce the number of alerts.
- Policy as code using OPA. Apolicy leverages OPA which has become the OSS standard for configuration policies much like Falco has become the OSS standard for runtime policies. Apolicy has a comprehensive set of out of the box (OOB) policies to automate compliance and governance that can be applied to and enforced across multiple IAC, Kubernetes and cloud environments to enable scalability and consistency across the organization.
Apolicy’s IAC security strengthens our KSPM (Kubernetes Security Posture Management) and CSPM (Cloud Security Posture Management) offerings and complements the other use cases we address with our Secure DevOps platform, including image scanning, runtime visibility, threat detection and response, and regulatory compliance.
2020 marks a watershed moment as the adoption of containers and cloud has become a priority even for the most “cloud-skeptical” enterprises. This has in turn caused an urgent need to address container and cloud security risks, the biggest barrier to deploying modern cloud applications. Addressing this need requires a Secure DevOps approach that ensures visibility, security and compliance from source to production. This belief fuels us and our desire to innovate at a rapid pace so that our customers can confidently run their modern cloud applications.