Sysdig and Apolicy: Automating cloud and Kubernetes security with IaC security and auto-remediation
Today, Sysdig has completed the acquisition of Apolicy to enable our customers to secure their infrastructure as code. I am very pleased to see the Apolicy team become part of the Sysdig family, bringing rich security DNA to our company. Our customers now can shift security further left and manage risk when configuring their cloud and Kubernetes infrastructure with IaC security. Apolicy’s unique differentiation lies in simplified policy management across IaC, cloud and Kubernetes environments by leveraging policy as code via Open Policy Agent (OPA) and auto-remediation workflows. This allows customers to strengthen their Kubernetes and cloud security and close the gap from production to source. Apolicy is now a key pillar of Sysdig’s Secure Devops platform that unifies security, compliance and monitoring across containers, Kubernetes and cloud. There are two major forces shaping modern software development. The first is the shift towards microservices leveraging containers, Kubernetes and public cloud services. The second is the adoption of a DevOps culture and processes to build and deploy software continuously. These two forces require a radically different approach to ensure secure and reliable software. This has been our founding mission from the outset with our Secure DevOps Platform which focuses on three key themes:
- Shift-left security. Adoption of CI/CD methodologies requires software vulnerabilities and misconfigurations to be identified and remediated as part of the software development pipeline, well before software is deployed into production.
- Runtime security. Modern applications are composed by stitching together thousands of containerized services, often ephemeral, and public cloud resources. Comprehensive protection requires deep runtime visibility, behavioral threat detection, policy adherence, threat prevention and incident response. Further, runtime security findings should be remediated earlier in the software lifecycle, creating a virtuous cycle between shift-left security and runtime security.
- Continuous compliance. Risk and governance teams need to meet regulatory compliance mandates and internal risk management policies, not just in response to audits but on a continual basis. The ideal solution would automate the mapping of compliance policies to specific security controls, track regressions in real time, and integrate with ticketing systems to enable compliance without adversely impacting developer productivity.
IAC security is key to Secure DevOps, motivating the acquisition of ApolicyThe increasing adoption of DevOps and CI/CD tools has seen application developers release code much more frequently. In tandem, pipeline integrated image scanning to block vulnerabilities from making their way into production software is a well accepted best practice, with hundreds of customers deploying this as a core use case of the Sysdig Secure DevOps Platform. The same principles are now being applied by DevOps teams to deploy and manage infrastructure. Infrastructure as code and GitOps are founded on a few key principles:
- Infrastructure state is defined as version controlled code (YAML, Terraform, etc.) in a source code repository such as Git
- Any changes to infrastructure are achieved through pull requests that change the source files
- Once approved and merged, pull requests will reconfigure and synchronize production infrastructure to match the state defined in the source repository
Apolicy’s “source to production IAC security” is highly differentiatedWhen we dug into Apolicy’s approach, it became clear that they were addressing IAC security in a unique and highly differentiated manner. Apolicy’s philosophy has been to comprehensively address configuration risks from source to production, and some of their key differentiators include the following:
- Automated drift remediation between source and production. Apolicy detects any configuration that violates policy in production. Far more importantly, Apolicy maps the configuration to the applicable IAC source file and automatically creates a pull request to modify the source file. This automated workflow improves DevOps productivity and ensures that remediations can be applied consistently across all production environments.
- Risk prioritization. Apolicy has a deep understanding of the application context, and leverages this to map configuration errors to impacted production instances and impacted applications. This allows security and compliance teams to prioritize issues based on risk and reduce the number of alerts.
- Policy as code using OPA. Apolicy leverages OPA which has become the OSS standard for configuration policies much like Falco has become the OSS standard for runtime policies. Apolicy has a comprehensive set of out of the box (OOB) policies to automate compliance and governance that can be applied to and enforced across multiple IAC, Kubernetes and cloud environments to enable scalability and consistency across the organization.