Aqua Security’s platform protects your virtual machine (VM) workloads by integrating security checks throughout the VM lifecycle, from build to runtime.
Let’s see Aqua in action. Imagine you have a VM image in your registry that you want to deploy. Before it even gets to your VM infrastructure, Aqua can scan it.
aqua image scan --image vmware.io/my-app:latest --host vmware.io/my-app:latest
This command would output a report detailing vulnerabilities, malware, and misconfigurations found in the vmware.io/my-app:latest image. If critical vulnerabilities are found, Aqua can be configured to prevent the deployment of that image entirely.
Once the VM is running, Aqua’s agent, called the Nautilus enforcer, provides runtime protection. This enforcer monitors VM activity for suspicious behavior.
Consider a VM running a web server. If an attacker tries to exploit a vulnerability in the web server software to gain shell access and execute arbitrary commands, Aqua’s Nautilus enforcer can detect this.
The enforcer operates by creating a lightweight, kernel-level monitoring layer. It intercepts system calls made by processes within the VM. For example, if a web server process suddenly attempts to open a network socket to an unusual IP address or tries to execute a shell command that it has never executed before, the enforcer flags this as potentially malicious.
Aqua’s solution addresses the challenge of securing dynamic and diverse VM environments. Traditional VM security often relies on perimeter defenses or agent-based solutions that are heavy and difficult to manage. Aqua shifts security left, integrating it into the CI/CD pipeline, and then provides continuous runtime visibility and enforcement. It focuses on the actual artifacts and running processes, rather than just the VM’s network presence.
The core problem Aqua solves is the gap between the static security of an image and the dynamic, often unpredictable, nature of a running VM. By embedding security checks directly into the build process and then monitoring runtime behavior, Aqua provides a layered defense. It ensures that the VM image is secure from the start and that the running VM behaves as expected, preventing zero-day exploits or insider threats from causing damage.
Aqua’s runtime protection capabilities are not just about detecting known bad behaviors. They also leverage behavioral anomaly detection. The Nautilus enforcer learns the normal activity patterns of applications running within the VM. This includes the system calls they make, the files they access, and the network connections they establish. When a process deviates significantly from its learned baseline, Aqua can trigger an alert or even terminate the process. This is particularly effective against novel threats that haven’t yet been cataloged in vulnerability databases.
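The baseline-and-deviation logic described in the two passages above (system-call interception and learned per-process behaviour), as an added illustration that is not Aqua's code and does not use Aqua's APIs: a per-process allow-set is learned from a window of constructed events, later events that fall outside it are flagged, and a shell execution from the web-server process is escalated from "alert" to "terminate". Event tuples, process names and paths are constructed sample data.

```python
from collections import defaultdict

# Constructed sample telemetry (not real Aqua output): (process, event, target).
# The learning window captures what the web server normally does.
LEARNING_EVENTS = [
    ("nginx", "exec", "/usr/sbin/nginx"),
    ("nginx", "open", "/etc/nginx/nginx.conf"),
    ("nginx", "open", "/var/www/html/index.html"),
    ("nginx", "connect", "10.0.0.5:5432"),   # application database
    ("nginx", "open", "/var/www/html/index.html"),
]

# Later runtime window: one baseline event and three deviations.
RUNTIME_EVENTS = [
    ("nginx", "open", "/var/www/html/index.html"),   # in baseline
    ("nginx", "exec", "/bin/sh"),                    # shell never executed before
    ("nginx", "connect", "203.0.113.7:443"),         # peer never contacted before
    ("nginx", "open", "/etc/shadow"),                # file never read before
]

class ProcessBaseline:
    """Allow-set of (event, target) pairs per process, filled during learning."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, events):
        for proc, event, target in events:
            self.seen[proc].add((event, target))

    def evaluate(self, events):
        """Return [(process, event, target, action)] for events outside the baseline.

        A never-before-seen exec gets "terminate"; other deviations get "alert".
        This response mapping is an assumption for the example, not an Aqua setting.
        """
        findings = []
        for proc, event, target in events:
            if (event, target) in self.seen[proc]:
                continue
            action = "terminate" if event == "exec" else "alert"
            findings.append((proc, event, target, action))
        return findings

def run_demo():
    baseline = ProcessBaseline()
    baseline.learn(LEARNING_EVENTS)
    return baseline.evaluate(RUNTIME_EVENTS)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```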
When deploying VMs, Aqua’s Image Assurance policies are crucial. These policies define the security posture an image must meet to be deployed. For instance, you can set a policy that an image must have zero critical vulnerabilities, no malware, and adhere to a specific software bill of materials (SBOM).
apiVersion: aqua.security/v1alpha1
kind: ImageAssurancePolicy
metadata:
  name: vm-deploy-policy
spec:
  image: "vmware.io/my-app:*"
  vulnerability:
    critical: 0
    high: 5
  malware:
    enabled: true
  sbom:
    enabled: true
This policy, when applied, would prevent any image matching vmware.io/my-app:* from being deployed if it has more than 5 high-severity vulnerabilities, any critical vulnerabilities, or if malware is detected. The fix is to remediate the image by updating vulnerable packages or removing malicious components, then rebuilding and rescanning. This works because the policy acts as a gatekeeper, enforced by Aqua’s admission controller or CI/CD integration, ensuring that only compliant images proceed to deployment.
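The gatekeeping decision the policy above expresses, as an added example written for this page rather than Aqua's admission controller or CI/CD plug-in: the policy's thresholds are applied to a constructed scan report and the result is allow or deny with the reasons. The report fields (vulnerability counts, malware flag, SBOM presence) are assumptions for the example, not Aqua's report schema, and "sbom: enabled" is read here as "an SBOM must be present".

```python
from fnmatch import fnmatch

# Mirrors the ImageAssurancePolicy above, as a plain dict.
POLICY = {
    "image": "vmware.io/my-app:*",
    "vulnerability": {"critical": 0, "high": 5},
    "malware": {"enabled": True},
    "sbom": {"enabled": True},
}

# Constructed scan report; field names are assumptions, not Aqua's format.
SCAN_REPORT = {
    "image": "vmware.io/my-app:latest",
    "vulnerabilities": {"critical": 1, "high": 7, "medium": 12},
    "malware_found": False,
    "sbom_present": True,
}

def evaluate_policy(policy, report):
    """Return (allowed, reasons) for one image against one policy.

    An image whose name does not match the policy pattern is not governed by it
    and passes with a note; a matching image is denied if any threshold is exceeded.
    """
    if not fnmatch(report["image"], policy["image"]):
        return True, ["image not covered by this policy"]
    reasons = []
    limits = policy.get("vulnerability", {})
    counts = report.get("vulnerabilities", {})
    for severity, limit in limits.items():
        found = counts.get(severity, 0)
        if found > limit:   # "critical: 0" means any critical finding denies
            reasons.append(f"{found} {severity} vulnerabilities exceed limit {limit}")
    if policy.get("malware", {}).get("enabled") and report.get("malware_found"):
        reasons.append("malware detected")
    if policy.get("sbom", {}).get("enabled") and not report.get("sbom_present"):
        reasons.append("SBOM missing")
    return not reasons, reasons

if __name__ == "__main__":
    allowed, why = evaluate_policy(POLICY, SCAN_REPORT)
    print("ALLOW" if allowed else "DENY", why)
```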
The runtime visibility provided by Nautilus goes beyond just security events. It can also offer insights into compliance. For example, if a regulatory requirement dictates that certain sensitive files should never be accessed by a particular application, Aqua’s runtime monitoring can detect and alert on any such access attempts. This helps bridge the gap between static security scanning and the continuous assurance needed in production environments.
Aqua’s approach to VM security is fundamentally about understanding the workload’s entire lifecycle. It’s not just about scanning the image or protecting the running instance in isolation. It’s about creating a cohesive security strategy that spans development, deployment, and runtime, ensuring that security is an integral part of the VM’s existence.
The ability to segment network traffic at the VM workload level, based on Aqua’s understanding of what processes should be communicating with whom, offers a powerful layer of defense. This micro-segmentation, driven by observed and enforced network policies, can significantly limit the lateral movement of threats within your environment.
The next step is understanding how Aqua integrates with Kubernetes for containerized workloads.