Sysdig deal reflects buzz about infrastructure-as-code security
Sysdig plans to acquire an infrastructure-as-code security startup as enterprise adoption of containers and DevOps reaches critical mass, tying application and infrastructure deployments more tightly together.
The cloud-native observability and security provider announced this week that it will acquire Apolicy, a small startup based in Sunnyvale, Calif., on undisclosed financial terms.
Sysdig's cloud and container security policy management software already supports policy as code through an integration with Open Policy Agent (OPA). Apolicy will extend that OPA integration to cover security configuration scanning and autocorrection of infrastructure-as-code sources, including HashiCorp Terraform, AWS CloudFormation, Kubernetes YAML manifests, Helm charts and Kustomize files.
Infrastructure as code is an approach to infrastructure provisioning that defines resources in declarative source files, written either in a domain-specific language such as HashiCorp's configuration language for Terraform or in an open source format such as YAML. It has grown in popularity as businesses adopt containers and Kubernetes, which lend themselves to defining resources as code but also create sprawling, complex infrastructures that are difficult to manage manually. The increasingly popular GitOps approach, which centralizes all aspects of IT management in source code files and repositories, has also spurred adoption of infrastructure as code.
As infrastructure as code sees increasing use in Kubernetes environments, container security vendors have spotted an opportunity to extend their products. The Sysdig acquisition follows a similar deal reached last week by Aqua Security, which bought the company behind the open source tfsec project. Meanwhile, Styra Inc., the commercial backer of OPA, this week also launched new support for managing infrastructure security policies as code in its Declarative Authorization Service product.
"Infrastructure-as-code security is very active," said Sandy Carielli, analyst at Forrester Research. "A lot of vendors in the container security space and the pre-release analytics space ... realized that infrastructure as code became part of the way [IT organizations] define applications, and being able to secure this becomes part of their responsibility, as well as securing containers and [application] code."
Sysdig harnesses trends in self-healing security
Apolicy's self-healing features are what prompted Sysdig to acquire the company rather than partner with it as initially planned, and they will set Sysdig's integration apart from its competitors, according to Sysdig CEO Suresh Vasudevan.
"What Apolicy did was really say: 'Not only will I detect where the drift is between production and my [infrastructure-as-code] source, I'm actually going to create a Jira ticket and give you a pull request that says, here is the specific Helm chart or YAML file, here is the line where I need to make the change,'" Vasudevan said. "So for the developer, it's about ... approving the pull request, and at this point it's deployed to production."
Changes Apolicy makes to source files go through the same approval process developers already use for any other change to application or infrastructure code. Organizations may choose to deploy such changes to production automatically, but Vasudevan said that in his experience this type of unattended automation remains rare in DevOps shops.
Once the Apolicy acquisition is complete, Sysdig's roadmap for the combined companies also includes linking Apolicy's self-healing capabilities to Sysdig's Falco-based runtime security tools, to automatically correct violations of infrastructure-as-code security policy in production as well as before deployment.
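The scan-then-propose-a-fix workflow described above, reduced to its core, as an added example (not Apolicy or Sysdig code, and not OPA). It takes a Kubernetes Deployment as the dict that a YAML parser would return, checks each container's securityContext against a small hardening policy, and produces a corrected copy plus a unified diff, the "here is the line to change" content a pull request would carry. The sample manifest, the policy rules in REQUIRED and the replacement UID 10001 are all constructed for this example; only the Python standard library is used.

```python
"""Scan a parsed Kubernetes workload for weak securityContext settings and
propose an autocorrection as a diff. Added example, not vendor code."""
import copy
import difflib
import json

# Constructed sample: what yaml.safe_load() returns for a Deployment with one
# privileged root container and one container that omits hardening entirely.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "app",
                        "image": "example/app:1.0",
                        "securityContext": {"privileged": True, "runAsUser": 0},
                    },
                    {"name": "sidecar", "image": "example/proxy:2.1"},
                ]
            }
        }
    },
}

# Hardening policy assumed for this example: every container's
# securityContext must carry exactly these values.
REQUIRED = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
}
NONROOT_UID = 10001  # assumed unprivileged UID used when runAsUser is 0


def pod_spec(manifest):
    """Return (PodSpec, path prefix) for the workload kinds handled here."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"], "spec"
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest["spec"]["template"]["spec"], "spec.template.spec"
    raise ValueError(f"unsupported kind: {kind!r}")


def scan(manifest):
    """Return findings as (path, observed, required) tuples; empty if clean."""
    findings = []
    spec, prefix = pod_spec(manifest)
    for i, container in enumerate(spec.get("containers", [])):
        sc = container.get("securityContext", {})
        base = f"{prefix}.containers[{i}].securityContext"
        for key, want in REQUIRED.items():
            if sc.get(key) != want:
                findings.append((f"{base}.{key}", sc.get(key), want))
        if sc.get("runAsUser") == 0:
            findings.append((f"{base}.runAsUser", 0, "non-zero UID"))
    return findings


def autocorrect(manifest):
    """Return a corrected deep copy; the caller's manifest is never mutated."""
    fixed = copy.deepcopy(manifest)
    spec, _ = pod_spec(fixed)
    for container in spec.get("containers", []):
        sc = container.setdefault("securityContext", {})
        sc.update(REQUIRED)
        if sc.get("runAsUser") == 0:
            sc["runAsUser"] = NONROOT_UID
    return fixed


def proposed_patch(manifest, filename="manifest.json"):
    """Unified diff between the manifest and its autocorrected form, rendered
    as sorted JSON so the diff is stable and line-addressable."""
    before = json.dumps(manifest, indent=2, sort_keys=True).splitlines()
    after = json.dumps(autocorrect(manifest), indent=2, sort_keys=True).splitlines()
    return "\n".join(difflib.unified_diff(before, after, filename, filename, lineterm=""))


if __name__ == "__main__":
    for path, observed, required in scan(SAMPLE_DEPLOYMENT):
        print(f"{path}: found {observed!r}, policy requires {required!r}")
    print(proposed_patch(SAMPLE_DEPLOYMENT))
```

The diff is what a bot would attach to a pull request; the scan running clean on the autocorrected copy is the check that the proposed change actually satisfies the policy before a human approves it. Rendering through sorted JSON rather than the original YAML is a simplification: a production tool would patch the source file in place to preserve comments and ordering.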
“We should extend this runtime security feedback loop to your source files,” Vasudevan said.
While still relatively rare in container runtime security, self-healing is also growing in adjacent cybersecurity disciplines, Carielli said, as part of a wider convergence of previously specialized IT security segments under DevSecOps.
"Right now this is still happening a lot more at build time than at runtime, with static code analysis tools," she said. "The developers were nervous about this at first, but we're seeing it take hold."
In part, DevOps professionals have been forced to accept hands-off automation because container infrastructure becomes too complex to manage manually, Vasudevan said.
"As container adoption increases, [customers] end up taking the infrastructure-as-code route," he said. "Over the past two or three years, there has been a realization that if you deploy the infrastructure through [CI/CD] pipelines automatically versus manually, you are less likely to make mistakes."
DevOps pros face a build vs. buy decision
As security automation gains in popularity, it remains to be seen how much ground commercial products will win over free and open source tools. The integration between Sysdig's runtime security and Apolicy's autocorrection will involve open source components, but will be designed primarily for commercial customers, Vasudevan said.
One early major user of Falco, e-commerce platform provider Shopify, is broadly interested in how projects like Falco and OPA can go beyond rule-based Kubernetes pod security policies, a now-deprecated Kubernetes feature. But the company still prefers to use the open source versions of these tools to build its own security automation workflows.
"In addition to the other measures we use to protect our platform, we have already developed internal automation around policy enforcement using admission controllers," said Shane Lawrence, staff infrastructure security engineer at Shopify, via email. "Automation is critical to maintaining security at scale, and we're pleased to see new features that reduce the effort required to improve security enforcement."
Beth Pariseau, Senior Editor at TechTarget, is an award-winning veteran of computer journalism. She can be reached at [email protected] or on Twitter @PariseauTT.