Container Secure automates security and compliance coverage for Docker, Kubernetes, and continuous-delivery pipeline infrastructure. Built on top of the Halo platform, it provides container security as a standalone service, or in concert with Halo Server Secure (CWPP) and Cloud Secure (CSPM).
Expanding the Halo platform, Container Secure provides security and compliance automation for containerized applications running in public, private, or hybrid cloud hosting environments.
Halo Container Secure is more than just container security—it secures the runtime and development environments.
Assesses the DevOps toolchain for security and compliance
Assesses images before they go into production
Verifies safety and compliance of container runtime environments
Immediately detects and inventories containers launched from unknown or “rogue” container images
Halo automates key security and compliance functions through a set of customizable policies and technical rules that support common Docker and Kubernetes standards such as CIS benchmarks. These policies and rules are used to determine if container-related assets are compliant with best-practice security controls.
Automatically discovers, interrogates, and inventories Docker hosts, AWS ECS container instances, AWS Fargate, Azure Container instances, Kubernetes nodes, AWS EKS clusters, and Azure AKS clusters
Detects vulnerabilities in host operating systems, container runtimes, orchestration configurations, unpatched packages, access privileges, security control configurations, network services, process whitelists/blacklists, and more
Continually monitors Docker hosts, AWS ECS instances, Azure Container instances, Fargate deployments, Kubernetes nodes, AWS EKS clusters, and Azure AKS clusters to detect new vulnerabilities and exposures introduced by innocent changes or malicious activity
Automatically detects Docker host and Kubernetes node intrusions through log monitoring, file and system integrity monitoring, and IoT/IoC detection for container security
Immediately delivers vulnerability and exposure issues to system owners via REST API and message queues—see list of integrations
Provides detailed issue evidence and remediation guidance, automatically detecting and reporting resolved issues
Security and compliance requirements vary depending on the design of your container environment. Halo Container Secure not only secures containers, but also image registry platforms, Docker daemons, and orchestration software to ensure proper security and compliance.
When combined with Cloud Secure and Server Security, it expands coverage to the service control plane, host, and host operating system.
Halo Container Secure was designed to integrate directly with Docker hosts, Kubernetes nodes, and a range of image registries like AWS ECR, Docker Trusted Registry, and JFrog Artifactory.
Halo Container Secure includes a Jenkins native plug-in that provides key Halo assessments to the build testing process. This integrates security teams directly with DevOps processes and technologies as part of the “shift left” strategy that eliminates security flaws before they reach production.
Container Secure automatically builds a database of Docker images and their vulnerability status in the Halo Cloud by assessing images in one of three ways.
Halo’s registry connector scans container images-at-rest.
A Jenkins-native plugin scans images as changes are committed or as images are moved towards production.
Halo detects containers launched from unknown or “rogue” images, immediately scans rogue image instantiations, and seeks to associate them with known images.
A lightweight 2MB software sensor (microagent) assesses running containers on Docker hosts, collects data about the container, and sends it to the Halo Cloud.
Microagent can be installed directly as software on the container host environment or as a running container for easy implementations of container security
The Halo Cloud does the heavy lifting for the microagent, comparing the data from the microagent with its container image database, known vulnerabilities, and security controls defined in policies and rules.
Many cloud security “suites” are mashups of old technology that require separate licensing, deployment, administration, and maintenance. Some even require that you purchase their legacy technologies or additional features that should be included to make their “next-generation” technology operate. Unlike “free” IaaS provider tools that don’t provide parity in their competitors’ clouds, Halo works across CSPs.
Halo was designed from the ground up to be a truly unified solution. The Halo Container Secure service uses the same API connectors, microagents, console, API, policy engine, data model, and analytics engine as our Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM) services.