CONTAINER THREAT PREVENTION AND COMPLIANCE

Halo Container Secure automates threat prevention and compliance for Docker, Kubernetes, and continuous-delivery pipeline infrastructure

Security and Compliance that Keeps up with Continuous Delivery Pipelines

Containers have taken the digital world by storm, offering DevOps teams portability and scale with a deployment strategy directly aligned with continuous delivery. Containers along with service orchestration platforms like Kubernetes unlock the potential for true auto-scaling microservices, the brass ring for modern application architecture.

Container Secure screenshot

When implemented in conjunction with continuous delivery pipelines, these technologies drive a very fast and automated operational model. It’s up to your team to identify solutions that enable security and compliance functions to not just keep up, but also leverage these new models to make security part of the pipeline.

Designed for container security

Halo Container Secure was designed to integrate directly with Docker hosts, Kubernetes nodes, and a range of image registries like Docker Hub and jFrog. Halo Container Secure also includes a Jenkins native plug-in that enables key Halo assessments to become part of the build testing process, enabling true DevSecOps. This enables your security teams to integrate directly with DevOps processes and technologies, part of the “shift left” strategy of eliminating security flaws before they reach production. Container Secure is built on the Halo platform solution, meaning all container-related capabilities are tightly integrated with server and IaaS workload capabilities.

How it Works

Docker and Kubernetes security using the scalable, easily deployed architecture of the Halo platform

The Halo Container Secure architecture works by automatically building a database of Docker images and their vulnerability status, either by assessing images in a repository (images-at-rest) or by scanning images as new changes are committed or as images are moved towards production (images-in-motion).

Docker images-at-rest are scanned using an image registry connector that supports the most popular registry software and IaaS services, including Docker Hub, jFrog Artifactory, AWS Elastic Container Registry, and Azure Container Registry. Images-in-motion are scanned using a Jenkins-native plugin. Running containers on Docker hosts are monitored and correlated with image assessments to identify when known-vulnerable or completely unknown images are in use.
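As an added illustration (not CloudPassage's code) of the correlation step described above, the following Python sketch matches running containers against a registry inventory and an image assessment database by image digest, and sorts each container into clean, known-vulnerable, unscanned, or unknown ("rogue"). All digests, findings and container records are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    CLEAN = "clean"
    KNOWN_VULNERABLE = "known-vulnerable"
    UNSCANNED = "unscanned"   # image exists in a registry but has no assessment yet
    ROGUE = "rogue"           # digest is not in any registry inventory at all


@dataclass(frozen=True)
class ImageAssessment:
    digest: str
    critical: int
    high: int


# Constructed sample data: digests, findings and containers are made up.
# Correlation is keyed on the content digest (as reported in RepoDigests by
# `docker inspect`), not on the tag, because tags such as ":latest" are
# mutable and can be re-pointed at a different image after assessment.
REGISTRY_INVENTORY = {"sha256:aaaa1111", "sha256:bbbb2222", "sha256:cccc3333"}
ASSESSMENTS = {
    "sha256:aaaa1111": ImageAssessment("sha256:aaaa1111", critical=0, high=0),
    "sha256:bbbb2222": ImageAssessment("sha256:bbbb2222", critical=2, high=5),
}
RUNNING_CONTAINERS = [
    {"id": "c1", "image": "shop/api:1.4", "digest": "sha256:aaaa1111"},
    {"id": "c2", "image": "shop/web:2.0", "digest": "sha256:bbbb2222"},
    {"id": "c3", "image": "shop/worker:0.9", "digest": "sha256:cccc3333"},
    {"id": "c4", "image": "debug/tools:latest", "digest": "sha256:dddd4444"},
]


def classify(digest, inventory, assessments, max_high=0):
    """Verdict for one image digest; max_high is the tolerated count of high findings."""
    if digest not in inventory:
        return Verdict.ROGUE
    assessment = assessments.get(digest)
    if assessment is None:
        return Verdict.UNSCANNED
    if assessment.critical > 0 or assessment.high > max_high:
        return Verdict.KNOWN_VULNERABLE
    return Verdict.CLEAN


def correlate(containers, inventory, assessments):
    """Map container id -> Verdict for every running container."""
    return {c["id"]: classify(c["digest"], inventory, assessments) for c in containers}


if __name__ == "__main__":
    for cid, verdict in correlate(RUNNING_CONTAINERS, REGISTRY_INVENTORY, ASSESSMENTS).items():
        print(cid, verdict.value)
```

In a real deployment the inventory and assessment tables would be fed by the registry connector and the pipeline scanner, and an UNSCANNED or ROGUE verdict is the signal that a container bypassed the assessment path.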

Consistent agent across assets

Security and compliance of self-operated Docker runtimes (e.g. Docker hosts, AWS ECS instances, or Kubernetes nodes) is assessed and monitored continuously using the same Halo agent as other security capabilities, simply by enabling Docker inspection and/or Kubernetes policies. Agents are available as software installed on the host or in a “sidecar” container form factor. Security and compliance of IaaS Docker runtime services (e.g. AWS Fargate, Azure Container Instances) are evaluated and continuously monitored agentlessly via Halo Cloud Secure. Lastly, a container-friendly agent form factor is used for “Dockerized servers” that are configured and operated like traditional servers, but are “Dockerized” for portability purposes.

Container Secure Architecture diagram

To learn more about how Halo Container Secure works, please check out the Halo Container Secure Technical Brief.

Use Cases

Not all container use cases are created equal.

Container technology is varied and can be deployed in many ways, creating many possible variations on container use cases. Here are a few of the most common scenarios and the security requirements that come with them.

Workload portability

Dockerized servers are a “lift and shift” strategy that uses containers to wrap fully functional servers for portability across environments. Halo provides discovery and comprehensive security assessment of both the hosting environment and the Dockerized server itself.


Kubernetes

There's a growing trend in implementing true service-centric and microservices architectures on Kubernetes. As with Docker, many enterprises would rather focus on the applications themselves, not the underlying Kubernetes platform. Halo assesses and monitors the Docker and Kubernetes environments, assesses the container images for vulnerabilities, and discovers and tracks both containers and hosting environments.

Microservices

The trend in application architecture to implement functionality as interconnected microservices can be a boon to security, as individual units are simple and static. Complexity arises in the number of these components and their rate of change, demanding a solution like Halo that can automate assessment, discovery, and tracking of these containers and their hosting environments.

CICD and DevOps Enablement

The movement towards DevOps brings significant competitive benefits to the business in terms of agility. However, traditional security tools can stumble when used in these high-speed environments. Halo helps security teams partner with DevOps to automatically deploy security sensors and continuously assess the environment. They can also leverage Halo to assess builds as they run through the CICD process. This allows teams to fail insecure builds as code is checked in, dramatically reducing the cost of fixing these problems and the likelihood of them reaching production. Further, as DevOps takes advantage of Halo as a security service, they can integrate through the API to get ongoing security intelligence about the environment and automate responses and mitigations.

Elastic, Efficient Workloads

Containerized applications enable highly scalable and elastic environments that adjust to meet load automatically. Halo can automatically scale with these environments to efficiently assess and protect them as they expand and contract, and maintain continuous visibility into what is deployed and its security status. This is critical for successful security and compliance in these highly variable environments.

Features

Halo Container Secure provides threat prevention and compliance assurance capabilities for Docker and Kubernetes environments, including images, containers, and the critical infrastructure that stores, tests, orchestrates, and runs them.

Halo Container Secure provides confidence in the technology foundations of containerized environments as well as the actual containers and images. The containers themselves are important, but the image registry platforms, host operating systems, Docker daemons, orchestration software, and service control planes are all one functional system, and every link in the chain needs to be addressed.

Container Secure was designed by real-world container environment architects and engineers to align key capabilities and features with container-based architectures and operating models. 

For a complete inventory of all Halo Container Secure features and capabilities, please download the Halo Container Secure Technical Brief.

  • Fully automated inventory and assessment of Docker images at rest in a variety of registries
  • Security and compliance for self-operated Docker runtimes including underlying shared operating system, Docker daemon, and Kubernetes node software
  • Halo agents for Docker runtimes including traditional host-deployed agent software and sidecar agent form factors
  • Customizable technical rules and policies supporting common Docker and Kubernetes technical standards such as CIS benchmarks
  • Automatic identification of containers launched from known-vulnerable, unscanned, or completely unknown “rogue” images
  • Built on the Halo platform to provide one consistent interface, data model, REST API, and integration strategy for containerized assets as well as server-based and serverless assets

Supported Platforms

Halo Container Secure supports a variety of runtime models, image registries, and orchestration tooling.

From Dockerized servers to true microservices, self-hosted to turn-key IaaS services, Halo Container Secure can support your container, orchestration, and pipeline deployment. Most environments have some unique characteristics, so don’t hesitate to contact us and schedule a time to discuss your particular needs.

Docker Platforms (self-hosted)
  • Docker Enterprise Edition
  • Docker Community Edition
Docker Platforms (cloud)
  • AWS Elastic Container Service
  • AWS Fargate
  • Azure Container Instances
Image Registries (self-hosted)
  • Docker Private Registry
  • Docker Private Trusted Registry
  • jFrog Artifactory
Image Registries (cloud)
  • AWS Elastic Container Registry
  • Azure Container Registry
  • Docker Hub
Docker Base Image OSes
  • Ubuntu
  • Amazon Linux
  • CentOS
  • RedHat Enterprise Linux
  • Debian Linux
  • Oracle Linux
  • Alpine
  • Windows
Docker Host OSes
  • RedHat Enterprise Linux
  • CentOS
  • Amazon Linux
  • Oracle Linux
  • Debian
  • Ubuntu
  • CoreOS
  • Windows Server 2016
  • Windows Server 2019

Related Resources

You can start learning more about Halo Cloud Secure below. When you’re ready, don’t hesitate to contact us to schedule a demo, take a test drive in a pre-built sandbox environment, or register for a free 15-day trial to see Halo in your own environment.