CONTAINER THREAT PREVENTION AND COMPLIANCE
Halo Container Secure automates threat prevention and compliance for Docker, Kubernetes, and continuous-delivery pipeline infrastructure
Security and Compliance that Keeps up with Continuous Delivery Pipelines
Containers have taken the digital world by storm, offering DevOps teams portability and scale with a deployment strategy directly aligned with continuous delivery. Containers along with service orchestration platforms like Kubernetes unlock the potential for true auto-scaling microservices, the brass ring for modern application architecture.
When implemented in conjunction with continuous delivery pipelines, these technologies drive a very fast and automated operational model. It’s up to your team to identify solutions that enable security and compliance functions to not just keep up, but also leverage these new models to make security part of the pipeline.
Designed for container security
Halo Container Secure was designed to integrate directly with Docker hosts, Kubernetes nodes, and a range of image registries like AWS ECR, Docker Trusted Registry, and jFrog. Halo Container Secure also includes a Jenkins native plug-in that enables key Halo assessments to become part of the build testing process, enabling true DevSecOps. This enables your security teams to integrate directly with DevOps processes and technologies, part of the “shift left” strategy of eliminating security flaws before they reach production. Container Secure is built on the Halo platform solution, meaning all container-related capabilities are tightly integrated with server and IaaS workload capabilities.
How it Works
Docker and Kubernetes security using the scalable, easily deployed architecture of the Halo platform
The Halo Container Secure architecture works by automatically building a database of Docker images and their vulnerability status, either by assessing images in a repository (images-at-rest) or by scanning images as new changes are committed or as images are moved towards production (images-in-motion).
Docker images-at-rest are scanned using an image registry connector that supports most popular registry software and IaaS services, including Docker Hub, jFrog Artifactory, AWS Elastic Container Registry, and Azure Container Registry. Images-in-motion are scanned using a Jenkins-native plugin. Running containers on Docker hosts are monitored and correlated with image assessments to identify when known-vulnerable or completely unknown images are in use.
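The correlation step described above, written out as an added example (not Halo or CloudPassage code): a small image-assessment database is matched against what a host's Docker inspection reports, and each running container is classified. The data shapes, status values, and image digests are constructed for illustration; the one real caveat it encodes is that matching must key on the immutable image digest, not on a mutable tag.

```python
"""Correlate running containers with an image-assessment database.

Added example, not part of the Halo product. The records below are constructed
samples; the status vocabulary ("clean", "vulnerable", "pending") is an assumption.
"""

# Constructed sample: image assessments keyed by content digest. A tag such as
# "api:2.0.0" can be re-pointed at a different image, so the digest is the key.
IMAGE_DB = {
    "sha256:aaa111": {"ref": "registry.example/app:1.4.2", "status": "clean"},
    "sha256:bbb222": {"ref": "registry.example/api:2.0.0", "status": "vulnerable",
                      "critical_cves": 3},
    "sha256:ccc333": {"ref": "registry.example/worker:0.9", "status": "pending"},
}

# Constructed sample: containers a host agent observed running, with the digest
# of the image each was launched from.
RUNNING = [
    {"id": "c1", "name": "app",         "image_digest": "sha256:aaa111"},
    {"id": "c2", "name": "api",         "image_digest": "sha256:bbb222"},
    {"id": "c3", "name": "worker",      "image_digest": "sha256:ccc333"},
    {"id": "c4", "name": "debug-shell", "image_digest": "sha256:ddd444"},
]


def classify(container, image_db):
    """Return one of: ok, known-vulnerable, unscanned, rogue."""
    rec = image_db.get(container["image_digest"])
    if rec is None:
        # Digest never seen by any connected registry or pipeline scan.
        return "rogue"
    if rec["status"] == "pending":
        # Image is known to a registry but no assessment has completed yet.
        return "unscanned"
    if rec["status"] == "vulnerable":
        return "known-vulnerable"
    return "ok"


def findings(running, image_db):
    """Map container id -> classification for every running container."""
    return {c["id"]: classify(c, image_db) for c in running}


def needs_attention(running, image_db):
    """Container ids that should raise an alert (anything other than 'ok')."""
    return sorted(cid for cid, cls in findings(running, image_db).items() if cls != "ok")


if __name__ == "__main__":
    for cid, cls in findings(RUNNING, IMAGE_DB).items():
        print(cid, cls)
```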
Consistent agent across assets
Security and compliance of self-operated Docker runtimes (e.g. Docker hosts, AWS ECS instances, or Kubernetes nodes) are assessed and monitored continuously using the same Halo agent as other security capabilities, simply by enabling Docker inspection and/or Kubernetes policies. Agents are available as software installed on the host or in a “sidecar” container form factor. Security and compliance of IaaS Docker runtime services (e.g. AWS Fargate, Azure Container Instances) are evaluated and continuously monitored agentlessly via Halo Cloud Secure. Lastly, a container-friendly agent form factor is used for “Dockerized servers” that are configured and operated like traditional servers, but are “Dockerized” for portability purposes.
Not all container use cases are created equal.
Halo Container Secure provides threat prevention and compliance assurance capabilities for Docker and Kubernetes environments, including images, containers, and the critical infrastructure that stores, tests, orchestrates, and runs them.
Halo Container Secure provides confidence in the technology foundations of containerized environments as well as the actual containers and images. The containers themselves are important, but the image registry platforms, host operating systems, Docker daemons, orchestration software, and service control planes are all one functional system, and every link in the chain needs to be addressed.
Container Secure was designed by real-world container environment architects and engineers to align key capabilities and features with container-based architectures and operating models.
For a complete inventory of all Halo Container Secure features and capabilities, please download the Halo Container Secure Technical Brief.
- Fully automated inventory and assessment of Docker images at rest in a variety of registries
- Security and compliance for self-operated Docker runtimes including underlying shared operating system, Docker daemon, and Kubernetes node software
- Halo agents for Docker runtimes including traditional host-deployed agent software and sidecar agent form factors
- Customizable technical rules and policies supporting common Docker and Kubernetes technical standards such as CIS benchmarks
- Automatic identification of containers launched from known-vulnerable, unscanned, or completely unknown “rogue” images
- Built on the Halo platform to provide one consistent interface, data model, REST API, and integration strategy for containerized assets as well as server-based and serverless assets
Halo Container Secure supports a variety of runtime models, image registries, and orchestration tooling.
From Dockerized servers to true microservices, self-hosted to turn-key IaaS services, Halo Container Secure can support your container, orchestration, and pipeline deployment. Most environments have some unique characteristics, so don’t hesitate to contact us and schedule a time to discuss your particular needs.
- Docker Enterprise Edition
- Docker Community Edition
- AWS Elastic Container Service
- AWS Fargate
- Azure Container Instances
- Docker Private Registry
- Docker Private Trusted Registry
- jFrog Artifactory
- AWS Elastic Container Registry
- Azure Container Registry
- Docker Hub
- Amazon Linux
- Red Hat Enterprise Linux
- Debian Linux
- Oracle Linux
- Red Hat Enterprise Linux
- Amazon Linux
- Oracle Linux
- Windows Server 2016
- Windows Server 2019