Sysdig Secure, Sysdig’s commercial runtime defence product, has reached v2.2. The release introduces service-based access control and makes better use of Kubernetes’ admission controllers, audit data and labels.
The software is meant to secure cloud native hosts, applications, containers and networks by identifying vulnerabilities, auditing activity across microservices and enforcing compliance, amongst other things.
According to Knox Anderson, product manager at Sysdig, the latest release lets enterprises answer “the questions of who is doing what within Kubernetes”. For example, it consumes the kube-apiserver’s audit logs to record which cluster management actions were performed, by whom and on what, and alerts operations staff to out-of-the-ordinary behaviour.
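To make the audit-log idea concrete, here is an added example (not Sysdig’s code) that reads kube-apiserver audit events in the real audit.k8s.io/v1 Event format and applies four simple “who is doing what” rules: a shell opened into a pod, a human identity reading Secrets, an RBAC object being written, and a burst of 403 Forbidden responses from one principal. The eight sample events, the rule set and the threshold of three denied requests are constructed for the example; real thresholds need tuning per cluster.

```python
"""Flag out-of-the-ordinary Kubernetes API activity from kube-apiserver audit events.

Added example for this article, not Sysdig's code. Input is newline-delimited JSON
in the audit.k8s.io/v1 Event format the kube-apiserver writes when an audit log
backend and policy are configured. Sample events and rules are constructed.
"""
import json
from collections import Counter


def _event(audit_id, verb, username, resource, namespace, name, code, subresource=None):
    """Build one constructed audit event, trimmed to the fields the rules use."""
    ref = {"resource": resource, "name": name}
    if namespace:                      # cluster-scoped objects carry no namespace
        ref["namespace"] = namespace
    if subresource:
        ref["subresource"] = subresource
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
            "user": {"username": username, "groups": ["system:authenticated"]},
            "objectRef": ref, "responseStatus": {"code": code}}


# Constructed sample log: one JSON event per line, as a log backend would write it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("a1", "get", "system:serviceaccount:kube-system:coredns", "configmaps", "kube-system", "coredns", 200),
    _event("a2", "create", "jane@example.com", "pods", "prod", "web-0", 101, subresource="exec"),
    _event("a3", "get", "jane@example.com", "secrets", "prod", "db-credentials", 200),
    _event("a4", "get", "system:serviceaccount:prod:web", "secrets", "prod", "db-credentials", 200),
    _event("a5", "create", "admin@example.com", "clusterrolebindings", "", "ci-admin", 201),
    _event("a6", "list", "svc-probe", "secrets", "kube-system", "", 403),
    _event("a7", "list", "svc-probe", "pods", "kube-system", "", 403),
    _event("a8", "get", "svc-probe", "nodes", "", "node-1", 403),
])

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def parse_audit_log(text):
    """Parse JSON-lines audit output, keeping only completed requests."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # A request may be logged at RequestReceived and again at ResponseComplete;
        # only the latter carries the response code, so de-duplicate on it.
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def is_human(username):
    """Service accounts and control-plane identities all live under the system: prefix."""
    return not username.startswith("system:")


def detect(events, forbidden_threshold=3):
    """Return a list of alert dicts; rule order is the order events hit them."""
    alerts = []
    forbidden = Counter()
    for ev in events:
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        verb = ev.get("verb")
        code = ev.get("responseStatus", {}).get("code", 0)
        denied = code >= 400
        resource, sub = ref.get("resource"), ref.get("subresource")
        target = f"{ref.get('namespace', '<cluster>')}/{ref.get('name') or '*'}"

        if resource == "pods" and sub in ("exec", "attach") and not denied:
            alerts.append({"rule": "pod_exec", "auditID": ev["auditID"], "user": user, "target": target})
        if resource == "secrets" and verb in ("get", "list", "watch") and is_human(user) and not denied:
            alerts.append({"rule": "human_secret_read", "auditID": ev["auditID"], "user": user, "target": target})
        if resource in RBAC_RESOURCES and verb in WRITE_VERBS and not denied:
            alerts.append({"rule": "rbac_change", "auditID": ev["auditID"], "user": user, "target": target})
        if denied:
            forbidden[user] += 1

    # Many Forbidden responses from one principal look like permission probing.
    for user, n in forbidden.items():
        if n >= forbidden_threshold:
            alerts.append({"rule": "forbidden_burst", "auditID": None, "user": user,
                           "target": f"{n} denied requests"})
    return alerts


def analyse(text, forbidden_threshold=3):
    return detect(parse_audit_log(text), forbidden_threshold)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT_LOG):
        print(alert)
```

Note that the Secret-read rule only fires on successful requests: the denied attempts from `svc-probe` are instead counted toward the Forbidden burst, so a principal that is merely probing what it may do is reported once rather than per object. In a real deployment the audit policy must log at least `Metadata` level for the resources the rules reference, otherwise `objectRef` and `responseStatus` are not present to match on.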
Through Kubernetes’ admission controllers, Sysdig Secure 2.2 can establish whether images that have not been scanned, or whose scan results show known vulnerabilities, are about to be deployed, and inform users of the associated risk before the workload is admitted. Where checking everything is not feasible, administrators can also use Kubernetes labels to restrict compliance checks to the resources that matter most.
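The following added example (not Sysdig’s admission controller) shows the decision step such a validating webhook performs. The kube-apiserver POSTs an admission.k8s.io/v1 AdmissionReview to the webhook, and the webhook answers with an AdmissionReview whose `response` carries the request uid, `allowed`, optional `warnings` and, on rejection, a `status` message. The scan-result table, the label key `example.com/image-policy` used to scope enforcement, and the threshold of zero critical findings are constructed assumptions, not product defaults.

```python
"""Admit or reject a Pod from image scan results, as a validating admission webhook would.

Added example for this article, not Sysdig's code. Only the decision logic is shown;
HTTP serving and TLS are left out. SCAN_RESULTS, POLICY_LABEL and MAX_CRITICAL are
constructed for the example.
"""
import json

# Constructed stand-in for a scanner's results, keyed by exact image reference.
# "nginx:latest" is deliberately absent, i.e. never scanned.
SCAN_RESULTS = {
    "registry.example.com/web@sha256:" + "0" * 64: {"critical": 0, "high": 1},
    "registry.example.com/api:1.4.2": {"critical": 3, "high": 7},
}

POLICY_LABEL = "example.com/image-policy"   # hypothetical label; value "audit" reports without blocking
MAX_CRITICAL = 0                             # example threshold


def evaluate_pod(pod, scan_results, max_critical=MAX_CRITICAL):
    """Return (allowed, findings) for one Pod object.

    Init containers are checked too: a vulnerable init image runs before the app does.
    """
    labels = pod.get("metadata", {}).get("labels") or {}
    spec = pod.get("spec", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        image = c["image"]
        result = scan_results.get(image)
        if result is None:
            findings.append(f"container {c['name']}: image {image} has not been scanned")
        elif result["critical"] > max_critical:
            findings.append(f"container {c['name']}: image {image} has "
                            f"{result['critical']} critical vulnerabilities")
    # Label-scoped enforcement: resources marked "audit" are reported on, not blocked.
    if labels.get(POLICY_LABEL) == "audit":
        return True, findings
    return not findings, findings


def admission_response(review, scan_results=SCAN_RESULTS):
    """Build the AdmissionReview reply for an incoming review."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod" or req["operation"] not in ("CREATE", "UPDATE"):
        allowed, findings = True, []      # out of scope for this webhook
    else:
        allowed, findings = evaluate_pod(req["object"], scan_results)
    resp = {"uid": req["uid"], "allowed": allowed}
    if findings:
        # `warnings` is shown to the kubectl user even when admission succeeds;
        # `status.message` explains a rejection.
        resp["warnings"] = findings
        if not allowed:
            resp["status"] = {"code": 403, "message": "; ".join(findings)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def make_review(uid, image, labels=None):
    """Constructed AdmissionReview for a single-container Pod, shaped as the apiserver sends it."""
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "demo", "namespace": "prod", "labels": labels or {}},
           "spec": {"containers": [{"name": "app", "image": image}]}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "namespace": "prod", "object": pod}}


if __name__ == "__main__":
    for uid, image, labels in [
        ("r1", "registry.example.com/web@sha256:" + "0" * 64, None),
        ("r2", "registry.example.com/api:1.4.2", None),
        ("r3", "nginx:latest", None),
        ("r4", "nginx:latest", {POLICY_LABEL: "audit"}),
    ]:
        print(json.dumps(admission_response(make_review(uid, image, labels))["response"]))
```

Two practical caveats. Scan results should be keyed by digest rather than tag wherever possible, since a tag such as `api:1.4.2` can be repointed at a different image after it was scanned. And the label check here is done inside the webhook for illustration; Kubernetes can also do that selection before the call is made, via the `namespaceSelector` and `objectSelector` fields of a ValidatingWebhookConfiguration, which avoids a webhook round trip for resources that are out of scope.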
V2.2 also introduces what Sysdig calls service-based access control, its term for user groups (teams). Each group is granted defined access to policy events and their configuration, and to scan data, with that access scoped to particular services as the orchestrator defines them. Groups can be used to give developers, operations engineers and security teams their own Sysdig Secure views, or to restrict access to selected development projects, for example.
Sysdig Secure uses the same core as the open source project Falco, which was also started by Sysdig. Falco is designed to detect intruders and abnormal application behaviour on platforms such as Kubernetes and Cloud Foundry. It joined the Cloud Native Computing Foundation’s sandbox in October 2018, for better visibility and alignment with other cloud native projects.