Aqua Expands Container Security Platform with MicroEnforcer Technology


Aqua Security 3.0 provides new capabilities to help organizations protect Kubernetes container workloads as well as new modes of container deployment including the AWS Fargate service.

Aqua 3.0

Aqua Security launched the 3.0 version of its namesake container security platform on March 7, refocussing the product on providing Kubernetes cloud native enterprise security controls.

Aqua was originally focussed on just Docker container deployments and with the new 3.0 update is providing a series of capabilities that are aligned with Kubernetes deployments. Kubernetes provides container orchestration capabilities and has also been embraced by Docker Inc, which now also integrates Kubernetes as an option for its users as well. Looking beyond just Kubernetes, Aqua 3.0 also has a new capability called the MicroEnforcer which is aimed at emerging forms of lightweight container deployments, such as the AWS Fargate service.

“Over the last few years we had Docker as a focus,” Amir Jerbi, co-founder and CTO of Aqua Security, told eWEEK. “In the last year, we have seen a shift in the market where more and more people are using Kubernetes and there is a great need for tools that will add value on top of what Kubernetes offers.”

Aqua released its first container security platform in May 2016, providing runtime protection for containers. The Aqua 2.0 release debuted in February 2017, delivering an expanded set of container security capabilities, including application container traffic segmentation and support for secrets management. As a company, Aqua has raised a total of $38.5 million in venture capital funding to date, including a $25 million Series B that closed in September 2017.

The protections available in Aqua 3.0 aren’t just a shift in name to Kubernetes, they also represent a shift in how certain security functions are enabled. For example, Jerbi said that for user access control, which defines which users can perform various actions, things are done differently in Docker than with Kubernetes. Jerbi explained that Docker user access control is done at a low-lever with a docker command. In contrast he said that with Kubernetes, Aqua is providing user access control at the API-level.

“We moved the security layer to a higher level, to be more aligned with the way Kubernetes works, which allows us to protect different types of resources,” Jerbi said. “We can protect Kubernetes services and daemon sets and not just the containers.”

Kubernetes has included a Role Based Access Control (RBAC) capability since the 1.8 release, that debuted in September 2017. Jerbi said that Aqua plugs into Kubernetes native dynamic admission control capabilities which allow external security vendor to provide an additional layer of security.

Networking is also handled a little differently in Kuberentes than it has been typically done in Docker. Kubernetes has an abstraction known as the Container Networking Interface (CNI) into which different container networking technology can integrate.

“The integration with CNI allows us to create nano-segmentation,” Jerbi said. “Unlike Docker where you don’t have a lot of segmentation option, with Kubernetes there are different services and a lot of ways to group together applications.”

As such, Jerbi explained that an Aqua 3.0 user can choose to segment an application running in a specific namespace segment to make sure that it will never connect to another application running in a different namespace.


Among the many different ways that Kubernetes is being deployed today, is the AWS Fargate cloud service that provides a serverless approach to running containers. Fargate enables organizations to run containers without the need to manage servers or clusters.

To help protect AWS Fargate based container deployments, Aqua is introducing its’ new MicroEnforcer model. Jerbi explained that with the typical Aqua deployment, what is known as a container “side-car” is deployed on every node. The side-car is a container that acts to protect other containers that run on the same host node.

“The problem with Fargate is there is no node, so you have to add the enforcement point together with the application,” Jerbi said. “So we allow organizations to package the MicroEnforcer directly into the application container image.”

Jerbi added that as part of the application container image, the MicroEnforcer protection will travel with the container, wherever it is deployed. The MicroEnforcer also provides encryption to the container image, further protecting the data within an image.


Aside from its commercial platform, Aqua is also the leader of the open-source Kube-bench project which provides a set of checks to help make sure that Kubernetes is deployed in compliance with security best practices. As part of the Aqua 3.0 platform, Jerbi said that Kube-Bench is now directly integrated inside of the product.

“We’ve also put additional capabilities on top of Kube-Bench in Aqua 3.0, including the ability to aggregate  results across a cluster as well as the ability to generate reports,” Jerbi said.

Additionally Jerbi noted that Aqua 3.0 provides compliance templates for Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance regimes.

Container Competition

The market for container security vendors is a competitive one with multiple firms all aiming to grow market share. Among the startup vendors in the space are Twistlock, Capsule8, Neuvector, StackRox and LayeredInsight.

Jerbi said that Aqua aims to differentiate itself from the competition by investing in the entire lifecycle of container security from development to production deployment.

“From our perspective, we want to make sure we’re providing customers with security consistency regardless of which cloud native tool they choose,” Jerbi said. 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Leave A Reply