Twistlock 2.0 brings compliance controls to Docker containers
Twistlock, founded by Microsoft alumni, aimed to bring better security to Docker containers by making containers less opaque and more readily monitored. But that was before projects under the CNCF’s wing started developing native security and introspection features.
The latest version of Twistlock, just released, hints at where third-party container security tools are going next: compliance.
Twistlock 2.0 sports a tool set for regulatory compliance with containerised applications. Its new Compliance Explorer feature analyses an organisation’s containers and reports back on anything that does not follow rules, such as those defined by HIPAA or PCI. The Explorer provides a rolling 30-day history of an organisation’s compliance state for containerised environments, and it allows the export of data about violations for use in other tools.
Twistlock CEO Ben Bernstein emphasised that compliance scanning includes vulnerability checks, such as looking for the use of secrets in production, but doesn’t end there. “We allow users to test compliance at three critical locations—the registry, during the CI/CD process, and in production,” he said in an email. Checking for compliance during CI/CD allows users to push back noncompliant items to the developer instead of waiting for them to go to production, he noted.
Twistlock earned kudos for previous versions of its container-protection product. Google Cloud Platform tapped Twistlock to provide container scanning and vulnerability detection for Container Registry and Container Engine. Those services also claimed to be HIPAA-compliant, but Twistlock promotes its solution as capable of accepting rule sets for most kinds of compliance, using NIST’s XCCDF language for security configuration rules.
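The two preceding paragraphs describe the idea in general terms: run a set of compliance rules against a container image at the registry, in CI/CD and in production, flag things like secrets baked into the image, and express the rules and results in a portable form such as NIST's XCCDF. The following Python script is an added example of a minimal CI/CD gate of that kind; it is not Twistlock's code or rule set. The rule catalogue, the `docker inspect`-style sample image config and the helper names are all constructed for this illustration, and the results are rendered as a small XCCDF 1.2 TestResult document so they could be exported to other tooling.

```python
"""Minimal container-image compliance gate (added example, constructed rules).

The input mimics the "Config" block of `docker inspect`. Each rule returns a
list of evidence strings; an empty list means the rule passed. A CI pipeline
would call ci_gate() and reject the build on failure so the problem goes back
to the developer instead of reaching production.
"""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Environment-variable names that usually carry credentials (constructed list).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def check_no_secrets_in_env(cfg):
    """Fail if any environment variable name looks like a hard-coded credential."""
    return [e for e in cfg.get("Env", []) if SECRET_NAME_RE.search(e.split("=", 1)[0])]


def check_non_root_user(cfg):
    """Fail if the image runs as root (empty User, 'root', uid 0 or '0:<gid>')."""
    user = cfg.get("User", "")
    if user in ("", "root", "0") or user.startswith("0:"):
        return ["User=%r" % user]
    return []


def check_healthcheck_present(cfg):
    """Fail if the image defines no HEALTHCHECK (operational-readiness rule)."""
    return [] if cfg.get("Healthcheck") else ["no Healthcheck"]


# Rule catalogue: (XCCDF-style rule id, title, severity, check function). Constructed.
RULES = [
    ("xccdf_org.example_rule_no_env_secrets", "No secrets in environment", "high", check_no_secrets_in_env),
    ("xccdf_org.example_rule_non_root", "Container does not run as root", "medium", check_non_root_user),
    ("xccdf_org.example_rule_healthcheck", "Image defines a healthcheck", "low", check_healthcheck_present),
]


def evaluate(cfg):
    """Return a list of (rule_id, 'pass' | 'fail', evidence) covering every rule."""
    results = []
    for rule_id, _title, _severity, check in RULES:
        evidence = check(cfg)
        results.append((rule_id, "fail" if evidence else "pass", evidence))
    return results


def ci_gate(cfg, fail_on=("high", "medium")):
    """CI/CD gate: True only when no rule of the listed severities failed."""
    severity_of = {rule_id: sev for rule_id, _t, sev, _c in RULES}
    return not any(status == "fail" and severity_of[rule_id] in fail_on
                   for rule_id, status, _ in evaluate(cfg))


def to_xccdf_testresult(cfg, image_id):
    """Serialise the results as a minimal XCCDF 1.2 TestResult element."""
    ET.register_namespace("", XCCDF_NS)
    tag = lambda name: "{%s}%s" % (XCCDF_NS, name)
    tr = ET.Element(tag("TestResult"), id="xccdf_org.example_testresult_" + image_id)
    ET.SubElement(tr, tag("target")).text = image_id
    for rule_id, status, evidence in evaluate(cfg):
        rr = ET.SubElement(tr, tag("rule-result"), idref=rule_id)
        ET.SubElement(rr, tag("result")).text = status
        if evidence:
            ET.SubElement(rr, tag("message"), severity="error").text = "; ".join(evidence)
    return ET.tostring(tr, encoding="unicode")


# Constructed image config shaped like the Config block of `docker inspect`.
SAMPLE_CONFIG = {
    "User": "",
    "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2", "APP_ENV=prod"],
    "Healthcheck": None,
}

if __name__ == "__main__":
    for rule_id, status, evidence in evaluate(SAMPLE_CONFIG):
        print(rule_id, status, evidence)
    print("gate passed:", ci_gate(SAMPLE_CONFIG))
    print(to_xccdf_testresult(SAMPLE_CONFIG, "sha256_example"))
```

The severity threshold in `ci_gate` is the knob that decides what gets pushed back to the developer versus merely reported; real XCCDF rules would carry their check logic in OVAL or script content rather than inline Python, but the result document shape is the same.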
This is not the first set of container compliance tools on the market. Apcera, for instance, offers such tools on its platform. But Twistlock is meant to be a more general solution that runs anywhere Docker containers are found, with a modifiable rule set for future compliance jobs.
Tools like these are meant to address the hesitancy that legacy IT organisations have about moving to containers. Those with stiff regulatory measures are likely to be slow to adopt any new technology. While in theory it is easier to manage compliance in the cloud, it is not always automatic, especially if you are dealing with your own containerised stack, as opposed to a pre-certified service.
Twistlock’s compliance feature brings oversight to containerised apps. But it also demonstrates that third-party providers of container software (essentially, anything that’s not Docker) can bring more to the table than slight variations on already offered features. By looking at the areas where containers still have not made inroads, it is possible to build products that ease container adoption.
IDG News Service