NeuVector Introduces "Security Policy as Code" for Kubernetes Workloads
November 26, 2019

NeuVector announced the immediate availability of its “Security Policy as Code” capability for Kubernetes services.

The release – built into the NeuVector platform – enables DevOps teams to automate container security by using Kubernetes Custom Resource Definitions (CRDs) to define and manage application security policies throughout application development and production. Now, DevOps teams can more quickly deliver secure cloud-native apps because security policies can be defined, managed and automated during the DevOps process. Security Policy as Code adds to recently-released enhancements to the NeuVector platform, including data loss prevention (DLP) and multi-cluster/multi-cloud management capabilities.

With Security Policy as Code, DevOps teams can now easily implement robust security policies using CRDs to deploy customized resource configurations via developer-friendly YAML files. NeuVector also enables developers to create CRDs that capture the full profile of application behavior – and do so in a Kubernetes-native way. The result is simple-to-deploy, powerful security policy enforcement that:

- Captures the entire application behavior, including network rules, protocols, processes, and file activities that are allowed – or ‘whitelisted’ – for the application.

- Only permits allowed network connections between services – enforced by application protocol (layer 7) inspection.

- Allows or prevents external or ingress connections as warranted.

- Sets the “protection mode” of the application to either Monitor mode (alerting only) or Protect mode (blocking all suspicious activity).

- Supports integration with Open Policy Agent (OPA) and other security policy management tools.

- Allows DevOps and security teams to define application policies at different hierarchies such as per-service rules defined by DevOps and global rules defined by centralized security teams.

- Is RBAC-enabled, enforcing the creation and updates of security policy as allowed natively by Kubernetes service accounts and roles.

- Is extensible, to support future expansion of security policy as code to admission control rules, DLP rules, response rules and other NeuVector enforcement policies.

“By introducing our industry-first Security Policy as Code for Kubernetes workloads, we’re excited to provide DevOps and DevSecOps teams with even more control to automate safe behaviors and ensure their applications remain secure from ever-increasing threat vectors,” said Gary Duan, CTO, NeuVector. “We continue to build out new capabilities sought by customers – such as DLP, multi-cluster management, and, with today’s release, CRD support. Our mission is acutely focused on raising the bar for container security by offering a complete cloud-native solution for the entire application lifecycle.”

Using Security Policy as Code and CRDs, developers and DevOps teams can define and allow the run-time application behavior they expect by implementing specific security rules for network connections, process activity, file access patterns, and other run-time policies. Importantly, because these security policies are defined as code, they are version-tracked and built for easy automation. This makes it simple to migrate security policies across Kubernetes clusters (or from staging to production environments), and to manage versions of security policies tied to specific application versions. Developers can also easily enforce global security policies this way, and further specify policies for each Kubernetes workload as needed.

NeuVector’s behavioral learning technology delivers the ability to learn and define appropriate application behavior in testing or staging environments, and to export that security policy as a CRD YAML file that developers and DevOps teams can review and edit before deploying in production. Combined with NeuVector’s full lifecycle vulnerability scanning and ConfigMap-based deployment capabilities, CRD support from NeuVector further enhances security automation during the entire CI/CD pipeline and into production environments.

Share this

Industry News

January 16, 2020

VAST Data announced the general availability of its new Container Storage Interface (CSI).

January 16, 2020

Fugue has open sourced Regula, a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment.

January 16, 2020

WhiteHat Security will offer free application scanning services to federal, state and municipal agencies in North America.

January 15, 2020

Micro Focus announced the release of Micro Focus AD Bridge 2.0, offering IT administrators the ability to extend Active Directory (AD) controls from on-premises resources, including Windows and Linux devices to the cloud - a solution not previously offered in the marketplace.

January 15, 2020

SaltStack announced the availability of three new open-source innovation modules: Heist, Umbra, and Idem.

January 15, 2020

ShiftLeft announced a partnership and deep integration with CircleCI that enables organizations to insert security directly into developer pull requests from code repositories.

January 14, 2020

Containous closed $10 million in Series A funding.

January 13, 2020

JFrog announced the launch of the free ConanCenter, enabling better search and discovery while streamlining C/C++ package management.

January 13, 2020

Perfect Sense launched Gyro - a cloud management tool that mitigates the risks associated with manually provisioning and managing infrastructure, lack of standards in configurations, and unpredictable results from changes to cloud infrastructure.

January 13, 2020

Synopsys has completed the acquisition of Tinfoil Security, a provider of dynamic application security testing (DAST) and Application Program Interface (API) security testing solutions.

January 09, 2020

IT Revolution, the industry leader for advancing DevOps, opened its call for presentations for both DevOps Enterprise Summit 2020 events in London and Las Vegas.

January 08, 2020

Anchore announced the immediate availability of Anchore Enterprise 2.2.

January 08, 2020

TigerGraph announced new functionality and performance for TigerGraph Cloud.

January 07, 2020

Compuware Corporation announced a CloudBees Technical Alliance Partner Program (TAPP) Premier Partnership and new advancements to Topaz that together enable organizations to quickly achieve low-risk, low-cost mainframe modernization by fully leveraging their existing mainframe resources.

January 07, 2020

Allegro A officially welcomes Allegro Trains Agent to the Allegro Trains ecosystem.