The NeuVector demonstration provided security for vSphere Integrated Containers (VIC) at the application layer, where it inspected and analyzed connections into deployed containers. The product uses a visual map of containers and their connections, behavioral learning that builds a security policy from observed activity, and detection of privilege escalation within a container environment.
VMware’s VIC is the company’s enterprise-focused container runtime product. It allows developers to use Docker to deploy containers alongside traditional virtual machine-based workloads on vSphere clusters.
NeuVector CEO Fei Huang said the company’s focus is on runtime security challenges. A container runtime is the component that actually creates and isolates containers on a host, setting up namespaces, cgroup resource limits and the container filesystem, and it exposes application programming interfaces (APIs) and tooling for managing that lifecycle and inspecting running containers.
On the runtime-security side, the NeuVector product also covers host security, compliance auditing and vulnerability scanning.
Huang said many of its customers were working in the VMware world and looking for a security solution to run on top of a VIC deployment.
“Many of our customers are already familiar with VMware, so [they] were looking for something that could be easier to deploy and manage because of that familiarity,” Huang said. “This demonstration showed our product could be adapted to the VMware container environment.”
Container security startup Lacework last month also cited a focus on runtime security within Docker environments. The company said its platform is “fully container-aware”: it takes baseline readings of container behavior, tracks and monitors container provenance, applies security to each container automatically, and can itself run as a container.
“We protect Docker containers once deployed by tracking all runtime activity inside and outside the container,” explained Isabelle Dumont, VP of marketing at Lacework.
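Both vendors describe the same runtime pattern: observe what containers do during a learning phase, turn that into a policy, then alert on deviations and on privilege escalation. The following is an added illustration of that pattern, not code from NeuVector, Lacework or VMware, and the event shape (a connection record with service, destination, port and protocol; a process record with executable, uid and effective uid) and the sample events are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed, simplified event types (hypothetical; not a real product's log format).
@dataclass(frozen=True)
class Conn:
    service: str   # logical container group the connection originates from
    dst: str       # destination service name or external host
    port: int
    proto: str


@dataclass(frozen=True)
class Proc:
    service: str
    exe: str
    uid: int       # real user id the process started with
    euid: int      # effective user id; differs from uid after a setuid transition


# Learning phase: traffic and processes observed while the application behaves normally.
LEARNING = [
    Conn("web", "api", 8080, "tcp"),
    Conn("web", "db", 5432, "tcp"),
    Conn("api", "db", 5432, "tcp"),
    Proc("web", "/usr/sbin/nginx", 101, 101),
    Proc("api", "/usr/bin/python3", 1000, 1000),
    Proc("db", "/usr/bin/postgres", 999, 999),
]

# Protect phase: includes an outbound connection to an unknown host, an unexpected
# shell, and a setuid transition to root inside the "web" container.
ENFORCE = [
    Conn("web", "db", 5432, "tcp"),
    Conn("web", "203.0.113.5", 4444, "tcp"),
    Proc("web", "/bin/sh", 101, 101),
    Proc("web", "/usr/bin/sudo", 101, 0),
    Proc("db", "/usr/bin/postgres", 999, 999),
]


def learn_baseline(events):
    """Discovery phase: everything observed becomes the allowed policy."""
    policy = {"conns": defaultdict(set), "procs": defaultdict(set), "root_ok": set()}
    for ev in events:
        if isinstance(ev, Conn):
            policy["conns"][ev.service].add((ev.dst, ev.port, ev.proto))
        else:
            policy["procs"][ev.service].add(ev.exe)
            if ev.euid == 0:
                # this service legitimately ran as root during learning
                policy["root_ok"].add(ev.service)
    return policy


def evaluate(policy, events):
    """Protect phase: return (kind, service, detail) alerts for deviations."""
    alerts = []
    for ev in events:
        if isinstance(ev, Conn):
            if (ev.dst, ev.port, ev.proto) not in policy["conns"].get(ev.service, set()):
                alerts.append(("network.violation", ev.service,
                               f"{ev.dst}:{ev.port}/{ev.proto}"))
        else:
            if ev.exe not in policy["procs"].get(ev.service, set()):
                alerts.append(("process.unknown", ev.service, ev.exe))
            # Escalation: a setuid jump to euid 0, or root in a service that
            # never ran as root while the baseline was learned.
            if ev.euid == 0 and (ev.uid != 0 or ev.service not in policy["root_ok"]):
                alerts.append(("privilege.escalation", ev.service,
                               f"{ev.exe} uid={ev.uid} euid={ev.euid}"))
    return alerts


def run_demo():
    """Learn from LEARNING, then evaluate ENFORCE against the learned policy."""
    return evaluate(learn_baseline(LEARNING), ENFORCE)


if __name__ == "__main__":
    for kind, service, detail in run_demo():
        print(f"{kind:22} {service:5} {detail}")
```

The learning set evaluated against its own baseline produces no alerts, which is the property a behavioral policy must have before it is switched from monitor to enforce; the caveat is that anything an attacker does during the learning window is learned as normal, so the window has to be bounded and the resulting policy reviewed.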
Loose VMware integration
Huang said the current NeuVector work was “not a deep integration” and just a “first stab.”
“We have a very loose integration initially, and along the way we may go deeper with the integration,” Huang explained.
To ease deployment, Huang noted that the NeuVector product is itself delivered as containers and uses the same technologies found in Kubernetes. He said this keeps the resource footprint small and makes the product familiar to developers who already work in a container environment.
“Product security does not go very deep. To make this really work in a production environment we can provide a much deeper level of protection for application containers,” Huang said. “When used in conjunction with those established security measures, we provide a better product set for enterprises.”