A Discussion on Container Security with Twistlock CEO Ben Bernstein

We recently visited with Twistlock CEO Ben Bernstein to talk about his company’s Twistlock Container Security Suite and the recent announcement of its relationship with Google through the Twistlock for Google Cloud Platform integration with Google Container Engine and Container Registry.

Twistlock came out of stealth earlier this year and on November 10 the company announced the general availability of its Twistlock Container Security Suite as well as a new collaboration with Google that integrates the Twistlock solution with the Google Cloud Platform (GCP), providing container image scanning, access control functions, and the ability to enforce runtime security policies to protect containerized applications running on GCP.

Bernstein has 15 plus years of experience in enterprise software, specifically in relation to security technologies. He is a Microsoft veteran and trained in the Israeli Intelligence Corps.

ADM: How did Google and Twistlock start their relationship, given Twistlock came out of stealth earlier this year?

Bernstein: The Google team is very up to date on all startups in the eco-systems that are relevant to Google products. Specifically earlier this year Google took notice of some of our open source contributions to the Docker distribution, and the discussions started “bottom up” style.

ADM: Does the need for a solution like yours mean containers are inherently insecure?

Bernstein: No, Containers include many layers of code, such as the Linux distribution layer, application frameworks like Node.js, Ruby on rails, Python, and Java, as well as custom-developed application programs. Many of these may include various versions of open source libraries, which could contain vulnerabilities. 

Twistlock’s technologies help you spot these vulnerabilities before containers are put to use in production. In addition, Twistlock can detect container misconfigurations, which may be due to a human error. In short, containers are not inherently insecure, but within the lifecycle of a container, there are many places mistakes can happen which could lead to vulnerabilities that could be exploited. 

ADM: Can Twistlock guarantee that containers are secure?

Bernstein: Twistlock can help a great deal, but we can’t guarantee. For instance, we can ensure that certain configuration best practices are followed, such as those recommended by the CIS benchmark. Twistlock can also ensure that all known vulnerabilities exist in the containers are caught and remediated before it is deployed. 

Twistlock can also ensure that you have real-time visibility into which version of a library code is deployed at which containers - this allows you to carry out update actions across all of your running containers. In addition, Twistlock can also catch compromises via 0-day exploits if the container starts to exhibit suspicious behavior. However, Twistlock can’t always catch all the 0-day vulnerabilities that may exist in the various layers of the container code. In fact, no technology today can catch all conceivable 0-day vulnerabilities. 

ADM: Is Google endorsing Twistlock as the preferred way to secure containers?

Bernstein: The integration will make it easier for users of Twistlock and the Google Cloud Platform to use both tools to manage their applications. The container space is rapidly evolving and it’s important various tools in the ecosystem work together well.

ADM: If you use Twistlock, does this mean that you can now safely use containers without VMs?

Bernstein: Running containers with or without VMs have respective pros and cons. If you run multi-tenant containers within a single VM, you will still have to face the same segregation, threat protection challenges that you might face with running containers on bare metals. Twistlock’s technologies can deliver extra layer of protection for customers running containers with or without VMs. 

ADM: What do people do today to secure containers without the Twistlock solution?

Bernstein: There are a number of manual tasks organizations can execute to detect vulnerabilities and defend against run time threats. Twistlock automates much of those tasks, making it possible to secure containers in a large scale deployment without impeding the agility and efficiency benefits of container computing.

ADM: Is this limited/special integration only for Google, or will this be available for other clouds?

Bernstein: Twistlock on Google Cloud Platform does have certain integration points designed specifically to work with Google Cloud. However, they do not affect the core functions of the Twistlock product. Twistlock Container Security Suite is available for other clouds as well as capable of being deployed on premises by an enterprise.