Twistlock 2.0 brings compliance controls to Docker containers

Twistlock, founded by Microsoft alumni, aimed to bring better security to Docker containers by making containers less opaque and more readily monitored. But that was before projects under the CNCF’s wing started developing native security and introspection features.

The latest version of Twistlock, released this week, hints at where third-party container security tools are going next: compliance.

Twistlock 2.0 adds a tool set for regulatory compliance of containerized applications. Its new Compliance Explorer feature analyzes an organization's containers and reports anything that violates a configured rule set, such as controls derived from HIPAA or PCI DSS. The Explorer keeps a rolling 30-day history of an organization's compliance state across its containerized environments, and it can export violation data for use in other tools.

Twistlock CEO Ben Bernstein emphasized that compliance scanning overlaps with vulnerability and hygiene checks, such as detecting secrets baked into production images, but doesn't end there. "We allow users to test compliance at three critical locations—the registry, during the CI/CD process, and in production," he said in an email. Checking for compliance during CI/CD allows users to push noncompliant items back to the developer instead of waiting for them to reach production, he noted.

Twistlock earned kudos for previous versions of its container-protection product. Google Cloud Platform tapped Twistlock to provide container scanning and vulnerability detection for Container Registry and Container Engine. Those Google services were already marketed as HIPAA-compliant; Twistlock, by contrast, promotes its product as accepting rule sets for most compliance regimes, expressed in XCCDF, the NIST-maintained XML format for security-configuration checklists.

This isn't the first set of container compliance tools on the market. Apcera, for instance, offers such tools on its platform. But Twistlock is meant to be a more general solution that runs anywhere Docker containers are found, with rule sets that can be modified as compliance requirements change.

Tools like these are meant to address the hesitancy that legacy IT organizations have about moving to containers. Organizations under strict regulatory regimes are likely to be slow to adopt any new technology. While in theory it's easier to manage compliance in the cloud, it's not automatic, especially if you're running your own containerized stack rather than a precertified service: a provider's certification covers the provider's infrastructure, not the images and configuration the customer deploys on top of it.

Twistlock’s compliance feature brings oversight to containerized apps. But it also demonstrates that third-party providers of container software (essentially, anything that’s not Docker) can bring more to the table than slight variations on already offered features. By looking at the areas where containers still haven’t made inroads, it’s possible to build products that ease container adoption.