Ran Ilany: The second thing that we’re doing is authenticating the communication of those workloads. That is to say, the actual identity of the workload is injected into the traffic stream so that every connection would be, first and foremost, authenticated and would then be authorized.
The whole notion here is moving from IP, port, and protocol to a workload identity that can be authenticated at runtime. This is what we call the runtime protection.
The users of the system are mostly operations folks and not necessarily security folks; the system was designed to be simple. It is based on a SaaS model. It’s a management system that resides in the cloud. Our customers open an account on our server and download a single plugin that is deployed in the CI/CD pipeline.
This plugin has two purposes. The first one is to be able to import all of the container's descriptive attributes, such as the hash, build, and version. You have to sign it before it goes to runtime.
The second thing that we do with this plugin is inject a Service Mesh into the runtime environment so that it will be the actual infrastructure used to both visualize and enforce security policies on those runtime environments.
As I mentioned, once this is deployed with the Service Mesh and the identities of the workloads, the immediate value that the user can see is being able to identify what came from your pipeline and what didn’t. Every blue container that the system visualizes is authenticated because it came signed from the pipeline itself.
Every red artifact is something we see at runtime that didn’t come from the pipeline. It could be a developer who went to a specific website, downloaded a piece of code, compiled it locally, and introduced that piece of code. It could even be a piece of code that shouldn’t be running there.
This is the number one value that our organization delivers: being able to identify what should be running versus what should not be running. Once you identify your assets, the second thing is being able to trace back everything through the pipeline.
There’s a lot of information that otherwise wouldn’t be available, because there isn’t any technology that can bind the runtime to the pipeline in such a way that it introspects everything one to one. This is the visibility perspective. Then I also mentioned the network security, or connectivity, part, which is also a very important part of our offering.
Every connection between the workloads and containers is authenticated based on the identity that was generated. Every connection that the system sees that is not identified is immediately suspect. This is the deterministic approach of being able to say that anything that didn’t come from my pipeline or isn’t included in the whitelist should not be there.