
Native Runtime Protection for Pivotal Cloud Foundry

The Pivotal Application Service (PAS) is a distribution of the Cloud Foundry Application Runtime (CFAR) and part of the Pivotal Cloud Foundry (PCF) suite; it is widely used, especially among large enterprises. Aqua now provides a full lifecycle solution for PAS workloads, from the scanning and deployment assurance policies we introduced last year to new runtime controls that include behavioral and network security policies. The Aqua Security for PCF tile is available to install from the Pivotal Network.

Aqua introduced scanning for PCF early in 2018; if you're not familiar with PCF/PAS terminology, that earlier post includes a detailed explanation.

Vulnerability Scanning and App Assurance

Aqua integrates into the PCF pipeline to automatically scan Droplets for known vulnerabilities, sensitive data such as private keys, and malware as they are pushed to the Blobstore. Scanning is performed by a Buildpack that is installed when the Aqua tile is deployed. Our vulnerability scanning is based on an aggregated feed that Aqua's security team collects from multiple sources, reconciling the latest data to keep it current and to reduce false positives.

This provides visibility into new code and code changes introduced by developers, so that they don't introduce significant new risk. More importantly, Aqua provides flexible Assurance Policies that let security teams define which issues represent unacceptable risk, and block non-compliant applications from being staged to the Blobstore.

Once in the Blobstore, Aqua will perform daily scans and apply the Assurance Policy to prevent unauthorized Droplets from running (this feature is currently in preview).
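
As an added example (written for this post; it is not Aqua's buildpack or scanner, and the paths, patterns and findings are constructed), the block below shows what such a staging-time gate does in practice: it unpacks a droplet, which Cloud Foundry stores as a gzipped tar, looks for embedded private keys and AWS access key IDs, and applies an assurance policy that combines those findings with a vulnerability list supplied as data, since an offline example cannot query a real vulnerability feed. The policy keys `max_severity`, `block_on_secrets` and `exceptions` are assumptions for illustration, not Aqua's policy schema.

```python
"""Staging-time droplet check, written as an added example for this post
(not Aqua's buildpack or scanner). A Cloud Foundry droplet is a gzipped
tar; we walk it for embedded secrets and then apply an assurance policy
to the combined findings. Vulnerability findings are passed in as data."""
import io
import re
import tarfile

# Patterns for sensitive material. The PEM header is unambiguous; the AWS
# access key ID pattern is a common heuristic (AKIA followed by 16 chars).
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def build_droplet(files):
    """Build an in-memory droplet (tar.gz) from {path: bytes}. Constructed input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_droplet_for_secrets(droplet_bytes, max_file_size=4 * 1024 * 1024):
    """Return [{'path', 'kind'}] for every regular file matching a secret pattern."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(droplet_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_size:
                continue  # skip directories, symlinks and oversized blobs
            data = tar.extractfile(member).read()
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append({"path": member.name, "kind": kind})
    return findings


def evaluate_assurance_policy(secrets, vulnerabilities, policy):
    """Return (compliant, reasons). Hypothetical policy shape:
    {"max_severity": "medium", "block_on_secrets": True, "exceptions": {"ID"}}
    Findings rated above max_severity block staging unless listed in exceptions."""
    reasons = []
    if policy.get("block_on_secrets", True):
        for s in secrets:
            reasons.append(f"{s['kind']} found in {s['path']}")
    ceiling = SEVERITY_RANK[policy.get("max_severity", "medium")]
    for v in vulnerabilities:
        if v["id"] in policy.get("exceptions", set()):
            continue  # explicitly accepted risk
        if SEVERITY_RANK[v["severity"]] > ceiling:
            reasons.append(f"{v['id']} ({v['severity']}) in {v['package']} exceeds policy")
    return (not reasons, reasons)


def check_droplet(files, vulnerabilities, policy):
    """Full staging gate for a droplet described as {path: bytes}."""
    secrets = scan_droplet_for_secrets(build_droplet(files))
    compliant, reasons = evaluate_assurance_policy(secrets, vulnerabilities, policy)
    return {"secrets": secrets, "compliant": compliant, "reasons": reasons}


if __name__ == "__main__":
    # Constructed droplet contents and a constructed (not real) vulnerability finding.
    files = {
        "app/server.js": b"require('http').createServer().listen(8080)\n",
        "app/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "app/config/aws.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    }
    vulns = [{"id": "EXAMPLE-0001", "package": "libexample", "severity": "high"}]
    print(check_droplet(files, vulns, {"max_severity": "medium", "block_on_secrets": True}))
```

The policy blocks on any finding rated above the configured ceiling unless it is on an explicit exception list, which is how a team accepts a known, mitigated issue without disabling the gate for everyone else.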

PAS Runtime Protection

Aqua has now added significant new capabilities for protecting PAS applications at runtime, the first such solution on the market. Crucially, Aqua Enforcers are deployed with BOSH on every Diego Cell in your CF deployment, using a deployment add-on that automatically places a single Aqua Enforcer container on each Cell. This is a frictionless process that requires no changes to existing application deployment practices, and no manual changes or re-deployments per application.

The runtime policies are similar to what Aqua offers in Kubernetes/Docker environments and are quite extensive. They include:

  • Drift prevention, which blocks execution of binaries that were not in the original image (droplet)
  • Whitelisting and blacklisting of executables
  • Limiting container privileges, such as running privileged containers, accessing the host network, or using host namespaces
  • Forensics data collection on processes, command arguments, and network activity
  • Threat mitigation measures, including port-scan detection, a fork-bomb guard, and blocking connections to IP addresses with a bad reputation
  • Automated profiling and whitelisting of the processes used in the running instance, to further reduce the attack surface

You define the scope of a runtime policy (what it applies to) by Cloud Foundry app name or by Cloud Foundry space. This allows different policies for different applications, for example customer-facing vs. internal, or apps in PCI DSS scope vs. apps that are not.

A violation can produce an audit event and alert, or block the offending action. In the example below, an executable was blocked because it violated the Drift Prevention control.

[Screenshot: an executable blocked by the Drift Prevention control]

Network Discovery and Firewall

One of the cool features in Aqua is the ability to automatically discover the network connections an application makes, list them, and use them to create firewall rules that whitelist (or blacklist) connections. Rules can be based on IP addresses, but also on service identities within the application and on DNS names, as shown below.

Non-whitelisted connections generate alerts and, if the firewall rules are activated in Enforce mode, are also blocked.

[Screenshot: discovered connections and the resulting firewall rules]
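
To make the scope, mode and control semantics of the runtime policies and the network firewall concrete, here is an added example (written for this post, not Aqua's enforcer code) that evaluates process-execution and connection events against policies scoped by app name or space. Drift prevention is checked against the digests of the executables the droplet shipped with rather than against paths, so a replaced binary is caught even if it keeps its name; the connection whitelist accepts CIDRs and DNS names, and `discover_whitelist` shows how rules can be learned from observed traffic. The app names, spaces, hashes and addresses are constructed, and the policy fields are assumptions for illustration.

```python
"""Runtime policy evaluation for PAS app instances, written as an added
example for this post (not Aqua's enforcer). Models drift prevention,
an executable blacklist and a connection whitelist, scoped by CF app name
or space, in audit (alert) or enforce (block) mode. All data is constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ExecEvent:
    app: str
    space: str
    path: str
    sha256: str          # digest of the binary actually executed


@dataclass
class ConnectEvent:
    app: str
    space: str
    dst_ip: str
    dst_name: str = ""   # DNS name the app resolved, if the lookup was observed


@dataclass
class RuntimePolicy:
    name: str
    mode: str                                            # "audit" or "enforce"
    apps: set = field(default_factory=set)               # scope: CF app names
    spaces: set = field(default_factory=set)             # scope: CF spaces
    drift_prevention: bool = False
    exec_blacklist: set = field(default_factory=set)     # basenames, e.g. {"nc"}
    network_whitelist: set = field(default_factory=set)  # CIDRs and/or DNS names

    def applies_to(self, event):
        return event.app in self.apps or event.space in self.spaces

    def action(self):
        return "block" if self.mode == "enforce" else "alert"


def dst_allowed(rules, ip, name):
    """Allowed if the address is inside a whitelisted CIDR or the resolved
    DNS name matches. Rules that do not parse as a network are DNS names."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        try:
            if addr in ipaddress.ip_network(rule, strict=False):
                return True
        except ValueError:
            if name and name.lower() == rule.lower():
                return True
    return False


def evaluate(event, policies, droplet_manifest):
    """Return [(policy name, control, action)] for one event.
    droplet_manifest: app name -> set of sha256 digests of the executables
    shipped in that app's droplet (collected when the droplet was scanned)."""
    verdicts = []
    for p in policies:
        if not p.applies_to(event):
            continue
        if isinstance(event, ExecEvent):
            shipped = droplet_manifest.get(event.app, set())
            if p.drift_prevention and event.sha256 not in shipped:
                verdicts.append((p.name, "drift_prevention", p.action()))
            if event.path.rsplit("/", 1)[-1] in p.exec_blacklist:
                verdicts.append((p.name, "executable_blacklist", p.action()))
        elif isinstance(event, ConnectEvent) and p.network_whitelist:
            if not dst_allowed(p.network_whitelist, event.dst_ip, event.dst_name):
                verdicts.append((p.name, "network_whitelist", p.action()))
    return verdicts


def discover_whitelist(observed):
    """Network discovery: turn connections seen in a learning window into
    rules, preferring DNS names (stable across re-deploys) over host routes."""
    return {c.dst_name or str(ipaddress.ip_network(c.dst_ip)) for c in observed}


def digest(data):
    return hashlib.sha256(data).hexdigest()


# Constructed droplet manifest: digests of the binaries each app shipped with.
MANIFEST = {
    "payments-api": {digest(b"java-runtime"), digest(b"start.sh")},
    "wiki": {digest(b"ruby")},
}
PCI_POLICY = RuntimePolicy(
    name="pci-apps", mode="enforce", spaces={"pci"}, drift_prevention=True,
    exec_blacklist={"nc", "ncat"}, network_whitelist={"db.internal.example", "10.0.0.0/8"},
)
INTERNAL_POLICY = RuntimePolicy(name="internal-apps", mode="audit", apps={"wiki"}, drift_prevention=True)
POLICIES = [PCI_POLICY, INTERNAL_POLICY]


def demo():
    """Run constructed events through the policies; returns one verdict list per event."""
    events = [
        ExecEvent("payments-api", "pci", "/home/vcap/app/bin/java", digest(b"java-runtime")),
        ExecEvent("payments-api", "pci", "/tmp/miner", digest(b"dropped-binary")),
        ExecEvent("payments-api", "pci", "/bin/nc", digest(b"netcat")),
        ExecEvent("wiki", "internal", "/tmp/miner", digest(b"dropped-binary")),
        ConnectEvent("payments-api", "pci", "10.1.2.3", "db.internal.example"),
        ConnectEvent("payments-api", "pci", "203.0.113.7"),
        ConnectEvent("wiki", "internal", "203.0.113.7"),
    ]
    return [evaluate(e, POLICIES, MANIFEST) for e in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note the asymmetry between the two policies: the PCI space enforces, so the dropped binary and the off-list connection are blocked, while the internal app only audits, so the same drift produces an alert. That audit-first rollout is how a team validates a policy before switching it to Enforce.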

Diego Cell Security and Compliance

Cloud Foundry uses the Diego system to manage app containers. Diego is a self-healing container management system that keeps the correct number of app instances running on Diego cells (the host VMs), recovering from network failures and crashes.

In addition to securing the application instances running in PAS environments, Aqua also secures the host infrastructure they run on, i.e. the Diego cells. Aqua automatically scans the cells for known vulnerabilities, sensitive data such as private keys, and malware, using the same aggregated vulnerability feed as for Droplets. Below you can see the results of such a scan on a particularly vulnerable host:

[Screenshot: vulnerability scan results for a Diego cell]

Aqua also tests Diego cell compliance against the CIS Linux Benchmark, providing a view of its security posture against configuration best practices, patching, file system integrity, etc.

[Screenshot: CIS Linux Benchmark results for a Diego cell]

Additionally, you can create Assurance Policies within Aqua to monitor the configuration of cells against those policies and alert on any drift. We also monitor user access and behavior, and apply File Integrity Monitoring (FIM, currently in preview) to detect tampering with the Diego cell's file system.

The result is a clear assessment of the Diego cell’s security and compliance posture:

[Screenshot: Diego cell security and compliance assessment]
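
As an added example of the file-integrity side of this (written for this post, not Aqua's FIM), the block below baselines the content hash, size, mode and owner of files under a few watched paths and reports anything added, removed or modified on a later pass. The watched paths and the files created in `demo()` are constructed stand-ins for what a cell actually holds. A real deployment stores the baseline off the cell, so an attacker with root cannot rewrite it along with the files it describes.

```python
"""File integrity monitoring for a Diego cell, written as an added example
for this post (not Aqua's FIM). Baselines hash, size, mode and owner of
files under watched paths and reports added/removed/modified entries."""
import hashlib
import os
import stat
import tempfile

# Paths a cell operator would typically watch; constructed list for this example.
WATCH_PATHS = ["var/vcap/jobs/rep/config", "var/vcap/packages/garden", "etc/ssh"]


def _fingerprint(path):
    """Hash file content (or a symlink's target) and record size, mode bits and owner,
    so both content changes and permission changes such as a new setuid bit show up."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root, watch_paths=WATCH_PATHS):
    """Map each watched file (relative to root) to its fingerprint."""
    baseline = {}
    for rel in watch_paths:
        top = os.path.join(root, rel)
        if os.path.isfile(top):
            baseline[rel] = _fingerprint(top)
            continue
        for dirpath, _, filenames in os.walk(top):
            for name in filenames:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def compare(root, baseline, watch_paths=WATCH_PATHS):
    """Re-fingerprint the watched paths and diff against a stored baseline."""
    current = build_baseline(root, watch_paths)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed cell layout in a temp dir: baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("var/vcap/jobs/rep/config/rep.json", b'{"cell_id": "cell-1"}\n')
        write("var/vcap/packages/garden/bin/gdn", b"\x7fELF-constructed", 0o755)
        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        write("etc/ssh/sshd_config", b"PermitRootLogin yes\n")           # content changed
        write("var/vcap/packages/garden/bin/gdn", b"\x7fELF-constructed", 0o777)  # same bytes, mode changed
        write("var/vcap/jobs/rep/config/.backdoor.sh", b"#!/bin/sh\n")  # new file
        os.remove(os.path.join(root, "var/vcap/jobs/rep/config/rep.json"))  # file removed
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Recording mode bits alongside the hash matters: the garden binary in the demo keeps identical content, and a hash-only monitor would miss that it became world-writable.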

Securing the Hybrid Enterprise

Cloud Foundry was initially released into the market as an open source project in 2011, and Pivotal was founded two years later to commercialize it as a multi-cloud platform. While the evolution of Docker containers and Kubernetes has taken a parallel track, the two are on a path towards convergence or at least happy co-existence.

With Aqua’s security platform for PAS environments providing full protection from development to production, we enable organizations to get unified security across both PAS environments and Kubernetes-based environments using a single pane of glass for policy management and visibility, and native capabilities suited to each mode of cloud native deployment. As organizations increase their use of Kubernetes, Aqua will also enable them to migrate more smoothly from one environment to the next.

This is also why Aqua provides security for Pivotal Container Service (PKS), for which we’ve been certified by VMware and Pivotal.

Pivotal customers can download the new Aqua Security for PCF tile directly from the Pivotal Network.

Liran Kogan
Liran was a Product Manager at Aqua Security.