Sysdig buys 'policy as code' startup Apolicy to automate compliance and governance

Freshly minted DevOps unicorn Sysdig Inc. is spending some of the money it raised recently to buy a startup called Apolicy.IO Inc. that specializes in “infrastructure as code” security.

The company today announced its intent to acquire Apolicy, saying it will bolster its own secure DevOps capabilities with compliance and governance enforcement via “policy as code.”

Sysdig sells tools for securing container environments that are used to host modern software applications that can run on any computing platform. Its main product is Sysdig Monitor, a cloud-native intelligence platform that helps manage large deployments of containers. It does so by listing the different network connections to each instance within a cluster, displaying the traffic each one handles and the bandwidth being used.

Sysdig’s other main tool is Sysdig Secure, which works by tapping into the data produced by system calls generated in a container environment. Those are the requests that application components send to the operating system on which they run when certain key actions need to be performed.

The acquisition of Apolicy adds infrastructure-as-code security to Sysdig’s capabilities. Developers are increasingly using IaC to gain more operational control of the infrastructure on which their applications run.

IaC refers to the practice of using configuration files to manage information technology infrastructure, rather than physical hardware configuration or interactive tools. Traditionally, managing IT infrastructure used to be a cumbersome, manual process where server hardware was physically put in place and configured manually for each application and operating system. IaC is a more efficient and consistent way of managing IT infrastructure that dramatically speeds things up.

Sysdig says that though IaC is effective, it can also be easy to overlook the security side. It explains that misconfigurations in IaC are common, as evidenced by the numerous high-profile cloud breaches that hit the headlines.

The idea with IaC security is to automate and enforce compliance and governance by applying policies as code, so as to validate configuration files and production environments and ensure they are identical. If a runtime deviation occurs, it will be discovered automatically and remediated at the source to ensure it doesn’t happen again.

That’s what Apolicy will bring to the table. It enables developers to apply consistent policies and best practices across multiple IaC environments, Sysdig said. It also provides DevOps and security teams with a more consistent, unified view of their security requirements. Apolicy enables auto-remediation too, allowing DevOps teams to instantly map any runtime error to the IaC source file. The error can then be fixed with a simple pull request.

Finally, Apolicy allows teams to consolidate alerts by identifying which production instances are affected by a specific IaC error, so they can prioritize which ones to fix based on application context, Sysdig explained.

“Most breaches are caused by configuration errors, so customers want a single platform that detects configuration errors pre-deployment and identifies drift in production,” said Sysdig Chief Executive Suresh Vasudevan. “Sysdig delivers a secure DevOps workflow for infrastructure and workloads and automatically closes the loop from production to source by fixing issues identified at runtime.”

Image: Sysdig