The Aporeto Platform

The Aporeto Zero Trust Cloud Security Platform provides comprehensive network security solutions that include: Distributed Firewall, Kubernetes Network Security and Cloud Privileged Access Management (PAM) using application identity rather than IP addresses. Aporeto allows you to build and enforce distributed identity-based policies that enable authentication, authorization, and encryption across heterogeneous infrastructure at scale. The Aporeto SaaS-based platform is built for cloud-native applications, simplifies hybrid cloud security, and delivers security at the speed of DevOps.

Leading Enterprises Trust Aporeto

How it Works

Platform page-howitworks-05

Aporeto Security Orchestrator – functions as the control panel and is responsible for the application identity broker, application identity federation, policy engine and monitoring. From here policies are distributed to all the individual workloads, in addition to the tasks of data collection and aggregation, analytics and incident response. The Security Orchestrator has powerful APIs that allow the Aporeto Platform to integrate seamlessly with a broad set of enterprise platforms into the entire infrastructure, from CI/CD pipeline, to user single sign-on (SSO), and to security operations center (SOC).


Aporeto Distributed Policy Enforcer – is deployed as either a container or as an enforcement node on an individual host or virtual machine (VM). Any workload outfitted with the Distributed Policy Enforcer and working in conjunction with the Security Orchestrator, is enabled with automated issuance and management of security policy at different layers of the stack. Distributed Policy Enforcers implement functions that include: threat monitoring, transparent network security, API authorization and authentication.


Policy Engine – is a policy framework that is centrally managed/visualized, but distributed and enforced locally on application nodes. Unique to Aporeto is the ability to compile comprehensive application identity tags about monitored applications and infrastructure – these tags are derived from enterprise identity sources (including the host, container platform, container image vulnerability scanner, and cloud provider). The policy filtering factors use these identity tags to control operating system calls, file access, and L3/4/7 network access.


Application Identity Broker – Aporeto normalizes application identity from a variety of enterprise sources (e.g. the operating system, the container host, the cloud provider, and 3rd party sources of metadata such as container image vulnerability scanner, and user OIDC identity providers) by using API calls to broker metadata about monitored applications and infrastructure. Metadata in different domains is normalized in Aporeto for securing application service network access, application API access, and server SSH access.


Application Identity Federation – Since Aporeto secures applications at the network and operating system levels with identity abstraction, Aporeto can normalize identity and security policy across a heterogeneous topology of Linux, Docker, Kubernetes, Windows servers, and human or automated users.


Monitoring – Aporeto is a security monitoring engineer’s toolkit. While you can use our visualization dashboards or export data to a SIEM system for correlation against other events, Aporeto has a variety of ways to poll for any Aporeto object metadata or security event. From flow data and graphs in the Aporeto web UI, to automated access via API or the apoctl command-line tool, to in-product programmable javascript-based automation, every relevant security event or Aporeto object metadata can be accessed programmatically.


Distributed Firewall

Aporeto provides a uniform approach to security independent of network and infrastructure complexities. Security is moved up the stack to the application level using application identity, without relying on IP addresses. Aporeto’s identity-based model enables granular microsegmentation with seamless distributed security policy management, end-to-end visualization and enforcement across heterogeneous infrastructure. Aporeto generates a unique multi-attribute contextual identity for any application component which is created and managed by the Aporeto platform. Aporeto automates security, monitors and protects applications at L3, L4 and L7 through white listing, allowing only authorized and authenticated interactions to occur. Policies remain portable and persistent across applications and workloads, clouds and clusters no matter where they reside in your hybrid cloud environment. Aporeto Distributed Firewall enables simpler operations and a more robust security solution.


Kubernetes Network Security

Aporeto provides defense-in-depth for Kubernetes and containerized workloads, with consistent policy enforcement across multiple clouds, clusters and heterogeneous infrastructure at scale. The Aporeto zero trust SaaS-based solution protects the whole node and not just the pods in a Kubernetes cluster. Aporeto provides developers with greater agility to securely deploy Kubernetes workloads or microservices across hybrid cloud environments with persistent identity-based security. DevOps teams can accelerate application deployment with security and compliance already incorporated as policy-as-code. Aporeto Kubernetes Network Security works seamlessly with other Kubernetes technologies, including all existing and cloud-native container network interface (CNI) architectures and service mesh products such as Istio. By using one tool to reduce overall security infrastructure complexity, security teams can remain agile experiencing significant ROI cost savings and accelerate product time-to-market.

Learn More

Cloud PAM

Aporeto Cloud PAM provides secure access to cloud infrastructure and resources while enforcing least privilege role-based access by leveraging your corporate identity provider (IdP) for single sign-on (SSO) to issue time bound SSH client certificates to users. Enterprise organization can eliminate the need for SSH keys management, secrets management, and use of VPNs, IP ACLs, and jump boxes, by implementing just-in-time access policies based on user identity. Every user is issued a unique, ephemeral, time-bound certificate based on his/her identity independent of the underlying user account. The Cloud PAM identity-based policy model enables organizations to provide a federated identity for each user that can be applied for access to any resource across hybrid or cloud infrastructure that uses IAM. Security teams can now granularly manage cloud credentials and restrict access to critical infrastructure and resources while simplifying the ability to meet compliance requirements. Every access request is logged, and every access must be explicitly authorized. Aporeto enables you to log centrally and export all CLI commands issued by individual users on your hosts, for easier auditing and proof of compliance.

Learn More

Aporeto Platform Compliance and Partner Certifications

Security Solutions for Your Cloud


Aporeto is accelerating our expansion to the cloud.

Aporeto is accelerating our expansion to the cloud. With Aporeto, we can secure our Linux workloads on any infrastructure with end-to-end encryption and have a path for modernizing with a security layer that is future-proofed.

Alec Chattaway

Director Cloud Infrastructure Operations

Get Started with Aporeto Today!

Key Resources