The best way to understand something is to see it in action. So here’s a concrete example of the Aporeto platform in use, which demonstrates how Aporeto’s application identity-based approach to cloud security is vastly superior to a traditional IP address security model.
An Application Identity-Based Approach
Assume three users or processes want to access a Linux system or a Hadoop cluster. Aporeto will monitor the running application and use advanced analytics on the information collected to understand the intent of the application automatically, then generate the security policies that represent a healthy, working application. Once the automatic discovery phase is complete, SecOps personnel can view the security policies as well as edit them, to fine-tune the security of the overall application.
The users of the system are known by more than just their user-ID. Additional contextual information is used to create a Trust Profile for each user.
See the diagram below. Trust is unidirectional, so in this example the user aslt.desal (top-left) can access the Linux system, but the Linux system cannot communicate with aslt.desal unless that Access Policy is explicitly defined. The Linux system can access the Hadoop cluster on behalf of aslt.desal, but aslt.desal cannot access the Hadoop cluster directly. Application Policies make it easy to set up and maintain end-to-end security across all of the components of the cloud-native application.
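To make the directional, identity-based policy model concrete, here is a small Python policy evaluator. It is an added illustration, not Aporeto's code: the identity tags (for example group=analysts, app=linux-system), the policy names, and the sample IP addresses are all constructed assumptions. It evaluates the four flows described above with default deny, and shows that a changed IP address does not change the decision because the policy is keyed on identity, not on addresses.

```python
"""Toy identity-based access policy evaluator (illustrative only; not Aporeto's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """A Trust Profile: a principal's name plus contextual "key=value" tags.
    The IP address is deliberately NOT part of the identity."""
    name: str
    tags: frozenset


@dataclass(frozen=True)
class AccessPolicy:
    """Allows flows whose source carries every tag in `src_sel` and whose
    destination carries every tag in `dst_sel`. One direction only."""
    name: str
    src_sel: frozenset
    dst_sel: frozenset


def selector_matches(identity: Identity, selector: frozenset) -> bool:
    """A selector matches when all of its tags are present on the identity."""
    return selector <= identity.tags


def authorize(src: Identity, dst: Identity,
              policies: Iterable[AccessPolicy]) -> Tuple[bool, Optional[str]]:
    """Default deny; returns (allowed, name of the first matching policy)."""
    for p in policies:
        if selector_matches(src, p.src_sel) and selector_matches(dst, p.dst_sel):
            return True, p.name
    return False, None


def authorize_flow(flow: Dict[str, str], directory: Dict[str, Identity],
                   policies: Iterable[AccessPolicy]) -> Tuple[bool, Optional[str]]:
    """Resolve the endpoints of a captured flow to identities; the IPs in the
    flow record play no part in the decision."""
    return authorize(directory[flow["src"]], directory[flow["dst"]], policies)


# Constructed sample identities mirroring the diagram in the post (hypothetical tags).
USER = Identity("aslt.desal", frozenset({"type=user", "user=aslt.desal", "group=analysts"}))
LINUX = Identity("linux-system", frozenset({"type=host", "app=linux-system", "env=prod"}))
HADOOP = Identity("hadoop-cluster", frozenset({"type=cluster", "app=hadoop", "env=prod"}))
DIRECTORY = {i.name: i for i in (USER, LINUX, HADOOP)}

# Constructed policies: analysts may reach the Linux system; the Linux system may reach Hadoop.
POLICIES = (
    AccessPolicy("analysts-to-linux", frozenset({"group=analysts"}), frozenset({"app=linux-system"})),
    AccessPolicy("linux-to-hadoop", frozenset({"app=linux-system", "env=prod"}), frozenset({"app=hadoop"})),
)


def demo() -> Dict[str, object]:
    """Evaluate the four flows discussed in the text plus an IP-change case."""
    results: Dict[str, object] = {
        "user->linux": authorize(USER, LINUX, POLICIES),     # allowed
        "linux->user": authorize(LINUX, USER, POLICIES),     # denied: no reverse policy
        "linux->hadoop": authorize(LINUX, HADOOP, POLICIES), # allowed
        "user->hadoop": authorize(USER, HADOOP, POLICIES),   # denied: user is not the Linux system
    }
    # Same identities, different source address (constructed IPs): the verdict is
    # unchanged because the policy is keyed on identity tags, not on addresses.
    before = {"src": "linux-system", "dst": "hadoop-cluster", "src_ip": "10.0.1.5", "dst_ip": "10.0.9.2"}
    after = dict(before, src_ip="10.0.1.77")
    results["linux->hadoop after IP change"] = authorize_flow(after, DIRECTORY, POLICIES)
    results["ip_independent"] = (authorize_flow(before, DIRECTORY, POLICIES)
                                 == authorize_flow(after, DIRECTORY, POLICIES))
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32} {verdict}")
```

Note that every flow not covered by an explicit allow policy is denied, and that the Linux-to-user direction fails even though the user-to-Linux direction succeeds; a static IP rule between those two hosts would typically permit both.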
Overcoming Problems Inherent in the Old Security Perimeter Model
To summarize, the Aporeto platform eliminates problems inherent in the old security perimeter model of securing applications by using application identity. Rather than managing thousands of static rules and configuration settings across various vendors' firewalls, IPS, WAF, NAC, and VPN gateways, SecOps personnel can now leverage Aporeto. Aporeto does not require any changes to source code. It watches application component interactions and uses machine learning to automatically generate Network Policies, which are enforced by the Aporeto Enforcer running on each physical or virtual host as a proxy in front of the TCP/IP stack. The end result is unsurpassed end-to-end security, ease of deployment, and visibility and control of the security posture for an application.
Reduce Complexity, Cost and Risk
Thanks to the reduced complexity that comes from using the Aporeto Zero Trust Cloud Security solution, DevSecOps personnel can focus on activities that advance the business, rather than wrestling with the problems inherent in the old, network-oriented application security model and role-based access controls (RBAC). Once Aporeto is in use, the organization’s security posture changes right away. It goes from being unclear and difficult to maintain, to being current, easy to maintain, and verifiable – lowering costs, improving security, mitigating organizational risk, and increasing velocity of innovation of the organization to better serve customers and out-maneuver competitors.
To learn more about Aporeto’s platform, watch our demo here. Learn about the key features and use cases of the Aporeto platform in our product brief. Additionally, Aporeto’s application identity approach to cloud security enables distributed policy security enforcement across Kubernetes multi-cluster and multi-cloud, with end-to-end visibility, centralized management, and automated container runtime protection. Learn more in our whitepaper Defining Security for a Kubernetes Deployment.