Application-aware Security, Part 1: Working in a Zero Trust Environment

By: Amir Sharif 04.04.2019

Aporeto’s Zero Trust Operating Model

The Aporeto Platform is the single pane of glass to the Aporeto solution and can be offered as a SaaS product or hosted on premise. The Platform scales horizontally, supports up to tens of thousands of physical or virtual hosts/nodes, and is self-healing for redundancy. Each participating host runs an Aporeto Enforcer, which stands in for the TCP/IP stack and permits or denies a Processing Unit (Linux process or Docker container) from performing actions within the system. A Zero Trust Model is used, so a Processing Unit (PU) cannot perform any actions unless it has been explicitly given permission to do so by an Aporeto Network Policy.

Chain of Trust


Overview of the Aporeto Platform using Enforcers to implement Zero Trust Policies

Each PU must be trusted by the Aporeto Platform. The chain of trust is established by first requiring that each physical or virtual host register and run the Aporeto Enforcer service. Registration is with the Aporeto Identity Access Management (IAM) system, which may be run locally or in the Aporeto SaaS cloud. Aporeto will either store the registration information in its built-in IAM or federate with popular IAMs such as Google cloud, Amazon cloud, or a corporate LDAP-compliant IAM such as Active Directory.

After being registered, the Enforcer generates a public-private key pair locally, keeps the private key private, and sends an X.509 digital certificate containing the newly created public key and unique information that identifies the host to the Aporeto CA, where it is signed and returned to the host.

Once the Aporeto Enforcer running on each host has established a strong cryptographic chain of trust with the Aporeto CA, it is ready to use its signed X.509 certificate to sign a Trust Profile for each PU running on that host. The Trust Profile is automatically sent on behalf of the PU when it attempts to perform operations on the Aporeto Platform.

Object Tags

Each Processing Unit (PU) has a collection of tags associated with it that come from 5 different sources: object attributes, attributes defined by the user when starting a Docker container, attributes that are auto-defined by the Aporeto Enforcer, attributes from user authentication tokens, and other user-defined attributes. These tags are swept up and included in the Trust Profile that Aporeto automatically generates for each PU.
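The chain of trust and the Trust Profile described in the two sections above, as an added example that is not Aporeto's code: a key pair is generated locally and certified by a CA, the host-side key then signs a profile built from a PU's tags, and the platform side accepts the profile only if the signing certificate chains to the CA and the signature verifies. The function names, the certificate fields and the tag values are constructed for this example; the real Platform's wire format is not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// certify generates a key pair locally and returns it with a certificate for cn: with parent == nil the result is a self-signed root (standing in for the Aporeto CA), otherwise caKey signs it.
func certify(cn string, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the private key never leaves this host
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root: signs itself and is allowed to sign Enforcer certificates
		parent, caKey, tmpl.KeyUsage = tmpl, key, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signProfile is the Enforcer side: the PU's tags become the Trust Profile, signed with the Enforcer key.
func signProfile(key *ecdsa.PrivateKey, tags []string) ([]byte, []byte, error) {
	profile := []byte(strings.Join(tags, "\n"))
	sum := sha256.Sum256(profile)
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return profile, sig, err
}

// verifyProfile is the platform side: the certificate must chain to the CA and the signature must verify under it; the trusted host identity comes from the certificate, not from the profile body.
func verifyProfile(caCert, enfCert *x509.Certificate, profile, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := enfCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	if err := enfCert.CheckSignature(x509.ECDSAWithSHA256, profile, sig); err != nil {
		return "", err
	}
	return enfCert.Subject.CommonName, nil
}
```

A profile altered in transit, or one signed by a key whose certificate was not issued by the CA, fails verifyProfile, which is the property the Zero Trust model relies on.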

Next week, we will discuss the second phase of this 3-part series on Application-aware Security. Stay tuned!
