E-Xact is a credit card transaction gateway company that serves some of North America’s largest banks. Etherparty is a blockchain-based smart contracts company that settles and confirms financial transactions. Both of these dynamic, cutting-edge companies realized that the old-fashioned way of approaching cloud security wasn’t going to cut it. Their unique security requirements demanded the agile, Zero Trust approach of Aporeto.
E-Xact’s latest solution is built exclusively with containers and is orchestrated with Kubernetes. The Kubernetes clusters run on AWS EC2 instances. E-Xact currently manages the Kubernetes clusters itself but foresees migrating to either AWS ECS or EKS to offload infrastructure management tasks.
To satisfy audit requirements, the Kubernetes-orchestrated application needs to mimic a traditional 3-tier application. Altogether, there are 60 Kubernetes pods in each availability zone, and this architecture is replicated across 3 availability zones. The backend database (MongoDB) has to be kept in sync across all three AZs.
E-Xact also has a set of brown-field services in their data center into which this Kubernetes-based solution must be integrated. Moreover, the solution must be integrated with external services and E-Xact’s partner network:
E-Xact’s complex security requirements were divided into five parts:
These security requirements mean that traditional (IP-based) network security presents a number of challenges:
The E-Xact use case demonstrates how and why the nature of cloud security is changing. They couldn’t rely on the old way of doing things, which would have meant:
With Aporeto, E-Xact was instead able to get:
Like E-Xact, Etherparty had unique and complex security needs. The company’s solution is built with containers and is orchestrated with Kubernetes on AWS EC2. The solution depends on HSM-based (hardware security module) keys for secrets management in its highly secure application architecture.
This architecture is replicated in multiple availability zones. The core HSM service is located in two of the company’s own data centers, and the company must ensure that no rogue service or container can reach those HSM services.
Because container IP addresses are constantly changing, Etherparty opted to use Aporeto to generate a cryptographic application identity for each workload, and to authenticate and authorize HSM requests against that identity rather than against a source IP address. Aporeto auto-generates application identity through three steps:
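The contrast between IP-based network rules and cryptographic application identity, as an added illustration (this is not Aporeto’s code, and it does not reproduce the three-step mechanism above, which the post does not detail): a constructed identity issuer binds a workload’s attributes (namespace and app name, not its IP) into a short-lived signed credential, and the HSM front end authorizes each operation against those attested attributes. The HMAC signing key, the attribute names, the policy rules and the IP addresses are all assumptions made up for the example; a real deployment would use a cluster CA with asymmetric keys rather than a shared HMAC key. Python standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the identity issuer's trust root.
# Shared-secret HMAC is used only to keep the example stdlib-only; a real
# system would issue certificates or asymmetrically signed tokens.
ISSUER_KEY = b"constructed-demo-key-do-not-use"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_identity(key: bytes, attrs: dict, now: float, ttl: int = 300) -> str:
    """Bind workload attributes (never its IP) into a signed, expiring credential."""
    payload = dict(attrs, exp=int(now) + ttl)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_identity(key: bytes, token: str, now: float):
    """Return the attested attributes, or None if the credential is invalid or expired."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    attrs = json.loads(body)
    if attrs.get("exp", 0) <= now:
        return None
    return attrs

# Constructed policy for the HSM front end: rules match on attested attributes
# only; the caller's source IP never appears anywhere in the decision.
HSM_POLICY = [
    {"namespace": "settlement", "app": "signer", "op": "sign"},
    {"namespace": "settlement", "app": "key-admin", "op": "rotate"},
]

def authorize_hsm_request(key: bytes, token: str, op: str, now: float):
    attrs = verify_identity(key, token, now)
    if attrs is None:
        return False, "no valid identity"
    for rule in HSM_POLICY:
        if rule["op"] == op and all(
            attrs.get(k) == v for k, v in rule.items() if k != "op"
        ):
            return True, f"allowed by rule {rule}"
    return False, f"{attrs.get('namespace')}/{attrs.get('app')} may not {op}"

def ip_acl_allows(allowlist: set, source_ip: str) -> bool:
    """The IP-based control being replaced, kept for contrast."""
    return source_ip in allowlist

def _forge(token: str, **changes) -> str:
    """Attacker model: edit the claims but keep the original tag."""
    body_b64, tag_b64 = token.split(".")
    attrs = json.loads(_unb64(body_b64))
    attrs.update(changes)
    body = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + tag_b64

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the scenarios and return outcome -> allowed?; IPs are constructed."""
    ip_allowlist = {"10.0.1.5"}  # the signer pod's IP when the ACL was written
    signer = issue_identity(ISSUER_KEY, {"namespace": "settlement", "app": "signer"}, now)
    return {
        # Pod rescheduled onto a new IP: the identity still works, the ACL breaks.
        "rescheduled_pod_by_identity": authorize_hsm_request(ISSUER_KEY, signer, "sign", now)[0],
        "rescheduled_pod_by_ip_acl": ip_acl_allows(ip_allowlist, "10.0.7.22"),
        # Rogue container that inherited the old IP: the ACL lets it in, identity does not.
        "rogue_container_by_ip_acl": ip_acl_allows(ip_allowlist, "10.0.1.5"),
        "rogue_container_by_identity": authorize_hsm_request(ISSUER_KEY, "", "sign", now)[0],
        # Claim escalation without the issuer's key fails the signature check.
        "forged_admin_claim": authorize_hsm_request(
            ISSUER_KEY, _forge(signer, app="key-admin"), "rotate", now)[0],
        # A genuine signer still cannot perform an operation policy does not grant it.
        "signer_requests_rotate": authorize_hsm_request(ISSUER_KEY, signer, "rotate", now)[0],
        # Credentials expire, so a leaked token has a bounded lifetime.
        "expired_token": authorize_hsm_request(ISSUER_KEY, signer, "sign", now + 600)[0],
    }

if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:32s} {'ALLOW' if allowed else 'DENY'}")
```

The two "rescheduled" and "rogue" pairs are the whole argument for identity over IP: the IP ACL gives the wrong answer in both directions once container addresses churn, while the identity check tracks the workload wherever the scheduler places it.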
This system worked like a charm for Etherparty.
These are just two examples of how Aporeto is helping companies meet their security needs. To read more, view our infographic or visit aporeto.com to learn more about how we can help a variety of different businesses.