AWS Container Security Use Cases with Aporeto Showcasing E-Xact Transactions and Etherparty

By: Amir Sharif 11.06.2018

E-Xact are a credit card transaction gateway company that services some of North America’s largest banks. Etherparty are a blockchain-based smart contracts company that settles and confirms financial transactions. Both of these dynamic, cutting-edge companies realized that the old-fashioned way of approaching cloud security wasn’t going to cut it. Their unique security requirements demanded the agile, Zero Trust approach of Aporeto.

E-Xact’s latest solution is built exclusively with containers and is orchestrated with Kubernetes. The Kubernetes clusters are running on AWS EC2 instances. E-Xact manages the Kubernetes instance at this point but foresees migrating to either AWS ECS or EKS to offload infrastructure management tasks.  

To satisfy audit requirements, the Kubernetes-orchestrated application needs to mimic a traditional 3-tier application. Altogether, there are 60 Kubernetes pods in each availability zone. This architecture is replicated in 3 different availability zones. The backend database (MongoDB) has to be synced in all AZs.

E-Xact also has a set of brown-field services in their data center into which this Kubernetes-based solution must be integrated. Moreover, the solution must be integrated with external services and E-Xact’s partner network.

E-Xact’s complex security requirements were divided into five parts:

  1. Isolation of Kubernetes pods to mimic a 3-tier traditional application.
  2. Well-defined ingress and egress communication points.
  3. Isolation of inter-pod communications.
  4. Traffic encryption.
  5. PCI-DSS Level 1 and SOC 2 Type II regulatory compliance.

These security requirements mean that traditional (IP-based) network security presents a number of challenges:

  • Highly complex setup with multiple solutions painstakingly cobbled together.
  • Rapidly changing IP addresses and network topology driven by container scale-up and scale-down operations, making it difficult, if not impossible, to maintain the proper security posture at all times.
  • DevOps development practices enabled high-velocity feature delivery schedules; however, developer velocity was impeded by traditional security complexity and inelegance.

The E-Xact use case demonstrates how and why the nature of cloud security is changing. They couldn’t rely on the old way of doing things. The old way would have meant:

  1. Fragile security dependent on constantly changing IP addresses and network topology.
  2. Complex operations needed to maintain proper configurations in dynamic environments.
  3. Developer frustration, confusion, and pushback when trying to keep up with security and infrastructure requirements.

Instead of this, with Aporeto, E-Xact were able to get:

  1. Stronger protection with Identity-Based security for Zero Trust environments.
  2. Simpler operations by reducing the appliance maze, with the option of a flat L3 network.
  3. Zero-touch for developers – no process, framework, or code changes.
  4. Cap-Ex and Op-Ex savings.

Like E-Xact, Etherparty had unique and complex security needs. The company’s solution is built with containers and is orchestrated with Kubernetes on AWS EC2. The solution depends on HSM-based keys for secrets management in their highly-secure application architecture.

This architecture is replicated in multiple availability zones. The core HSM service is located in two proprietary data centers. The company must ensure that no rogue services or containers attempt to access their HSM services.

Because container IP addresses are constantly changing, Etherparty opted to use Aporeto to generate cryptographic application identity for authenticating and authorizing HSM requests, which made Aporeto the perfect fit for their needs. Aporeto auto-generates application identity through three steps:

  1. Monitor for new processes and container workloads.
  2. Collect metadata from the orchestrator, OS, and other available resources.
  3. Generate a unique list of key-value pairs, inject a nonce, and cryptographically sign the result.
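The three steps above, as an added illustration that is not Aporeto’s or Etherparty’s code: metadata collected for a workload (a constructed sample) is canonicalised into sorted key-value pairs, a nonce is added, and the result is signed; an HSM front end then authorises a request by the verified attributes rather than by the caller’s IP address. The shared HMAC key, the attribute names and the policy selector are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: the identity issuer and the HSM front end share this key.
# A real deployment would use an issuer-held signing key and public verification.
IDENTITY_KEY = b"constructed-demo-key-do-not-reuse"

def _canonical(attrs: dict, nonce: str) -> bytes:
    # Sorted keys and fixed separators give one byte string per identity.
    return json.dumps({"attrs": attrs, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()

def build_identity(metadata: dict, nonce: Optional[str] = None) -> dict:
    """Steps 2 and 3: normalise collected metadata, inject a nonce, sign."""
    attrs = {k: str(v) for k, v in metadata.items()}
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(IDENTITY_KEY, _canonical(attrs, nonce), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "nonce": nonce, "sig": sig}

def verify_identity(identity: dict) -> bool:
    """Reject any identity whose attributes or nonce were altered after signing."""
    expected = hmac.new(IDENTITY_KEY, _canonical(identity["attrs"], identity["nonce"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, identity.get("sig", ""))

# Hypothetical policy: only the signing namespace's tx-signer workload may reach the HSM.
HSM_POLICY = {"k8s.namespace": "signing", "k8s.app": "tx-signer"}

def authorize_hsm_request(identity: dict, seen_nonces: set) -> bool:
    """Identity-based authorisation: signature, freshness, then attribute match."""
    if not verify_identity(identity):
        return False
    if identity["nonce"] in seen_nonces:      # replayed identity
        return False
    seen_nonces.add(identity["nonce"])
    return all(identity["attrs"].get(k) == v for k, v in HSM_POLICY.items())

# Constructed sample metadata for a legitimate workload and a rogue container.
SIGNER_META = {"k8s.namespace": "signing", "k8s.app": "tx-signer", "host": "ip-10-0-1-5"}
ROGUE_META = {"k8s.namespace": "default", "k8s.app": "debug-shell", "host": "ip-10-0-1-5"}
```

Note that both sample workloads share the same host; the decision depends only on the signed attributes.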

This system worked like a charm for Etherparty.

These are just two examples of how Aporeto is helping companies meet their security needs. To read more, view our infographic or visit to learn more about how we can help a variety of different businesses.
