Aporeto: An AWS Partner
As a member of the AWS Partner Network (APN), Aporeto integrates with AWS to help enterprises efficiently deploy, manage, and secure applications at scale on Kubernetes, Docker, Linux, Mesos, and others. Aporeto uses the AWS instance identity document, API-accessible and cryptographically signed metadata available on every AWS instance, as contextual identity.
Implementing AWS Cloud Security
The contextual identity is inherited by workloads which can be a process on an EC2 instance or a container/pod running on an EC2 instance. The contextual identity combines with additional static metadata from the workload. Aporeto utilizes this workload identity as means to authorize all network communications between workloads within a Virtual Private Cloud (VPC), across VPCs independent of their region or availability zone, and across hybrid cloud environments.
Application-Aware Security for AWS
Aporeto provides critical security capabilities required for cloud applications, including network security, runtime protection, and API access control. These security capabilities are powered by application identity instead of IP addresses. This distinctive approach allows customers to abstract away infrastructure complexities and apply uniform security policies in hybrid cloud environments.
Etherparty: A Case Study
One example of the outcome of this partnership is Etherparty, an AWS customer with unique and complex security needs. The company's solution is built with containers and orchestrated with Kubernetes on Amazon Elastic Compute Cloud (Amazon EC2). The solution depends on Hardware Security Module (HSM)-based keys for secrets management in its highly secure application architecture.
This architecture is replicated in multiple AWS Availability Zones (AZs). The core HSM service is located in two proprietary data centers, and Etherparty must ensure that no rogue services or containers attempt to access their HSM services. Because container IP addresses are constantly changing, Etherparty opted to use Aporeto to generate cryptographic application identity to authenticate and authorize HSM requests. Aporeto auto-generates application identity through three steps:
- Monitor for new processes and container workloads;
- Collect metadata from the orchestrator, the operating system (OS), and other available sources;
- Generate a unique list of key-value pairs, inject a nonce, and cryptographically sign the result.
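The three steps above, worked through as an added example that is not Aporeto's own code: metadata from the instance identity document, the orchestrator, and the OS is merged into a sorted claim set, a random nonce is injected, and the canonical form is authenticated. The verifier in front of the HSM service checks the signature, rejects replayed nonces, and only then applies an authorization policy over the claims. All values are constructed; the instance identity document field names (accountId, instanceId, region, availabilityZone) are taken from the real document, while the key-prefix scheme, the policy shape, and the use of an HMAC in place of an asymmetric signature are assumptions made to keep the example self-contained.

```python
"""Workload identity from metadata + nonce + signature, verified before HSM access."""
import hashlib
import hmac
import json
import secrets

# Constructed sample inputs (not real AWS or Kubernetes values).
INSTANCE_IDENTITY = {            # field names mirror the EC2 instance identity document
    "accountId": "123456789012",
    "instanceId": "i-0abc123def4567890",
    "region": "us-east-1",
    "availabilityZone": "us-east-1a",
}
POD_METADATA = {                 # constructed orchestrator (Kubernetes) metadata
    "k8s:namespace": "hsm-clients",
    "k8s:pod": "signer-7d9f",
    "k8s:label:app": "signer",
}
OS_METADATA = {"uid": 1000, "exe": "/usr/bin/signer"}   # constructed OS-level metadata

# Assumption: the identity issuer holds this key. An HMAC stands in for the
# asymmetric signature a real deployment would use; the flow is otherwise the same.
ISSUER_KEY = b"constructed-issuer-key-do-not-use"


def collect_claims(instance_doc, orchestrator_meta, os_meta):
    """Step 2: merge metadata from every source into one flat, namespaced claim set."""
    claims = {}
    for prefix, source in (("aws", instance_doc), ("", orchestrator_meta), ("os", os_meta)):
        for key, value in source.items():
            claims[f"{prefix}:{key}" if prefix else key] = str(value)
    return claims


def canonical(claims, nonce):
    """Deterministic byte encoding of claims + nonce, so signer and verifier agree."""
    return json.dumps({"claims": claims, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def issue_identity(claims, key, nonce=None):
    """Step 3: sorted key-value list, injected nonce, signature over the canonical form."""
    nonce = nonce or secrets.token_hex(16)
    tag = hmac.new(key, canonical(claims, nonce), hashlib.sha256).hexdigest()
    return {"claims": dict(sorted(claims.items())), "nonce": nonce, "sig": tag}


class Verifier:
    """Receiving side, e.g. the enforcement point in front of the HSM service."""

    def __init__(self, key, policy):
        self.key = key
        self.policy = policy      # claim name -> value the caller must present
        self.seen_nonces = set()  # nonces already accepted; a repeat is a replay

    def check(self, ident):
        expected = hmac.new(self.key, canonical(ident["claims"], ident["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ident["sig"]):
            return "reject: bad signature"          # claims were altered after issuance
        if ident["nonce"] in self.seen_nonces:
            return "reject: replayed nonce"
        for name, required in self.policy.items():
            if ident["claims"].get(name) != required:
                return f"reject: {name}={ident['claims'].get(name)!r}"
        self.seen_nonces.add(ident["nonce"])
        return "allow"


def demo():
    """Runs the issuer and verifier over an authorized, a replayed, a tampered and a rogue identity."""
    hsm_gate = Verifier(ISSUER_KEY, {"aws:accountId": "123456789012",
                                     "k8s:namespace": "hsm-clients"})
    good = issue_identity(collect_claims(INSTANCE_IDENTITY, POD_METADATA, OS_METADATA), ISSUER_KEY)

    # A workload legitimately issued an identity, but from a namespace the policy does not allow.
    rogue_pod = dict(POD_METADATA, **{"k8s:namespace": "default", "k8s:pod": "curl-1"})
    rogue = issue_identity(collect_claims(INSTANCE_IDENTITY, rogue_pod, OS_METADATA), ISSUER_KEY)

    # The same rogue workload rewriting its own claims: the signature no longer matches.
    tampered = dict(rogue, claims=dict(rogue["claims"], **{"k8s:namespace": "hsm-clients"}))

    return [
        hsm_gate.check(good),      # allow
        hsm_gate.check(good),      # reject: replayed nonce
        hsm_gate.check(tampered),  # reject: bad signature
        hsm_gate.check(rogue),     # reject: k8s:namespace='default'
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: signature first, so that nothing in an unauthenticated token is trusted; nonce second, so a captured but valid token cannot be presented twice; policy last, over claims that are now known to be genuine. Because the claims are derived from the instance identity document and orchestrator metadata rather than from the pod's IP address, the policy stays valid as containers are rescheduled and their addresses change.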
Successful AWS Cloud Security Integration
Using Aporeto's integration to add AWS cloud security, Etherparty now has stronger protection through identity-based security for Zero Trust environments, and simpler operations, since the maze of appliances is reduced and a flat L3 network becomes an option. Etherparty also gets a zero-touch experience for developers, with no process, framework, or code changes.
To learn more about implementing the Aporeto solution to provide AWS cloud security, read our AWS Integration Guide here.