Easy Application Network Encryption and Access Control Without Re-coding Your Application

By: Mark Jimenez 11.14.2019

Enterprises have to support legacy client-server applications they have built over the years, porting and transforming them to run in today’s dynamically provisioned and scaled topologies. Depending on the industry, these applications handle sensitive data such as data subject to PCI DSS, PII, and PHI. For these compliance reasons, all data in transit needs to be encrypted end-to-end. The industry standard calls for transport layer security (TLS) for these applications, and without Aporeto that means making changes to software.

How do you dynamically secure and encrypt data end-to-end in network application flows without any changes to your application code?

Load balancers can terminate TLS, but this may not be secure enough for organizations whose compliance requirements mandate end-to-end encryption (e.g. PCI, HIPAA, etc.). Terminating encryption at the load balancer exposes unencrypted data in the zone between the load balancer and the server, and enterprises adopting a Zero Trust security posture need to extend encryption all the way to the server behind the load balancer. Involving the load balancer as an active participant in client-to-server encryption is cumbersome for certificate management and unnatural, because it breaks the client-to-server model with a two-sided, intervening device.

At Aporeto, we have worked with multiple customers with this security use case. Aporeto enables any client/server application to be TLS encrypted with zero code changes. The end result: meet encryption security compliance and let your developers focus on business logic, not security.

Creating an Aporeto Network Policy for encryption and access control is easy. With the on-host Aporeto Enforcer software installed on your application host, you can call out your choice of processes, containers, or ports by Aporeto identity tags derived from your operating system and, if present, your container platform, cloud, or any other third party via APIs. In the example of Aporeto Network Policy below, we are encrypting between a client and server via tags. Aporeto lets you use any application identity in policy for encryption and access control.

Application identity on your terms – use any tags in Aporeto Network Policy for network encryption and access control.


For a connection-terminating load balancer between the client and server, we just need to configure Aporeto with some basic networking information regarding the load balancer and the application.

The following is the Aporeto YAML configuration used to create the Aporeto service object that represents the Transmission Control Protocol (TCP) load balancer. The same configuration as entered through the user interface can be seen below. Aporeto can support load balancers that communicate via TLS or TCP.


APIVersion: 0
data:
  services:
    - IPs:
        - 172.31.130.211
        - 172.31.4.25
      TLSType: None
      annotations:
      associatedTags:
        - service=mylbtest3
      exposedPort: 7106
      hosts:
        - internal-lbtest3-1743880535.us-west-1.elb.amazonaws.com
      name: service_mylbtest3_7106_to_8106
      port: 8106
      selectors:
        - - $namespace=/aporeto/lbtest3
          - $identity=processingunit
          - $type=HostService
          - 'hs:name=tcp:8106'
      type: TCP
identities:
  - service

Aporeto configuration for application load balancers.
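As an added illustration (not Aporeto's own tooling), the following Python helper assembles a service object in the same shape as the YAML above from the facts an operator knows about the load balancer, and then checks the invariants the object has to satisfy: the selectors must pin a HostService on the backend port, the load balancer must be reachable by IP or hostname, and the name must follow the service_<tag>_<exposedPort>_to_<port> pattern seen above. Function names and the check logic are assumptions made for this example.

```python
import ipaddress
from typing import Dict, List


def build_lb_service(tag: str, exposed_port: int, backend_port: int,
                     lb_ips: List[str], lb_hosts: List[str], namespace: str) -> Dict:
    """Assemble a service object mirroring the page's YAML (hypothetical helper).

    exposed_port is the listener clients reach on the load balancer; backend_port is
    the port the application process listens on, pinned by the hs:name selector.
    """
    return {
        "IPs": list(lb_ips),
        "TLSType": "None",  # the LB passes plain TCP through; Aporeto adds TLS end-to-end
        "annotations": None,
        "associatedTags": [f"service={tag}"],
        "exposedPort": exposed_port,
        "hosts": list(lb_hosts),
        "name": f"service_{tag}_{exposed_port}_to_{backend_port}",
        "port": backend_port,
        "selectors": [[f"$namespace={namespace}", "$identity=processingunit",
                       "$type=HostService", f"hs:name=tcp:{backend_port}"]],
        "type": "TCP",
    }


def check_lb_service(svc: Dict) -> List[str]:
    """Return consistency problems found in a service object (empty list means OK)."""
    problems = []
    if svc.get("type") != "TCP":
        problems.append(f"unexpected type {svc.get('type')!r}")
    for ip in svc.get("IPs") or []:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid load balancer IP {ip!r}")
    if not (svc.get("IPs") or svc.get("hosts")):
        problems.append("service names no load balancer IPs or hostnames")
    # Every selector clause must target a HostService on the backend port; otherwise
    # traffic arriving from the LB would be mapped onto the wrong process.
    want_hs = f"hs:name=tcp:{svc.get('port')}"
    for clause in svc.get("selectors") or []:
        if "$type=HostService" not in clause:
            problems.append(f"selector {clause} does not target a HostService")
        if want_hs not in clause:
            problems.append(f"selector {clause} does not pin {want_hs}")
    tags = [t.split("=", 1)[1] for t in svc.get("associatedTags") or [] if t.startswith("service=")]
    expected = f"service_{tags[0]}_{svc.get('exposedPort')}_to_{svc.get('port')}" if tags else None
    if expected and svc.get("name") != expected:
        problems.append(f"name {svc.get('name')!r} should be {expected!r}")
    return problems
```

Running check_lb_service over a hand-edited object catches the common slip of changing the backend port without updating the selector or the name.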


Now, when client-to-server traffic traverses the load balancer, Aporeto transparently encrypts the connection and authenticates and authorizes both endpoints. Unauthorized clients are denied access whether they connect through the load balancer or directly, bypassing it. Aporeto performs bi-directional (mutual) application identity authentication, access control via identity and policy, and TLS encryption in front of the application, with or without a load balancer, without requiring application code changes.

In this blog, we walked through how Aporeto can authenticate, authorize, and encrypt communications across any client/server application, even across a connection terminating load balancer, with zero code changes to your software. Aporeto can be easily configured for strong encryption, service-to-service & user-to-service access control, and load balancers, letting you focus on the bigger security picture for applications throughout your enterprise.

Aporeto allows you to define encryption and access control between application services and with users. Using application identity, you can apply this same security posture automatically as your applications scale, as far as you need them to. With Aporeto, you can achieve automated, secure multi-cloud application architectures.

For more information on how Aporeto can use identity to help you quickly secure applications anywhere and meet compliance, read our whitepaper: Aporeto and PCI DSS Compliance, or Request a Demo to see Aporeto in action today!
