Google invests heavily in security for their internal infrastructure. They talk about their initiatives publicly which helps educate the wider community and is likely beneficial to the company, too. Recently, Google released a whitepaper outlining their approach to securing communications between all their internal applications using an in-house developed protocol called ALTS (Application Layer Transport Security). The principals on which this protocol has been developed reflect Aporeto’s approach to securing containers and microservices and to our open source library, the Trireme Project. As a security startup, this is a validation of our approach to security. Let me explain why.
Aporeto’s approach has always been rooted in decoupling security from the network infrastructure, allowing for higher automation without compromising security for your applications. The Application Layer Transport Security paper highlights three common principals that helped us achieve this goal:
- Transparency: Security must be transparent to the application, allowing developers to focus on application development. This requires the ability to transparently encrypt, authenticate and authorize any communication without application changes. At Aporeto, we leverage mutual TLS with ECDSA for key exchange which is cutting-edge in encryption technology.
- Identity model: IP addresses are no longer persistent entities in dynamic public cloud environments, making them meaningless for visibility and security policies. With Aporeto, all communication authentication, authorization and visibility is made through trusted and persistent identities tied to a container or microservice. This model facilitates seamless micro-service elasticity, load balancing and rescheduling without compromising on security.
- Simplicity at scale: Any solution Google adopts must be simple to operate even when securing a massive infrastructure. Here are a couple of principals we have adopted and are highlighted in the Application Layer Transport Security paper:
- A trusted identity is assigned to every application component through an attestation process utilizing PKI (public key infrastructure). Managing PKI at scale is not easy. But all certificate distribution, rotation and revocation in the Aporeto system is done automatically, without user intervention.
- There are no policy propagation requirements. Enforcement of policies is always local to the host and with no dependencies with the rest of the system. This helps our solution scale tremendously.
For some time, Aporeto has been the lone voices educating the market on why these principals are fundamental to solving security for cloud native applications. It is an exciting leap forward to have Google share similar observations and amplify this message. If you would like to learn more about this topic and how Aporeto offers these capabilities, please register for our webinar here. We look forward to seeing you on the 8th of February to learn more!