How Aporeto Can Protect Your Apps from Hackers with a Cloak of Invisibility

By: Thelen Blum 10.03.2019

At Aporeto, we have a unique way of shielding apps from hackers. Imagine an octopus. An octopus can change the color of its skin in the blink of an eye to camouflage itself and evade predators. What if your applications could do the same? When a malicious presence enters their environment, they would immediately make themselves invisible, and therefore impossible to discover or attack over the network.

This is precisely what Aporeto facilitates. Aporeto runs on enterprise application servers and can be configured to control access to the whole host and to the applications the host is running. Access control is based on application identity, not IP addresses: identity is what Aporeto uses to authenticate, authorize and encrypt all application and user communication. A policy reads like “clients with identity ABC can connect to servers with identity XYZ.” If the client or user presents the proper identity and the server presents the proper identity, they can connect over the network.


Protect your apps by staying invisible to malicious actors

But what happens if a client doesn’t have the correct identity? Any communication not authorized by security policy is dropped, giving your application a cloak of invisibility. Unauthorized clients cannot ping or otherwise discover it. A ping to the address is dropped as if the server weren’t there, and an attempt to connect over HTTP or telnet loses its very first packet (the TCP SYN), so the attacker gets no answer at all and is left with the impression that nobody is home. (Because the packet is dropped rather than rejected, no TCP reset or ICMP error goes back; to a port scanner the port looks filtered rather than closed.)
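The policy model described above (allow rules keyed on client and server identity, with everything else dropped), as an added example in Go that is not Aporeto’s own code: the tag names, the rule, the port and the workloads are all constructed for illustration, and the real product’s policy language and enforcement path are not shown here. It adds one check a practitioner would want that the text does not mention: rejecting a rule with an empty selector, which would otherwise match every workload.

```go
package main

import "fmt"

// Identity is the set of attributes a workload carries (for example
// app=frontend, env=prod). All tag names and values here are constructed.
type Identity map[string]string

// Selector matches an Identity only if every key/value it lists is present.
// Entries are AND-ed: {"app":"api","env":"prod"} will not match a dev api.
type Selector map[string]string

func (s Selector) Matches(id Identity) bool {
	for k, v := range s {
		if got, ok := id[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Rule authorizes connections from workloads matching Client to workloads
// matching Server on the listed destination ports (empty Ports = any port).
type Rule struct {
	Name   string
	Client Selector
	Server Selector
	Ports  []int
}

type Verdict int

const (
	Drop  Verdict = iota // default: silently discard the first packet (SYN)
	Allow                // let the handshake proceed
)

func (v Verdict) String() string {
	if v == Allow {
		return "allow"
	}
	return "drop"
}

type Policy struct{ Rules []Rule }

// Validate rejects rules with an empty selector. An empty selector matches
// every identity, which would quietly turn a rule into "allow from anywhere".
func (p Policy) Validate() error {
	for _, r := range p.Rules {
		if len(r.Client) == 0 || len(r.Server) == 0 {
			return fmt.Errorf("rule %q: empty selector would match all workloads", r.Name)
		}
	}
	return nil
}

// Evaluate is default-deny: the connection is allowed only if some rule
// matches both identities and the destination port. Source IP plays no part,
// and an identity with no tags matches no non-empty selector, so it is dropped.
func (p Policy) Evaluate(client, server Identity, port int) (Verdict, string) {
	for _, r := range p.Rules {
		if !r.Client.Matches(client) || !r.Server.Matches(server) {
			continue
		}
		if len(r.Ports) == 0 {
			return Allow, r.Name
		}
		for _, allowed := range r.Ports {
			if allowed == port {
				return Allow, r.Name
			}
		}
	}
	return Drop, ""
}

// ExamplePolicy is a constructed policy: production frontends may reach
// production API servers on 8443, and nothing else is permitted.
func ExamplePolicy() Policy {
	return Policy{Rules: []Rule{{
		Name:   "frontend-to-api",
		Client: Selector{"app": "frontend", "env": "prod"},
		Server: Selector{"app": "api", "env": "prod"},
		Ports:  []int{8443},
	}}}
}

func main() {
	p := ExamplePolicy()
	if err := p.Validate(); err != nil {
		panic(err)
	}
	api := Identity{"app": "api", "env": "prod"}
	prodFE := Identity{"app": "frontend", "env": "prod"}
	devFE := Identity{"app": "frontend", "env": "dev"}
	for _, c := range []struct {
		client Identity
		port   int
	}{{prodFE, 8443}, {prodFE, 22}, {devFE, 8443}, {Identity{}, 8443}} {
		v, rule := p.Evaluate(c.client, api, c.port)
		fmt.Printf("%v -> api:%d: %s %s\n", c.client, c.port, v, rule)
	}
}
```

Run it and the four constructed connection attempts produce allow for the production frontend on 8443 and drop for the other three: the wrong port, the wrong environment tag, and a client with no identity at all. Identity, not the source address, decides the verdict, so the same IP presenting a different identity gets a different answer.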

Aporeto applies this posture both inside and outside the cloud perimeter. This is the fundamental principle of a Zero Trust security model: it doesn’t matter what “zone” clients and servers reside in. If a connection isn’t explicitly allowed, it isn’t allowed at all. That is the only workable security posture for dynamic enterprise applications at scale.

Attackers will always go after valuable assets. Aporeto’s approach thwarts them: rapidly, with the reactivity and agility of an octopus, your app dons a cloak of invisibility, and the malicious presence can’t even see it, let alone harm it.

Let’s go a little deeper and see how the cloak of invisibility does its work to protect your apps.


Default-deny, identity-based network access security posture stops attacks before they happen

At the network and transport layers, Aporeto controls access to and from your applications by embedding identity in the connection setup itself, so the decision is made on the first packet rather than after the application has answered. Unauthorized network clients cannot probe or ping your applications at all, which forecloses the many attacks that depend on first finding a target. Aporeto can also encrypt your application’s network traffic. Together, these cloak your servers and applications, hiding your enterprise assets from intrusion, sniffing, spoofing, discovery and proxy attacks.


Simple and programmable alerts for any security event

Every bit of Aporeto security metadata is accessible to humans and to programs through its API. You can automate network policy for dynamic application deployment and consume metadata events about configuration, topology changes, container image vulnerabilities, and system and filesystem access. Aporeto gives you visibility throughout the application stack, from the individual network port, API, process and container to virtual machines, Kubernetes clusters and serverless applications, in any cloud.

Aporeto provides interfaces for event and metadata processing to issue emails, Slack alerts, and even dynamically alter network security posture based on any accessible system and application metadata.


Correlate Aporeto security metadata with the rest of your enterprise

Besides programmatic access to its metadata, Aporeto can export any of it to popular enterprise SIEM systems, including Splunk and IBM QRadar, so you can correlate Aporeto security events with those from your other enterprise systems and detect indicators of compromise. Aporeto’s identity-based, intent-driven SaaS platform uses application identity to secure cloud applications, detect threats and stop network-based attacks before they happen.

The end result? Aporeto gives your apps a cloak of invisibility that protects your entire infrastructure against potential breaches. Distributed security policies are enforced across any infrastructure and any workload at scale, including containers, Kubernetes, serverless and service mesh. Aporeto brings identity-based control anywhere in your on-premises or cloud stack to detect threats and prevent attacks.

Learn more about how Aporeto can protect your apps in our Zero Trust Security Solution for Microservices, Containers and Cloud Whitepaper.
