How Aporeto Fulfils Forrester’s Zero Trust eXtended (ZTX) Ecosystem Criteria

By: Thelen Blum 10.17.2019
How Aporeto Fulfils Forrester’s Zero Trust eXtended (ZTX) Ecosystem Criteria

In an insightful recent report, Forrester made reference to a “categorical realization from both security vendors and security pros that perimeter-based security has failed.” At Aporeto, we have been discussing this failure for the past two years. Forrester uses the term “Zero Trust eXtended (ZTX) Ecosystem” to refer to the security landscape that enterprises should be seeking. 

Zero Trust, Forrester rightly points out, is rising in prominence because it protects enterprises from advanced threats and the severity of breaches by radically increasing visibility, supports new operational models like various cloud services, and because it helps facilitate compliance. But Zero Trust is about more than just network segmentation. It is also about applying Zero Trust principles to data, users, workloads, devices, and the entirety of the network landscape. It requires implementing real security automation and orchestration (SAO), and leveraging virtualization to maintain visibility into the entire digital business ecosystem. Only by fulfilling criteria such as these can a security solution be said to produce a genuine ZTX ecosystem. (For full details, get information on the Forrester Report here).

The Aporeto platform fulfils all of the criteria laid out in the Forrester report. All three of our products – our Distributed Firewall, Kubernetes Network Security and Secure Access to infrastructure and applications – fulfil Forrester’s Zero Trust eXtended (ZTX) ecosystem criteria. See the chart below that maps Aporeto’s capabilities to the Zero Trust Security Framework described by Forrester.

Click on chart to enlarge image.


We decouple security from the network, moving it up the stack. We restrict user access to apps and infrastructure on the basis of identity, and ensure workload and user isolation for easier compliance. Zero-touch transparent encryption is provided for data in transit for all workloads, and we implement policies that prevent data from being exfiltrated. Every single workload possesses a unique cryptographic identity, enabling security policies to be portable and persistent across a heterogeneous infrastructure. Granular policy management can be implemented at L3, L4 and L7.

Aporeto enforces distributed policies across all workloads, including containers, Kubernetes, serverless, server mesh, and VMs. We enforce Service Auth for users using IdP (ex: Okta, Ping) of choice for AuthN and AuthZ which is transparent to users. Keyless SSH access facilitates simplified user access to infrastructure. Aporeto also eliminates VPNs and provide single-sign on (SSO) user access to web apps. User access to any app or infrastructure is based on information provided by the IdP combined with unique workload identity, and all communication must have AuthN-AuthZ performed for access, regardless of device.

This setup allows for full visibility and security management, across any hybrid cloud infrastructure, all from within a single tool. Because identity is comprised of metadata from several sources, we compile comprehensive user and threat intel feeds with analytics for up-to-date robust security, and we log all user CLI commands centrally for easy compliance and audits. Security orchestration can be either SaaS-based or on-premises, and automated orchestration occurs across any infrastructure or workload at scale. Aporeto integrates with all major SSO IdPs, vulnerability scanners, SIEMs, CI/CD pipeline and Cloud APIs for a comprehensive Zero Trust cloud security solution.

Learn more about how Aporeto can help your enterprise establish a Zero Trust security model in our whitepaper Zero Trust Security Solution for Microservices, Containers and Cloud.

Recent Posts Aporeto Launches New Identity Federation Capabilities for Kubernetes Pods and Istio Service Mesh, Delivering Security as Code to Accelerate DevSecOps Easy Application Network Encryption and Access Control Without Re-coding Your Application Aporeto Named to 2019 CNBC Upstart 100 List of Most Promising Start-Ups