Centrally managed and portable security policies for OpenShift-orchestrated Kubernetes clusters have two benefits for enterprise customers. Firstly, they accelerate application migrations from on-premises settings to AWS. Secondly, they seamlessly span private data centers and AWS for applications running in a hybrid setting.
The Aporeto Methodology
Our methodology is to employ a uniform security model for OpenShift workloads distributed in private data centers and on AWS.
Traditional approaches to cloud security have a multitude of problems:
- Disparate technologies across clouds increase complexity.
- A combination of security groups and virtual firewalls in AWS is needed to secure East-West and North-South traffic. This makes keeping the right security posture difficult with dynamic workloads like those orchestrated by OpenShift.
- There is an increased attack surface because IP-centric rules do not span multi-cloud environments; moreover, overlapping IP address ranges across environments confuse security governance.
- In most cases, enterprises rely on coarse-grained security rules, which increase the threat surface.
- Containers break AWS security groups since multiple containers exist on the same host.
- Multi-cloud workloads span multiple IP domains, breaking visibility.
Aporeto avoids these problems in innovative ways:
- Aporeto deploys as a DaemonSet in your OpenShift cluster. Aporeto auto-discovers workloads and dynamically generates a cryptographic identity per workload.
- Identity is derived from container tags/labels and EC2 instance metadata, providing context on where the application is running.
- By ingesting OpenShift YAML files, Aporeto defines policy-as-code, because application dependencies are already well understood from those manifests.
- Alternatively, Aporeto can suggest whitelist security policies after visualizing application dependency maps to help you lock your application down and keep its behavior as it was intended.
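The following is an added illustration, not Aporeto's code, of the identity-based policy model the list above describes: each workload's identity is built from its container labels plus the metadata of the instance it runs on, and allow-list policies are written against those identity claims rather than IP addresses. The label keys, metadata fields, policy structure and sample workloads are all constructed for the example; the point it shows is that the same policy applies unchanged to a workload in AWS and one on-premises, even when their IP ranges overlap, and that a workload sharing an IP with an authorized peer but carrying different labels is still denied.

```python
"""Identity-based allow-list policy evaluation (constructed example).

Models the idea of cryptographic workload identity derived from labels and
instance metadata, with default-deny policies that never mention IPs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    labels: dict               # container / pod labels (constructed)
    instance_metadata: dict    # e.g. EC2 instance metadata; empty on-premises
    ip: str                    # present only to show it plays no role in policy


def build_identity(w: Workload) -> frozenset:
    """Return the workload's identity claims as 'key=value' strings.

    The IP address is deliberately excluded. Metadata-derived claims carry a
    '@meta:' prefix so a pod label cannot impersonate an infrastructure claim.
    """
    claims = {f"{k}={v}" for k, v in w.labels.items()}
    claims |= {f"@meta:{k}={v}" for k, v in w.instance_metadata.items()}
    if "region" not in w.instance_metadata:
        # No cloud metadata available: treat the host as on-premises.
        claims.add("@meta:location=on-prem")
    return frozenset(claims)


@dataclass
class Policy:
    name: str
    subject: frozenset              # claims the source must all carry
    object: frozenset               # claims the destination must all carry
    ports: frozenset = field(default_factory=frozenset)  # empty = any port


def allowed(policies, src: Workload, dst: Workload, port: int) -> tuple:
    """Default deny: (True, policy_name) only if some policy matches both identities."""
    sid, did = build_identity(src), build_identity(dst)
    for p in policies:
        if p.subject <= sid and p.object <= did and (not p.ports or port in p.ports):
            return True, p.name
    return False, None


# Constructed sample workloads. FRONTEND runs in AWS, BACKEND on-premises, and
# STRAY is an unrelated pod that happens to have the same IP as FRONTEND.
FRONTEND = Workload(
    name="shop-frontend",
    labels={"app": "shop", "tier": "frontend"},
    instance_metadata={"region": "us-east-1", "instance-type": "m5.large"},
    ip="10.0.0.5",
)
BACKEND = Workload(
    name="shop-backend",
    labels={"app": "shop", "tier": "backend"},
    instance_metadata={},
    ip="10.0.0.5",   # overlapping address space, harmless for identity-based policy
)
STRAY = Workload(
    name="other-app",
    labels={"app": "other", "tier": "frontend"},
    instance_metadata={"region": "us-east-1"},
    ip="10.0.0.5",
)

POLICIES = [
    Policy(
        name="shop-frontend-to-backend",
        subject=frozenset({"app=shop", "tier=frontend"}),
        object=frozenset({"app=shop", "tier=backend"}),
        ports=frozenset({8080}),
    ),
]


if __name__ == "__main__":
    for src, dst, port in [(FRONTEND, BACKEND, 8080), (BACKEND, FRONTEND, 8080),
                           (STRAY, BACKEND, 8080), (FRONTEND, BACKEND, 22)]:
        ok, why = allowed(POLICIES, src, dst, port)
        print(f"{src.name} -> {dst.name}:{port}  {'ALLOW' if ok else 'DENY'}  {why or ''}")
```

Because the policy matches on claims and not on addresses, it is the same object whether the two sides are both in a private data center, both in AWS, or split across them; what changes between environments is only which metadata claims a workload acquires.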
The key benefits of securing Red Hat OpenShift hybrid workloads with Aporeto are:
- Seamless migration and secure connectivity of OpenShift workloads, spanning on-premises and AWS environments.
- Strong network segmentation for protecting applications, using cryptographic workload identity that is independent of network topologies or IP addresses.
- Continuous application deployment with compliance, with security policy-as-code.
- Simpler security operations and reduced complexity. Fewer components to manage. Security policies are portable and applicable across heterogeneous environments.
- Transparent encryption for hybrid cloud workloads with zero code changes.