ESG SOLUTION SHOWCASE

Employing Application Identities to Secure Server Workloads with Aporeto

Author: Doug Cahill, Senior Analyst | July 2018


Abstract

Hybrid clouds are now the not-so-new normal of the modern data center. What is new is the increasingly diverse mix of technologies and platforms that comprise hybrid clouds and complicate cybersecurity programs seeking a uniform security approach across these environments. One example is microservice-based applications managed by orchestration platforms that automate the application lifecycle from pre-deployment to runtime. Securing the application components and containers of such microservices application stacks, along with other elements of hybrid cloud environments, requires an application workload- and API-centric strategy. Aporeto takes an application identity-based approach well aligned with the attributes of modern infrastructure to protect hybrid clouds from unauthorized access, a range of vulnerabilities, and threats.


Infrastructure Shifts Challenge Cybersecurity Strategies

Fundamental changes in the complexion of the modern data center, and the methodologies employed to provision and manage it, are challenging physical perimeter-oriented cybersecurity programs. These changes have led to an amorphous definition of today’s perimeter, one that is based on both ephemeral entities and physical demarcations.

Application Container Adoption Is Yielding a Heterogeneous Mix of Server Workload Types

More organizations are employing containers to deliver their applications, with 56% of organizations that participated in ESG’s research having already deployed application containers into production.[1] Another 24% of participating organizations indicated that they are currently testing application containers and plan to deploy them to production in the next 24 months. Application containers will coexist, however, with both virtual machines (VMs) and bare metal servers for the foreseeable future, resulting in a lasting heterogeneous mix of server types. In fact, ESG’s research reveals that, in 24 months, VMs will still comprise 41% of all production server workloads, containers 33%, and bare metal servers the remaining 26%.

Production Server Workloads: 24-month Outlook

Virtual Machines: 41%
Containers: 33%
Bare Metal Servers: 33%


Workloads Are Shifting to Public Clouds

Organizations are deploying more server workloads in public cloud platforms. According to research conducted by ESG, 57% of organizations currently have 21% or more of their workloads running on public cloud infrastructure. There is a clear shift of production server workloads to public cloud platforms, with 55% of research respondents noting that they will have the same percentage, 31% or more, of their workloads in a public cloud over the next 24 months.

Cloud-resident Workloads Create a Visibility Gap

The shift of server workloads and application containers to public clouds has resulted in cybersecurity professionals expressing concern over lack of visibility. This concern is rooted in the inability of physical network-based security controls to provide inspection into intra- and inter-workload activity as well as an organization’s use of the APIs that deploy and manage cloud services and infrastructure. And often these workloads are being used by application developers outside of the purview of IT, a manifestation of shadow IT. ESG explored the specifics of this visibility gap, with research respondents sharing that their top concerns include:

Identifying software vulnerabilities and workloads with insecure configurations.

Establishing an audit trail of system level, privileged user account activity, and the use of cloud APIs.

Detecting anomalous activity on server workloads, in the east-west traffic between workloads, and in API calls.

Further contributing to the visibility gap is the use of separate controls for separate environments, leading to inconsistent policies and cybersecurity posture across infrastructure. While 70% of participants in ESG’s research stated they use separate controls for cloud-based resources and on-premises VMs and servers, the same percentage, 70%, shared that they intend to unify controls for all workload types across public clouds and on-premises resources. Such a unified approach that is agnostic to server workload types and underlying infrastructure will assure improved visibility and, by extension, an improved cybersecurity program.


Employing an Application-centric Approach to Securing Modern Infrastructure

Given the shift in infrastructure, cybersecurity solutions for protecting hybrid clouds must meet the following requirements.

Infrastructure-agnostic

Today’s data centers are increasingly multidimensional with respect to not only a heterogeneous blend of server types, including bare metal servers, VMs, and containers, but also the use of multiple cloud service providers (CSPs). In fact, according to research conducted by ESG, 81% of organizations that consume infrastructure-as-a-service (IaaS) services do so from more than one CSP.[2] As such, securing modern infrastructure requires an approach that is agnostic to the underlying infrastructure environment. An example of the need for abstracting platform differences is host-based firewalls, or security groups, which are implemented differently in public cloud platforms, leading to error-prone implementations.


Workload- and API-centric

While physical network security controls, such as firewalls, continue to serve a critical role in securing the physical perimeter of hybrid cloud environments, an organization’s public cloud footprint needs to be protected with workload and API security controls and practices. A workload- and API-centric security approach should be based on a “trust but verify” set of policies that grants access and audits usage. Foundational to securing cloud services is establishing the role of server workloads, their relationship to other workloads and services, and their respective risk profile.

Spotlight: Deep Application Container Controls

The broad adoption of application containers across hybrid clouds has yielded a rich set of functional requirements, as shared by participants in ESG’s research (see Figure 1). Thematically, these requirements represent a need to reduce attack surface area, control inter-container communication, detect anomalies, and protect secrets.

Figure 1. Most Important Capabilities to Protect Production Containerized Applications

With respect to container security specifically, which of the following are the most important capabilities to protect your organization’s production containerized applications? (Percent of respondents, N=427, three responses accepted)

Source: Enterprise Strategy Group

DevOps Automation-oriented

The continuous integration and continuous delivery (CI/CD) methodology of DevOps represents an opportunity to incorporate security as an immutable aspect of how modern infrastructure is secured. Integrating security into the CI/CD tool chain automates the introduction of security controls, assuring that new workloads and containers are protected at each stage of the dev-test-dev and build-ship-run continua. Such a DevOps orientation to securing hybrid clouds requires security controls that integrate natively with orchestration platforms such as Kubernetes.


Introducing Aporeto: Leveraging Application Identities to Protect Server Workloads

The notion of an application’s identity is the foundational construct to how Aporeto approaches protecting server and API-driven services from compromise. Identities evolve as Aporeto learns more about runtime characteristics and provides the basis for granting access, monitoring for threats and vulnerabilities, and assessing and reporting on risk (see Figure 2).

Application Identities Provide Context for Access, Auditing, and Alerting

Aporeto incorporates static and dynamic workload and environmental data to establish and evolve the identity of an application, the equivalent of an application’s fingerprint, representing an Attribute Based Access Control (ABAC) approach to application identity. Static data includes metadata provided by orchestration platforms and CI/CD pipelines that provide information on the role and nature of an application container or process. At runtime, Aporeto monitors the live behavior of an application workload to establish a normalized baseline of system activity such as processes, networking flow, vulnerabilities, services being accessed, and more to then detect anomalies that could be indicative of a compromise. Application identities are cryptographically signed, travel with workloads and containers for distributed policy management, and are employed as the basis for strong authentication between workloads and services. This closed-loop approach allows application identities to be updated dynamically, protecting the server workload during its lifecycle.

Figure 2. Properties of Application Identity


Enforcing Zero Trust with Least Privileged Access Controls

Aporeto’s implementation of a zero-trust security model is one that employs both a least privileged implementation and auditing for a “trust but verify” approach. The solution employs application-layer micro-segmentation as a means to control inter-workload and container authentication and access so that only those servers and containers that need to access one another are authorized. In turn, micro-segmentation effectively isolates workloads from unrelated entities that could otherwise be employed by adversaries as an attack vector.

The solution further reduces the risk of the lateral movement of threats by encrypting the traffic between workloads and containers, with all east-west traffic also logged for auditability. The combination of segmentation, encryption, logging, and auditing reduces the scope of an organization’s infrastructure that is subject to compliance with certain industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
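The identity-and-allow-list model described above, sketched as an added illustration that is not Aporeto's code or API: workload attributes are signed into an identity, and a connection is authorized only when both identities verify and an explicit rule matches. The HMAC key (standing in for an issuer signature), the attribute names, and the policy format are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumption: a shared HMAC key stands in for the issuer's signature. A real
# deployment would use asymmetric keys so verifiers cannot mint identities.
ISSUER_KEY = b"constructed-demo-key"

def _canonical(attrs):
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()

def issue_identity(attrs):
    """Sign a workload's attribute set (e.g. orchestrator and CI/CD metadata)."""
    sig = hmac.new(ISSUER_KEY, _canonical(attrs), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "sig": sig}

def verify_identity(identity):
    expected = hmac.new(ISSUER_KEY, _canonical(identity.get("attrs", {})),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(identity.get("sig", "")))

# Constructed allow-list: each rule lists attributes that the source and the
# destination must both carry. Anything not listed is denied.
POLICY = [
    {"src": {"app": "web", "env": "prod"}, "dst": {"app": "orders", "env": "prod"}},
    {"src": {"app": "orders", "env": "prod"}, "dst": {"app": "db", "env": "prod"}},
]

def matches(attrs, required):
    return all(attrs.get(k) == v for k, v in required.items())

def authorize(src, dst, policy=POLICY):
    """Default deny: both identities must verify and one rule must match."""
    if not (verify_identity(src) and verify_identity(dst)):
        return False, "invalid-signature"
    for rule in policy:
        if matches(src["attrs"], rule["src"]) and matches(dst["attrs"], rule["dst"]):
            return True, "allowed"
    return False, "no-matching-rule"

def demo():
    web = issue_identity({"app": "web", "env": "prod", "image": "web:1.4"})
    orders = issue_identity({"app": "orders", "env": "prod", "image": "orders:2.0"})
    db = issue_identity({"app": "db", "env": "prod", "image": "pg:10"})
    # Tampered identity: attributes edited after signing, signature reused.
    forged = {"attrs": dict(web["attrs"], app="orders"), "sig": web["sig"]}
    return [authorize(web, orders), authorize(web, db), authorize(forged, db)]
```

The returned reason strings are what an audit log of east-west decisions would record alongside the two identities.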


Vulnerability Analysis, Threat Monitoring, and Remediation

Aporeto employs a continuous approach to identifying vulnerabilities from build-time to runtime by scanning container images for known software vulnerabilities and by integrating with third-party vulnerability assessment platforms, including those provided by Qualys and Tenable. Workloads and containers are further protected during runtime by detecting network and system-level activity that is anomalous relative to prior behavior and a workload’s identity. In response, Aporeto provides the ability to remediate risk by quarantining affected containers. Logs and alerts for such events can be propagated to security information and event management (SIEM) platforms for further analysis and integrated into ITSM systems for ticket workflow management.


Cloud API Auditing and Alerting

Aporeto also secures the use of internal and external APIs by playing the role of intermediary with an approach similar to the way in which inter-workload communication is treated. Aporeto’s solution offloads authentication and authorization for APIs from the application utilizing the same zero-trust white-list model utilized for workload isolation. A user or a service requesting access to an API presents its identity and, based on assigned scopes, will be authorized specific permissions to operate on the API. By being aware of the profiles of requesting users, and the context of the services being called by APIs, Aporeto enforces authorization policies across different service types, including user-to-service, service-to-service, and service-to-external-resources.

The Bigger Truth

When new technology is first adopted by enterprises, most organizations typically employ controls specific to that new technology for management as well as security. This default paradigm results in the use of different solutions and processes for different environments used by different teams. As a new technology becomes a more significant part of the infrastructure, coexisting with pre-existing stacks, organizations face a strategic imperative to adopt a unified approach to realize operational efficiencies and assure a consistent security posture across disparate infrastructures. Application containers are a contemporary example of this evolution. Aporeto offers a solution that is indexed on securing application containers via integration with Kubernetes while extending an application identity-based approach for protecting the heterogeneous mix of workloads and services that comprise today’s hybrid cloud environments.


[1] Source: ESG Master Survey Results, Trends in Hybrid Cloud Security, Mar 2018. All ESG research references and charts in this Lab Review have been taken from this research report.

[2] Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, Dec 2017.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.