Aporeto uses a centrally-managed distributed security engine to authorize interactions between application resources cryptographically authenticated by Trust Profiles. Aporeto auto-generates policies in accordance with application runtime behavior and application intent described in orchestration metadata and manifests, such as Dockerfile, eliminating any extra developer effort to inform policy. These policies are reviewed, modified, and verified by InfoSec teams.

The Aporeto security model only allows interaction between application components where it is explicitly permitted, rather than assuming that all communication is allowed unless expressly prohibited. This whitelist approach, combined with real-time mapping of application component interactions, gives the organization a verifiable security posture. InfoSec teams can assess business threats and regulatory compliance at any time, in lockstep with CI/CD practices.
Because of this whitelist approach, the organization has the option of running flat L2/L3 networks and eliminating the management complexity of east-west firewalls, overlay networks, tunneling, ACLs, and other network segmentation methods. Moreover, because Aporeto does not assume any network topology, the approach works on any infrastructure and any cloud. Finally, because Aporeto secures applications through distributed authentication and authorization, it works at any scale, whether your workload runs on one server or one million.

We are in the midst of the transition from client-server architectures to serverless designs. VMs and containers are transitional midpoints along this trajectory, with each step increasing the number of network endpoints by an order of magnitude. Correspondingly, endpoints that were once static and long-lived are becoming ephemeral.

The combination of rapidly growing endpoint counts and fast-changing network topology challenges network-centric security. Manual security practices designed for static environments are ill-suited to automated CI/CD pipelines and fast-moving DevOps teams.

Secure Kubernetes in Five Minutes

Each node in your distributed application needs to have an Aporeto Enforcer. The Enforcer verifies identity and authorizes actions. Installing a new Aporeto Enforcer is as easy as:
  • Download the Enforcer binary on every server where your application runs
  • Register your servers
  • Go to town - securely!

Multi-cluster, multi-availability zone, multi-cloud. Simple, scalable, secure.

Aporeto secures your distributed app using authentication and authorization, without any impact on developer or operational workflows. Each service or resource in your distributed application that is secured by Aporeto has a cryptographically signed identity. Using an intuitive policy model, Aporeto only allows data exchange between application components when an explicit authorization policy permits it. Give Aporeto a shot. Once you get the hang of it, you will notice how it simplifies your cloud infrastructure, scales with your application, and provides security, visibility, and auditability as you have never seen before.

One Account, Multiple Roles

Aporeto accounts have two general roles: platform access and administrative management. Your Aporeto platform account only allows you to issue certificates for people or for API consumption. You can also use it to configure access to your LDAP server. Your administrative account allows you to control access to the platform with certificates. Certificates grant access to the platform through mutual TLS authentication. Aporeto does not store any credential information or user data. To deny access to an existing user, revoke his or her certificate(s).
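To make the contrast concrete, here is a small Python model, added here and not Aporeto's own code, policy format or API, of the whitelist decision described in the security model above and of certificate revocation as the single step that cuts an identity's access; the tag names, rules and workloads are constructed for the example.

```python
"""Default-deny (whitelist) authorization over authenticated workload identities.
Added illustration of the model described above; not Aporeto's code, policy
format or API. Identities, rules and flows below are constructed for the example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    """Attributes an authenticated, certificate-backed workload presents."""
    tags: frozenset
    revoked: bool = False  # certificate revoked => identity no longer trusted

@dataclass(frozen=True)
class Rule:
    subject: frozenset  # tags the caller must carry
    target: frozenset   # tags the callee must carry
    effect: str         # "allow" or "deny"

def _matches(rule, src, dst):
    return rule.subject <= src.tags and rule.target <= dst.tags

def whitelist_decide(rules, src, dst):
    """Deny unless an explicit allow rule matches both identities; a revoked
    identity never matches, so revoking a certificate alone cuts access."""
    if src.revoked or dst.revoked:
        return False
    return any(r.effect == "allow" and _matches(r, src, dst) for r in rules)

def blacklist_decide(rules, src, dst):
    """Network-centric default-allow: permit unless an explicit deny matches."""
    return not any(r.effect == "deny" and _matches(r, src, dst) for r in rules)

# Constructed sample policy: only web->api and api->db are ever allowed.
RULES = [
    Rule(frozenset({"app=web"}), frozenset({"app=api"}), "allow"),
    Rule(frozenset({"app=api"}), frozenset({"app=db"}), "allow"),
]
WEB = Identity(frozenset({"app=web", "env=prod"}))
API = Identity(frozenset({"app=api", "env=prod"}))
DB = Identity(frozenset({"app=db", "env=prod"}))
STRAY = Identity(frozenset({"app=debug-shell"}))  # unknown workload, no policy

def compare(src, dst):
    """Return (whitelist_decision, blacklist_decision) for one flow."""
    return whitelist_decide(RULES, src, dst), blacklist_decide(RULES, src, dst)
```

The same unlisted flow (for example the stray workload reaching the database) is denied under the whitelist model but silently permitted under the default-allow model, which is the gap the page's approach closes.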