[Start of recorded material 00:00:00]
Jason: Hello, and welcome to Aporeto, zero trust security for microservices, containers and cloud. I am Jason Schmitt, CEO of Aporeto, and today I’ll take you through an overview of what Aporeto is all about. We at Aporeto are focused on the fundamental tension between the past and the future of security. If you think about the past you think about legacy servers and monolithic applications where security was complex, manual, static, and more importantly, network and perimeter-centric.
But as enterprises move to the cloud and adopt more cloud-native technologies, such as containers, microservices architectures and serverless computing, security needs to be much more automated and scalable in order to unlock the speed and agility that’s desired in the move to the cloud. Yet cloud-native technologies are invisible to perimeter security. So we believe that in order to secure these new infrastructures and new architectures you have to design for zero trust. And by zero trust, what we mean is: assume that anything can be breached at any time and that everything is accessible to everyone. Taking that posture allows you to take a more progressive view of how to secure these technologies in a cloud-native world.
If we look at microservices architectures in particular, they introduce still more security challenges into the picture. Microservices by their very nature are dynamic, which can invalidate security that assumes everything is static. Some of the supporting technologies, like container runtimes and serverless architectures, introduce new attack vectors that aren’t really thought about during the development process and are certainly quite new to the average security operational model. The identity and PKI infrastructure necessary to implement authentication at a very granular level within APIs or within microservices is very difficult for security teams to understand and very expensive for development teams to operate. And as the API becomes the new resource in this microservices world, authentication and authorization for everything have to be either done in business logic or offloaded to infrastructure that doesn’t really understand these technologies.
We found that security in this cloud-native environment creates a whole new set of requirements for microservices security. If you start at the fundamental level, network security has to be thought of a little bit differently. It’s effective to segment the network and isolate workloads when infrastructure is static. But in this world it’s much more dynamic and has to be looked at a bit differently. You want to encrypt everything from end to end, and you want granular access controls in order to accomplish this in the dynamic microservices world.
Going further up the stack, the container runtime itself, the vulnerabilities that exist and the behavioral attributes of the security of this environment have to be looked at from a particular perspective, where continuous vulnerability management is important. Not only image hygiene for the containers and things that are running in this environment, but also system runtime protections and alerts that call attention to things that are out of the ordinary and aren’t visible to legacy security systems, are important on top of this network security layer.
But going even further you really have to think about the application itself and how it’s identified independent of the network and independent of the infrastructure. A unique identity is really needed for every service. And the infrastructure necessary to create and issue and manage and revoke and rotate certificates and identities around these applications and services endpoints is critical.
And then, when you think about how granular APIs become in this new world, you need not only visibility into APIs but also into how they’re authenticated and authorized at an API level: for APIs within your own applications, when you bring in user authorization context, as well as for access to third-party services.
All of this, from top to bottom, is really necessary to secure microservices and have full lifecycle context from the CI/CD pipeline and development all the way to runtime detection and the ability to respond to that in real time. Because of the unique nature of security in a cloud-native environment, as well as the requirements for microservices security, at Aporeto we’ve created an approach that enables security to be decoupled from the infrastructure and not dependent on the network, because we base it on an application identity that’s created and managed automatically by the Aporeto platform.
This contextual identity is based on the who, what and where of an individual process, container or virtual machine. It pulls in metadata from every available source – from the CI/CD pipeline to environmental metadata about where this is running – as well as bringing in important security context: behavioral profiling of the process, virtual machine or container itself, as well as vulnerability information brought in from external vulnerability sources. This application identity is then used as the control point for distributed policy enforcement, which allows you to have adaptive policy that’s more aligned with the workload and decoupled from the network infrastructure and the infrastructure itself.
When you combine this application identity as a control point independent from infrastructure with distributed security policy enforcement, you enable unique security visibility and orchestration capabilities for cloud-native applications. At a basic level, what this allows you to do is whitelist and control all access and behavior of every service API, virtual machine or container within your application. Authentication, authorization and encryption are done transparently without having to build them into business logic. And you can create true cloud-native security automation and orchestration in conjunction with all the other security infrastructure you have, without writing code or changing the network.
The Aporeto application ID, along with distributed policy enforcement, then creates key capabilities for authenticating and authorizing and encrypting everything in the microservices environment. Threat and vulnerability management in context with the application identity allows continuous container vulnerability analysis as well as runtime threat detection and integration into security ops workflows.
Network security capabilities are added transparently onto an application without writing them into business logic. And granular API security is created with the full PKI, user identity and application identity infrastructure and services necessary to implement it on an existing application, or to augment it and offload it from development, to speed the development and integration of zero trust security into an application.
The Aporeto architecture is based on two key components. The Aporeto security orchestrator holds the policy engine and the identity management infrastructure for creating, distributing and managing the application identities out to all the components controlled by the Aporeto security platform. The Aporeto Enforcer then sits on each host as a user-space process, or as a container in a container environment, working with any infrastructure – public, private or hybrid cloud – as well as any leading orchestrator to enforce distributed policy according to all the context of the application identity.
The Aporeto security orchestrator – also via API – integrates with a number of external security systems and development environment systems to get environmental security metadata or to report security alerts out to security ops workflows. Here you see several examples of customer success stories in using the Aporeto platform to address a variety of security challenges in multi-cloud and multi-container environments. At a large software company, our customer used us to transparently authenticate, authorize and encrypt everything across private and public cloud. An online payment transaction solution used us to accelerate PCI compliance by securing everything in a multi-cluster environment, both to protect things and to make auditing and compliance simpler. At a large professional services organization, a typical use case has been protecting a high-value application or a legacy application with lesser or not well understood security controls, to keep it isolated, and doing it independent of network configuration.
Finally, let’s talk about Aporeto’s key use cases: workload isolation, container threat and vulnerability management, and API access control. Aporeto accomplishes network segmentation or micro-segmentation, as well as workload isolation, without configuring or reconfiguring the network. We do this by decoupling the policy enforcement from the network infrastructure and basing it on the application identity control point. It allows us to automate policy enforcement across any environment – multi-cloud, multi-cluster or any combination of private and public cloud – while also offloading encryption from the applications. So if an application exists in these environments and has any sort of isolation, encryption, or authentication and authorization requirements, we can satisfy that with the Aporeto platform.
For containers, Aporeto provides a complete threat and vulnerability management solution, first with continuous vulnerability management for container images, both in terms of providing scanning infrastructure as well as real-time policy that draws in vulnerability data as part of real-time network and access control policy decisions.
Aporeto also monitors runtime events on the host as well as on the container infrastructure and alerts security teams to potential malicious activity. This is based on both out-of-the-box behavioral baselines and runtime behavioral analysis of the running processes, virtual machines and containers. This runtime policy enforcement, in combination with the application identity, again allows interesting security enforcement and automation independent of the infrastructure. Integration with external systems, such as SIEM, security orchestration and automation, and IT service management systems, allows it to be a complete piece of an overall security operations program, all while providing the automation infrastructure for incident response security automation within the cloud-native technologies.
Lastly, API access control for microservices through the Aporeto platform provides granular authentication and authorization for any service endpoint or API. We do this by using both user identity and application identity context to secure user-to-service, service-to-service or service-to-external-service communications, with full authentication and authorization of all of those communications. We use open standards and integrate with user identity providers and single sign-on providers to be able to put together a combination of user and service identity for complete API access control.
Aporeto’s zero trust security for microservices enables you to accomplish uniform security across multi-cloud and multi-cluster environments, saving developers time by not having to implement complex authentication and authorization, and reducing network complexity and cost. But most importantly, you end up with simpler security. Thank you very much.
[End of recorded material 00:11:32]