The following is a transcript of the audio file you can listen to in the player above.
Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary.
I’m Ethan Banks, it’s January 14, 2019, and here’s what’s happening. I had a briefing with Aporeto in December 2018.
Aporeto is a security startup. “Oooh, another security startup?!?” you might say, rolling your eyes dismissively. I wouldn’t roll my eyes, as I believe there’s something very interesting here. The Aporeto solution has an eye to modern infrastructure security’s future, and not the past.
A Microsegmented Context
Before I explain Aporeto, I need to explain microsegmentation. In a nutshell, microsegmentation is centralized management of whitelists applied on a workload-by-workload basis. Filtering at the workload gives you the “micro” and the whitelisting gives you the “segmentation.” Writing individualized workload whitelists and maintaining them would be too hard for a human to do, especially at scale, and therefore solutions like Cisco Tetration, Illumio, and VMware NSX handle this for you.
Each of the solutions I just mentioned does what it does differently under the hood, but the end result is roughly the same. A small whitelist pushed to or very close to a workload segments that workload from every other workload, the big idea being to keep malware out, or at least prevent malware from spreading, as well as help prevent data leaks. It’s a divide-and-contain strategy using central management and a policy engine to deploy at scale.
There is more we can talk about here, because it’s possible to bolt on higher level scanning and so forth depending on the microsegmentation solution, but none of that changes my point that microsegmentation is merely an evolution of the same old firewall filtering we’ve all been doing for decades in one form or another.
Is Network-Based Microsegmentation The Proper Security Approach?
Microsegmentation assumes that the network is where security should be applied. And that’s fair enough. Assuming a defense-in-depth strategy, the network is one part of the security paradigm at least. Should sticking filter lists into highly distributed firewalls be the primary security for a modern, cloud-based application with diverse workloads, though?
Aporeto argues, “No.” Aporeto sees workload security not as a network problem. If you view the network as an increasingly complex transport, which it is especially when considering hybrid and multi-cloud architectures and orchestration platforms, then securing workloads is a security problem of its own, not one to dump onto the network infrastructure in the Aporeto view.
Aporeto is an identity-based security solution. I don’t only mean user identity. I also mean workload identity. That is, when using Aporeto, workloads can only talk to each other when their identity is authenticated by fingerprint and authorized by policy.
Aporeto decouples the network infrastructure from security on the assumptions that the network is distributed and probably not wholly managed by a given organization, that workloads are ephemeral, that all actions should be authorized, and that security lifecycle should be decoupled from the application lifecycle.
I just said many words there, so let me give you a more concise focal point. Aporeto is an identity and access management security solution that expects essentially nothing of developers and little of operators to provide deep, context-aware security for workloads no matter if they are hosted locally or in the public cloud, and it does it in a form-factor agnostic way.
Hosts, containers, processes, functions, and users all get a unique cryptographic identifier in an Aporeto environment. The identifier is created from a composite of key workload features, including cloud metadata, container metadata, service account identities, orchestrator metadata, external data that might be known about the workload such as vulnerability scanning assessments, and more, including dynamic metadata such as how the application is behaving.
A centralized policy governs communications between all of these cryptographically identified actors and provides a view into what is happening in the application environment. Enforcement is derived from policy. The actions are granular. You can describe many different actions based on the workload descriptors found in the cryptographic identifier such as permit, deny, encrypt and so forth. Use as many or as few of the descriptors as you like to govern your policy.
Aporeto’s Enforcer software is what performs policy enforcement. Enforcer runtimes live on services, container hosts, and other execution environments. In other words, there is a different Enforcer runtime depending on the workload, but policy is applied uniformly.
Enforcer is the crucial element in the Aporeto solution. Enforcer not only handles the policy enforcement, but also baselines workloads, generating and signing the cryptographic identifier.
You need the baselining, because no humans exist that truly understand in intimate detail what comms should be allowed between workloads for an app to work. Software is required to close the loop, especially when considering the amount of metadata Aporeto knows and builds policy around.
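To make the difference between address-based whitelisting and identity-based authorization concrete, here is an added example in Python. It is not Aporeto’s code and was not part of the episode; it is a toy model of the pattern described above. The metadata fields, labels, and policy rules are invented for the demo, and the HMAC key is a constructed stand-in for whatever the real Enforcer uses to sign identities (the episode does not describe that key material). The point it shows: the workload’s identity is a signed fingerprint of what the workload is (labels, scan status, cloud region), not where it sits on the network, so policy can be written against descriptors, a tampered claim fails authentication before policy is ever consulted, and anything not whitelisted is denied.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for whatever the Enforcer uses to sign
# identities; the episode does not describe the real key material or format.
ENFORCER_KEY = b"constructed-demo-enforcer-key"


def _canonical(claims: dict) -> bytes:
    """Canonical JSON so the same metadata always yields the same fingerprint."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def workload_identity(claims: dict) -> dict:
    """Derive a fingerprint from a composite of workload metadata and sign it.

    Note what is NOT in the claims: no IP address. The identity survives a
    pod restart or a move to another cloud because it is built from what the
    workload is, not where it currently sits on the network.
    """
    fingerprint = hashlib.sha256(_canonical(claims)).hexdigest()
    signature = hmac.new(ENFORCER_KEY, fingerprint.encode(), "sha256").hexdigest()
    return {"claims": dict(claims), "fingerprint": fingerprint, "signature": signature}


def verify_identity(identity: dict) -> bool:
    """Recompute fingerprint and signature; any edited claim fails verification."""
    expected_fp = hashlib.sha256(_canonical(identity["claims"])).hexdigest()
    if not hmac.compare_digest(expected_fp, identity["fingerprint"]):
        return False
    expected_sig = hmac.new(ENFORCER_KEY, expected_fp.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected_sig, identity["signature"])


# Hypothetical policy written against descriptors rather than addresses.
# First matching rule wins; every key in a selector must match the claim.
POLICY = [
    {"from": {"app": "web", "scan": "clean"}, "to": {"app": "api"}, "action": "encrypt"},
    {"from": {"app": "api", "namespace": "prod"}, "to": {"app": "db", "namespace": "prod"},
     "action": "permit"},
]


def _matches(selector: dict, claims: dict) -> bool:
    return all(claims.get(key) == value for key, value in selector.items())


def authorize(src: dict, dst: dict, policy=POLICY) -> str:
    """Return permit / encrypt / deny for a flow between two signed identities."""
    # Authenticate first: a forged or tampered identity never reaches policy.
    if not (verify_identity(src) and verify_identity(dst)):
        return "deny"
    for rule in policy:
        if _matches(rule["from"], src["claims"]) and _matches(rule["to"], dst["claims"]):
            return rule["action"]
    return "deny"  # whitelist semantics: anything not described is dropped


# Constructed sample workloads (labels invented for the demo).
WEB = workload_identity({"app": "web", "namespace": "prod", "cloud_region": "us-east-1", "scan": "clean"})
API = workload_identity({"app": "api", "namespace": "prod", "cloud_region": "us-east-1", "scan": "clean"})
DB = workload_identity({"app": "db", "namespace": "prod", "cloud_region": "us-east-1", "scan": "clean"})
WEB_UNSCANNED = workload_identity({"app": "web", "namespace": "prod", "cloud_region": "eu-west-1", "scan": "pending"})


def forged_web_as_api() -> dict:
    """A web workload that edits its own claims to look like the API tier."""
    forged = dict(WEB)
    forged["claims"] = {**WEB["claims"], "app": "api"}
    return forged


def demo() -> dict:
    """Evaluate a handful of flows; the verdicts are what the test checks."""
    return {
        "web->api": authorize(WEB, API),                        # encrypt
        "api->db": authorize(API, DB),                          # permit
        "web->db": authorize(WEB, DB),                          # deny (no rule)
        "unscanned web->api": authorize(WEB_UNSCANNED, API),    # deny (scan != clean)
        "forged web->db": authorize(forged_web_as_api(), DB),   # deny (signature fails)
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:20} {verdict}")
```

Two things worth noticing. First, the “unscanned web” workload has exactly the same app label as the clean one and would be indistinguishable to an IP/port ACL; here the vulnerability-scan descriptor is part of the identity, so policy can refuse it. Second, the forged identity never gets a policy lookup at all, because authentication of the fingerprint happens before authorization, which is the ordering the episode describes (“authenticated by fingerprint and authorized by policy”).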
Should You Evaluate Aporeto?
In summary, Aporeto rejects traditional microsegmentation, basically scale-out firewalling that some argue struggles in ephemeral cloud environments, and replaces it with zero-trust segmentation: rich, granular identity management. Aporeto scales by attaching Enforcer runtimes to hosts, functions, and so on and by centralizing policy management.
If you’re looking for security in your diverse application environment that does much more than simple L4 filtering, you need to consider Aporeto. They talk through several use cases, Kubernetes integration, and bonkers features like L7 API call filtering. Aporeto is definitely worth your time to investigate.
For More Information
There is a lot more technical detail we could cover about the Aporeto solution, and no doubt in my short overview, I left you with questions. I struggled to know how much to put in and how much to leave out. I’m hoping you got enough data to get a sense of whether Aporeto might be interesting for your environment so that you can investigate more.
That said, there is much more information you can watch anonymously, so no salesperson will bother you. Watch the “Aporeto Technology Overview” video on YouTube (which is honestly more of a deep dive) with Dimitri Stiliadis, CTO and Co-Founder.
That was Briefings in Brief from the Packet Pushers. For more IT podcasts, blogs and news created for engineers, visit packetpushers.net where you can subscribe for free. And for even more great information, become a member at ignition.packetpushers.net.