Aporeto unveils whitelist security model for application containers
A cloud-native security startup today introduced what it describes as a dead simple security model for containers, the packaging technology that lets applications run on any computer.
Aporeto on Tuesday unveiled a new open-source project called Trireme that simplifies application segmentation for distributed apps. The project, which works with containers from Docker Inc. or with the open source Kubernetes software for managing cloud applications on clusters of machines, “is based on a distributed architecture and is an alternate implementation of network policy that does not require any external policy controller or state, hence relieving the complexities of overlay topologies,” the company said.
In plainer English, Aporeto basically takes a whitelist approach to container security. Whereas traditional security methods are focused on blocking certain kinds of actions or bad actors, whitelisting does just the opposite, specifying which actions are permitted. Any other type of action is blocked by default.
The open-source Trireme project takes that basic concept further by making containers identify themselves to each other. For example, if a service requires Container A to talk to Container B, Trireme will insert an encrypted signature into the metadata of both containers. As soon as Container B receives packets from Container A, Trireme will recognize Container A’s signature and then validate whether the communication is legitimate.
Because of the way whitelisting works, Containers A and B won’t talk to anything else. That means Trireme effectively eliminates either one as an entry point for attackers, since neither will communicate with outsiders. Even if one of the containers is somehow compromised, it can only talk to one other point in the network. Moreover, it doesn’t matter if Container A or B gets moved around the network, because Trireme only cares about container identities, not locations.
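As an added illustration, not Trireme’s own code and not a description of Aporeto’s actual implementation, the following Python sketch models the identity-carrying, default-deny authorization described above: the sender attaches a signed identity claim to its traffic, and the receiver authenticates the claim, rejects stale or replayed claims, and consults a whitelist keyed on identities rather than network addresses. The shared secret, the policy table and the token format are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed whitelist: sender identity -> receiver identities it may reach.
# Any pair not listed here is denied by default.
POLICY = {"frontend": {"backend"}, "backend": {"database"}}


def mint_token(secret: bytes, identity: str, ts: int, nonce: str = "") -> dict:
    """Sender side: attach a signed identity claim (constructed format) to traffic."""
    claims = {"id": identity, "ts": ts, "nonce": nonce or secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Enforcer:
    """Receiver side: verify the claim, reject replays, then apply the whitelist."""

    def __init__(self, secret: bytes, own_identity: str, policy: dict, max_skew: int = 30):
        self.secret = secret
        self.own_identity = own_identity
        self.policy = policy
        self.max_skew = max_skew
        self.seen_nonces = set()

    def authorize(self, token: dict, now: int) -> tuple:
        # 1. Authenticate: the claim must carry a valid MAC under the shared secret.
        expected = hmac.new(self.secret, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return False, "bad signature"
        claims = json.loads(token["payload"])
        # 2. Freshness: a stale timestamp or a nonce seen before counts as a replay.
        if abs(now - claims["ts"]) > self.max_skew:
            return False, "stale claim"
        if claims["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(claims["nonce"])
        # 3. Authorize on identity only; the sender's address never enters the decision.
        if self.own_identity not in self.policy.get(claims["id"], set()):
            return False, f"{claims['id']} -> {self.own_identity} not whitelisted"
        return True, "allowed"


def demo() -> dict:
    secret = b"constructed-shared-secret"  # placeholder key material for the example
    backend = Enforcer(secret, "backend", POLICY)
    ok_token = mint_token(secret, "frontend", ts=1000, nonce="n1")
    results = {"frontend->backend": backend.authorize(ok_token, now=1005)}
    results["replay"] = backend.authorize(ok_token, now=1006)
    results["unlisted sender"] = backend.authorize(mint_token(secret, "batch", 1000), 1005)
    forged = dict(ok_token, payload=ok_token["payload"].replace("frontend", "admin"))
    results["forged claim"] = backend.authorize(forged, now=1005)
    return results
```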
“The traditional way of thinking makes the network the natural place to impose security for distributed applications,” Aporeto Chief Executive Dimitri Stiliadis said in a statement. “Mechanisms include distributed firewalls, distributed ACLs, and SDN. Think about cloud scale, though. None of these approaches make sense. Aporeto Trireme attaches security to the application by authentication and authorization in a network-agnostic way.” Aporeto says its approach to security also protects against man-in-the-middle attacks and replay attacks.
Amir Sharif, cofounder and vice president of business at Aporeto, will demonstrate how Trireme works in a session titled “DevOps and Microservices – An In-Depth Look at Security Challenges” at the 19th International Cloud Expo in Santa Clara, Calif., on Thursday.
Photo Credit: tekinfulden Flickr via Compfight cc