UPDATED 23:29 EDT / NOVEMBER 01 2016

NEWS

Aporeto unveils whitelist security model for application containers

A cloud-native security startup today introduced what it says is a dead simple security model for containers, which allow applications to run on any computer.

Aporeto on Tuesday unveiled a new open-source project called Trireme that simplifies application segmentation for distributed apps. The project, which works with containers from Docker Inc. or with the open source Kubernetes software for managing cloud applications on clusters of machines, “is based on a distributed architecture and is an alternate implementation of network policy that does not require any external policy controller or state, hence relieving the complexities of overlay topologies,” the company said.

In plainer English, Aporeto basically takes a whitelist approach to container security. Whereas traditional security methods are focused on blocking certain kinds of actions or bad actors, whitelisting does just the opposite, specifying which actions are permitted. Any other type of action is blocked by default.

The open-source Trireme project takes that basic concept further by making containers identify themselves to each other. For example, if a service requires Container A to talk to Container B, Trireme will insert an encrypted signature into the metadata of both containers. As soon as Container B receives packets from Container A, Trireme will recognize that signature from Container A, then validate whether the communication is legitimate.

Because of the way whitelisting works, Containers A and B won’t talk to anything else. That means Trireme effectively eliminates either one as an entry point for attackers, since neither will communicate with outsiders. Even if one of the containers is somehow compromised, it can only talk to one other point in the network. Moreover, it doesn’t matter if Container A or B gets moved around the network, because Trireme only cares about container identities, not locations.
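As an added illustration (not Trireme's own code, nor code from the article), the following Python model shows the identity-based check the two paragraphs above describe: a signed identity token, a default-deny whitelist keyed on container identity rather than network address, and a nonce cache that rejects replayed tokens. The shared key, container names and policy entries are constructed for the demo, and a single pre-shared key is assumed in place of whatever key distribution the real project uses.

```python
import hashlib
import hmac
import secrets

# Assumption (not from the article): all enforcers share one symmetric key.
# A pre-shared key stands in for whatever key distribution Trireme really uses.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Whitelist policy keyed on container identity, never on address.
# Only listed (source, destination) pairs may talk; everything else is denied.
POLICY = {("container-a", "container-b")}


def new_nonce():
    """Fresh random nonce, hex-encoded so it never contains the '|' separator."""
    return secrets.token_hex(16).encode()


def sign_identity(identity, nonce):
    """Sender side: identity + nonce, bound together by an HMAC-SHA256 tag."""
    msg = identity.encode() + b"|" + nonce
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"|" + tag


class Enforcer:
    """Receiver side: validates the signed identity before applying the whitelist."""

    def __init__(self, identity):
        self.identity = identity
        self.seen_nonces = set()  # replay cache; a real enforcer would expire entries

    def authorize(self, token, src_ip="ignored"):
        # src_ip is accepted but never consulted: the decision is identity-based,
        # so a container keeps the same policy when it is rescheduled elsewhere.
        parts = token.split(b"|")
        if len(parts) != 3:
            return False, "malformed"
        ident, nonce, tag = parts
        expected = hmac.new(SHARED_KEY, ident + b"|" + nonce,
                            hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"    # forged or tampered identity (MITM)
        if nonce in self.seen_nonces:
            return False, "replay"           # same token presented twice
        self.seen_nonces.add(nonce)
        if (ident.decode(), self.identity) not in POLICY:
            return False, "not whitelisted"  # default deny
        return True, "allowed"
```

Note that the outcome for Container A stays "allowed" across different source addresses, while a second presentation of the same token fails as a replay.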

“The traditional way of thinking makes the network the natural place to impose security for distributed applications,” Aporeto Chief Executive Dimitri Stiliadis said in a statement. “Mechanisms include distributed firewalls, distributed ACLs, and SDN. Think about cloud scale, though. None of these approaches make sense. Aporeto Trireme attaches security to the application by authentication and authorization in a network-agnostic way.” Aporeto says its approach to security also protects against man-in-the-middle attacks and replay attacks.

Amir Sharif, cofounder and vice president of business at Aporeto, will demonstrate how Trireme works in a session titled “DevOps and Microservices – An In-Depth Look at Security Challenges” at the 19th International Cloud Expo in Santa Clara, Calif., on Thursday.

Photo Credit: tekinfulden Flickr via Compfight cc
