As the number of cyber threats to networks and applications increases so does the number of startups offering new ways to combat them.
The latest is Aporeto, a San Jose, Calif., startup, which this week launched a solution it says in some cases can do away with traditional security components such as firewalls, VPNs and gateways in hybrid and multi-cloud environments. Instead, an agent protects applications through identity, authorization, context and encryption.
“The benefits are stronger security across the board, simpler operations because it de-couples security from the infrastructure and the network, and it’s zero-touch for developers,” Amir Sharif, the company’s vice-president of business and a co-founder, said in an interview.
An unnamed Canadian credit card processor is an early customer, he said.
Aporeto says its solution can scale and secure Kubernetes containers, microservices, and Linux services. End-to-end encryption protects applications without network segmentation or what it calls “cloud ops gymnastics.”
All a developer or administrator needs to do is add a two-line script for the agent to the application, which registers the solution with Aporeto.
“We do authentication by automatically generating application identity,” said Sharif. Its agent runs on every operating system to monitor processes, correlating them with the application they belong to. The agent gleans metadata from the orchestration layer, from the operating system and from the cloud infrastructure, plus any other data the network administrator or developer may want. “It effectively creates a fingerprint for that particular application component, and that fingerprint survives as long as that component is up and running.”
That fingerprint is used for identity: if an application component doesn’t have a registered fingerprint, access is denied. If it does, a policy look-up checks whether the requested access is approved. In this way there is identity, authentication, and authorization.
“We have zero ties to the network or the underlying cloud infrastructure,” Sharif said, “allowing the companies [customers] to use any cloud service provider they want and still have a consistent security framework across the board, no matter where the application is running.”
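The identity-based authorization model described above, as an added illustration that is not Aporeto's code: each component's fingerprint is derived from orchestration, operating-system and cloud metadata, a component is only recognised if that fingerprint was registered, and a default-deny policy is evaluated over identity attributes rather than IP addresses or subnets. The metadata records, attribute names, the `register`/`authorize` helpers and the sample policy are all constructed for this example. Note that the policy selectors deliberately omit the cloud provider and region, which is what lets one rule hold "no matter where the application is running".

```python
import copy
import hashlib
import json

# Constructed workload metadata, modelled on the three sources the article names
# (orchestration layer, operating system, cloud infrastructure). Hypothetical values.
FRONTEND = {
    "orchestrator": {"namespace": "shop", "labels": {"app": "web", "tier": "frontend"},
                     "image_digest": "sha256:aaaa1111"},
    "os": {"executable_sha256": "deadbeef01", "uid": 1000},
    "cloud": {"provider": "aws", "region": "ca-central-1"},
}
PAYMENTS = {
    "orchestrator": {"namespace": "shop", "labels": {"app": "payments", "tier": "backend"},
                     "image_digest": "sha256:bbbb2222"},
    "os": {"executable_sha256": "deadbeef02", "uid": 1001},
    "cloud": {"provider": "azure", "region": "canadacentral"},
}

# Default-deny policy expressed over identity attributes. Selectors never mention
# provider/region, so the same rule applies across clouds.
POLICY = [
    {"name": "web-to-payments",
     "source": {"namespace": "shop", "app": "web"},
     "dest": {"namespace": "shop", "app": "payments"},
     "action": "allow"},
]


def identity_attributes(metadata):
    """Reduce raw metadata to the canonical attribute set that defines a component."""
    return {
        "namespace": metadata["orchestrator"]["namespace"],
        "app": metadata["orchestrator"]["labels"]["app"],
        "tier": metadata["orchestrator"]["labels"]["tier"],
        "image": metadata["orchestrator"]["image_digest"],
        "binary": metadata["os"]["executable_sha256"],
        "provider": metadata["cloud"]["provider"],
        "region": metadata["cloud"]["region"],
    }


def fingerprint(attrs):
    """Deterministic digest of the canonical attributes; stable while the component runs."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def register(registry, metadata):
    """Register a running component: map its fingerprint to its identity attributes."""
    attrs = identity_attributes(metadata)
    fp = fingerprint(attrs)
    registry[fp] = attrs
    return fp


def matches(selector, attrs):
    """A selector matches when every key it names has the same value in the attributes."""
    return all(attrs.get(key) == value for key, value in selector.items())


def authorize(registry, src_fp, dst_fp, policy=POLICY):
    """Deny unknown fingerprints outright; otherwise return the first matching rule."""
    src, dst = registry.get(src_fp), registry.get(dst_fp)
    if src is None or dst is None:
        return ("deny", "unregistered identity")
    for rule in policy:
        if matches(rule["source"], src) and matches(rule["dest"], dst):
            return (rule["action"], rule["name"])
    return ("deny", "no matching rule")


def demo():
    """Registered web -> payments is allowed; the reverse and a tampered binary are denied."""
    registry = {}
    web_fp = register(registry, FRONTEND)
    pay_fp = register(registry, PAYMENTS)
    tampered = copy.deepcopy(FRONTEND)
    tampered["os"]["executable_sha256"] = "0badf00d"  # different binary -> different fingerprint
    rogue_fp = fingerprint(identity_attributes(tampered))  # never registered
    return {
        "web_to_payments": authorize(registry, web_fp, pay_fp),
        "payments_to_web": authorize(registry, pay_fp, web_fp),
        "tampered_to_payments": authorize(registry, rogue_fp, pay_fp),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow}: {decision}")
```

The example also shows why such a fingerprint is tied to a running component: changing any contributing attribute (here the executable hash) yields a different digest that the registry has never seen, so the policy engine never even reaches the rule table.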
Aporeto can be purchased as SaaS or as an on-premises service. It lists at US$1,000 per operating system (server) per year.
In a possible use case, Sharif said, an organization that runs two synchronized instances of an application for redundancy could do away with the overlay network, firewall rules, access control lists, gateways, and VPN tunnels that would normally be used.
Another possible use case is the migration of an application to the cloud while linking back through microservices to on-prem workloads. A typical model, he said, would be “lift and shift” – replicating the on-prem architecture with virtual firewalls, virtual subnets and virtual VPNs. Instead, virtual machines can be ported to a cloud service provider and the application protected with Aporeto and policies. The migration could also be done faster and less expensively than with a traditional architecture, Sharif said.
Co-founder and CEO Dimitri Stiliadis was the co-founder and CTO of Nuage Networks, which makes a virtualized services platform.