Cloud Native Security, OpenShift Commons Briefing. Amir Sharif, Co-Founder, amir@aporeto.com
Cloud Native Applications Challenge Security (chart: Change Frequency on one axis and End Points on the other, each scaled x, 10x, 100x, 1,000x). Legacy (Pets): servers, VMs; monolithic, centralized. Cloud Native (Cattle): containers, serverless; microservices, distributed. Security tooling along the way: network-centric HW firewalls with manual control; SDN / SW firewalls / middle-boxes, complex & semi-static. Cloud Native Security Requirements: automated and scalable; infrastructure & platform independent; part of the DevOps pipeline.
Secure This: Cloud Native Apps in Theory (diagram labels: Load Balancer, West)
Secure This: Cloud Native Apps in Practice (diagram labels: three regions, West, Central and East, each behind a Load Balancer, with DB Replication between them; Firewall; Partner Network; Legacy Infrastructure; External Services)
Secure This: Cloud Native Apps in Practice (diagram labels: in each of West, Central and East, VPC 1 and VPC 2 with Virtual Appliance, SDN, KMS, NAT, Load Balancer, ACL, Firewall, Gateway and VPN Tunnel; DB Replication between regions; API Gateways and Firewall toward Partner Network, Legacy Infrastructure and External Services). Verdict: Complex, Fragile, Fundamentally Insecure.
Cloud Security Pillars: Segmentors (ACLs, Firewalls, SDN, VLANs); Encryptors (IPSec, SSL, TLS, VPN); Secrets Managers (Certificate managers, KMS, Vault); Enforcers (Policy, RASP, Image scanners, Virus scanners); Developers. Disaggregated tools, no established best practice.
How Cloud Security Should Be Solved. The Open Internet Design: everything can communicate with each other unless explicitly prohibited (diagram: nodes A, B, C, F with blocked links marked X). Results: existing security complexity, fragility, costs. Needed: Whitelist Security: no communication is allowed unless policy allows it (diagram: nodes A, B, C, D, E, F with explicitly allowed links). Benefits: better security with radical simplification, commoditization. Requirement: identity, plus scalable, distributed policy and enforcement.
Micro-Identity and Policy Management (diagram labels: Who, Where, What; Policy; Metadata; Reputation Service; Resource; Behavior; Trust Profile; Security Posture)
Policy: Scalable Auth-n, Auth-z in the Cloud. Example: subject env=prod app=payroll; verb connect, encrypt; object env=prod data=confidential. Analogy: "Good companies create customer value." has a subject, a verb and an object. Policy shape: subject, verb, object, context a, context b, ..., context n; for example allow / read / encrypt under context i, context j, context m.
Aporeto Operational Model, on any infrastructure @ any scale (diagram labels: Authentication; Authorization; Application Segmentation; Encryption, Secrets Mgmt.; Service / Process Monitoring, Enforcement; Real-Time Policy Monitoring, Enforcement; Resource)
Enterprise Cloud Security for legacy apps, microservices, and serverless architectures (diagram labels: a Unifier across Isolators, Encryptors, Secrets Managers and Enforcers)
Aporeto Cloud-Native Security: end-to-end Authentication, Authorization, Encryption for distributed applications; comprehensive control; automated, application-aware policy; visibility and monitoring; any infrastructure (diagram also shows Ext Svc). Simple, Scalable, Secure.
Transparent Application Authorization (diagram): in Cluster 1 a workload carries state information and the attributes Env = Prod, App = Web, Image=nginx; the request is signed with the attributes attached, and optionally encrypted. In Cluster 2 the destination workload carries the attributes ApplicationType=Prod, Instance=DataBase and the policy "Accept from (App = Web) & (Env = Prod)"; it validates the request based on policy and marks it Valid. Source and destination are identified by application context, so adding nodes is an O(1) operation.
Use Case 1: Native Kubernetes Policies (Network Policies alongside Aporeto Security Policies)
Use Case 2: Aporeto Security Policies (Network Policies; Aporeto Security Policies with richer context*). *Aporeto has policy superset.
Use Case 3: Egress Network Policy Support (Network Policies; Aporeto Security Policies with richer context* + egress policies). *Aporeto has policy superset.
Use Case 4: External Services Policy Support (Network Policies; Aporeto Security Policies with richer context* + egress policies + access policies for external services). *Aporeto has policy superset.
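The whitelist model ("no communication is allowed unless policy allows it"), the subject / verb / object / context policy shape, the "sign & attach attributes, then validate based on policy" flow of the Transparent Application Authorization slide, and the egress and external-service cases above all rest on one mechanism: a default-deny decision taken over authenticated workload attributes rather than network addresses. The following is an added example written for this page, not Aporeto's code or API. It assumes a constructed shared HMAC key in place of the certificate-based identity a real deployment would use, and every workload, attribute and rule in it is constructed for illustration.

```python
# Added example: attribute-based whitelist authorization with default deny.
# Illustrative code for this page, not Aporeto's implementation. The HMAC
# shared key, attribute names and sample workloads are all constructed here.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo key standing in for per-cluster credentials; a real system
# would derive sender identity from certificates, never from a hard-coded key.
SIGNING_KEY = b"constructed-demo-key"


def _canonical(attrs: dict) -> bytes:
    """Stable encoding so sender and receiver sign the same bytes."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def sign_attributes(attrs: dict) -> dict:
    """Sender side: attach an authentication tag to the attribute set."""
    tag = hmac.new(SIGNING_KEY, _canonical(attrs), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "tag": tag}


def verify_attributes(claim: dict) -> Optional[dict]:
    """Receiver side: return the attributes only if the tag is authentic."""
    expected = hmac.new(SIGNING_KEY, _canonical(claim["attrs"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["tag"]):
        return None  # tampered or forged identity claim
    return claim["attrs"]


@dataclass
class Rule:
    """subject selector, permitted verbs, object selector, plus an encryption context."""
    subject: dict
    verbs: frozenset
    obj: dict
    encrypt: bool = False


def selector_matches(selector: dict, attrs: dict) -> bool:
    """Every key=value in the selector must be present in the attribute set."""
    return all(attrs.get(k) == v for k, v in selector.items())


def evaluate(policy: list, claim: dict, dest_attrs: dict, verb: str) -> Tuple[bool, bool]:
    """Default deny. Returns (allowed, encrypt) from the first matching rule."""
    src_attrs = verify_attributes(claim)
    if src_attrs is None:
        return (False, False)  # unauthenticated attributes never match anything
    for rule in policy:
        if (verb in rule.verbs
                and selector_matches(rule.subject, src_attrs)
                and selector_matches(rule.obj, dest_attrs)):
            return (True, rule.encrypt)
    return (False, False)  # nothing whitelisted this flow


# Constructed policy: the database accepts only from (App=Web) & (Env=Prod),
# and only payroll in prod may reach one external service, both encrypted.
POLICY = [
    Rule(subject={"App": "Web", "Env": "Prod"}, verbs=frozenset({"connect"}),
         obj={"ApplicationType": "Prod", "Instance": "DataBase"}, encrypt=True),
    Rule(subject={"app": "payroll", "env": "prod"}, verbs=frozenset({"connect"}),
         obj={"kind": "external", "service": "partner-ledger"}, encrypt=True),
]
DATABASE = {"ApplicationType": "Prod", "Instance": "DataBase"}
PARTNER_LEDGER = {"kind": "external", "service": "partner-ledger"}  # operator-assigned


def demo() -> dict:
    """Run constructed requests through the policy and collect the decisions."""
    web_prod = sign_attributes({"Env": "Prod", "App": "Web", "Image": "nginx"})
    web_prod_node2 = sign_attributes({"Env": "Prod", "App": "Web", "Image": "nginx"})
    web_stage = sign_attributes({"Env": "Staging", "App": "Web", "Image": "nginx"})
    payroll = sign_attributes({"env": "prod", "app": "payroll"})
    forged = dict(web_stage)  # attributes edited after signing; tag no longer matches
    forged["attrs"] = {"Env": "Prod", "App": "Web"}
    return {
        "web_prod->db": evaluate(POLICY, web_prod, DATABASE, "connect"),
        "new_web_node->db": evaluate(POLICY, web_prod_node2, DATABASE, "connect"),
        "web_stage->db": evaluate(POLICY, web_stage, DATABASE, "connect"),
        "forged->db": evaluate(POLICY, forged, DATABASE, "connect"),
        "payroll->partner": evaluate(POLICY, payroll, PARTNER_LEDGER, "connect"),
        "web_prod->partner": evaluate(POLICY, web_prod, PARTNER_LEDGER, "connect"),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:20} allowed={decision[0]} encrypt={decision[1]}")
```

The second web node is admitted without touching the policy, which is the O(1) node-addition property the slides claim for identity-based policy, and the tampered claim is rejected before any rule is consulted: a whitelist over attributes is only as strong as the authentication of those attributes.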
Use Case 5: Multi-Availability Zone Security, Existing Model (diagram labels: Private Data Center with ELBs, NAT, NAT6 and Direct Connect; Internet; Public Cloud (AWS) running Containers and Microservices). Complex security policy configurations spanning diverse operational models and administrative domains.
Use Case 5: Multi-Availability Zone Security, Aporeto (diagram labels: one Policy spanning Internet, Containers, Microservices, Private Data Center and Public Cloud (AWS)). Automated, fine-grained, end-to-end control; workloads identified by properties, not network location.
Secure This: Cloud Native Apps in Practice (recap of the earlier multi-VPC diagram: Complex, Fragile, Fundamentally Insecure)
Aporeto: The End-to-End Solution for Cloud Native, Legacy, and Hybrid Environments (diagram labels: West, Central and East behind Load Balancers with DB Replication between them; API Gateways and Firewall toward Partner Network, Legacy Infrastructure and External Services)
The Benefits: reduced attack surface; verifiable security posture; lower cost, less complexity; on any cloud, at any scale.
Aporeto Architecture (diagram labels: Identity; Analytics & Policy Management; Pluggable Enforcers for Network, APIs, File System, Encryption, Secrets and 3rd Party)
Try it: console.aporeto.com
Simple, Scalable, Secure