everythingpossible - Fotolia
Informatica's cloud footprint is big. The data management software company has been in the midst of a colossal...
cloud migration, with the number of virtual machines and containers it runs reaching into the 10,000, even 20,000, range. Applying security rules to server interactions is, in a word, onerous.
"When you get to the thousands, the number of rules you need to apply, from essentially, 'Can I speak to you,' and then at the other end, 'Are you really allowed to speak to me?' -- those numbers go into millions," said Alec Chattaway, director of cloud infrastructure operations at the Redwood City, Calif., company. "Just literally applying them, maintaining them, making sure they're reviewed becomes a logistical and operational nightmare."
That was before Chattaway deployed Aporeto, a security tool for hybrid and multi-cloud IT environments that builds security policy into applications themselves. Launched late last year, the software monitors and protects applications by what's known as whitelisting, or allowing only authorized interactions to go through. It also provides a view of all the interactions made, so anything untoward -- a lurking malware attack, for example -- can be easily discerned.
"We only see the outliers," Chattaway said. "Essentially, it's much less of a worry for me, because I don't need to worry about reviews or mistakes, and all the important things are visible to me."
Protecting cloud workloads
Aporeto is a type of IT security tool that market research outfit Gartner calls a cloud workload protection platform. It is specially designed for today's hybrid IT environments, which span internal private clouds, built on physical infrastructure in an organization or in colocation facilities, and public cloud services.
Such diversified operations have "unique security needs that legacy security protection solutions do not address," wrote Gartner analyst Neil MacDonald in a report published in March. For example, applications built in the cloud have to scale elastically, so protection does, too; software built for physical machines won't easily do that. Also, in public clouds, data at rest needs to be encrypted; on premises it rarely does. And containers, popular among developers because they hasten the software building process, have potential vulnerability and configuration issues that require specialized vetting and protection.
Aporeto, the San Jose, Calif., vendor's website declares, is "a Zero Trust security solution for microservices, containers and the cloud." The term zero-trust was popularized by former Forrester Research analyst John Kindervag as an IT security model emphasizing constant verification: Anything inside or outside an organization trying to access a server first must be checked and cleared by the network.
Built-in security policy
The cloud workload protection platform Aporeto builds computer security policy -- what's allowed and what isn't -- into the components that make up applications, containers, microservices, whatever might access servers, said co-founder Amir Sharif. For example, in a three-tier software application, the policy is embedded into each of the layers -- database, web interface and business logic.
"We ingest the script that the developer wrote to define what the application ought to be doing," Sharif said.
When the components in the service doing the calling are authenticated with those in the server being called on, access is granted.
"So, component A and component B know who they're talking to, and that conversation has been allowed by policy," Sharif said.
Server workloads have very specific sets of functions to carry out and don't need to make the wide variety of connections that "endpoints" such as desktops and laptops do. That's why whitelisting is a sensible, powerful protection for servers; for much more social PCs, it's a management headache.
Added to whitelisting is a wall of encryption, Sharif said. "We then act as a proxy in the middle and encrypt the traffic, so anybody listening in the middle sees gibberish."
Also, Aporeto's cloud workload protection platform monitors all attempted connections to servers and puts that information into a time-series database, which stores data points in chronological order, giving a historical view into all interactions. "If you had a violation yesterday at 11:30 or 2 a.m., you can go back precisely to that moment and see what two applications components were implicated," Sharif said. "From there, you can do your very detailed forensic analysis based on actionable data that you have."
To learn about the benefits Aporeto's cloud workload protection platform offers organizations, read part two of this two-part case study.