2016-11-02



A cloud-native security startup today introduced what it says is a dead simple security model for containers, which allow applications to run on any computer.

Aporeto on Tuesday unveiled a new open-source project called Trireme that simplifies application segmentation for distributed apps. The project, which works with containers from Docker Inc. or with the open source Kubernetes software for managing cloud applications on clusters of machines, “is based on a distributed architecture and is an alternate implementation of network policy that does not require any external policy controller or state, hence relieving the complexities of overlay topologies,” the company said.

In plainer English, Aporeto basically takes a whitelist approach to container security. Whereas traditional security methods are focused on blocking certain kinds of actions or bad actors, whitelisting does just the opposite, specifying which actions are permitted. Any other type of action is blocked by default.

The open-source Trireme project takes that basic concept further by making containers identify themselves to each other. For example, if a service requires Container A to talk to Container B, Trireme will insert an encrypted signature into the metadata of both containers. As soon as Container B receives packets from Container A, Trireme will recognize that signature from Container A, then validate if the communication is legitimate.

Because of the way whitelisting works, Containers A and B won’t talk to anything else. That means Trireme effectively eliminates either one as an entry point for attackers, since neither will accept traffic from outsiders. Even if one of the containers is somehow compromised, it can only talk to one other point in the network. Moreover, it doesn’t matter if Container A or B gets moved around the network, because Trireme only cares about container identities, not locations.

“The traditional way of thinking makes the network the natural place to impose security for distributed applications,” Aporeto Chief Executive Dimitri Stiliadis said in a statement. “Mechanisms include distributed firewalls, distributed ACLs, and SDN. Think about cloud scale, though. None of these approaches make sense. Aporeto Trireme attaches security to the application by authentication and authorization in a network-agnostic way.” Aporeto says its approach to security also protects against man-in-the-middle attacks and replay attacks.
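As an added illustration (not Aporeto’s code or Trireme’s actual wire format), the following Python sketch models the identity check described above: the sender attaches its labels, a fresh nonce and an authentication tag to the connection request; the receiver verifies the tag, rejects a nonce it has already seen (replay), and drops anything whose labels are not whitelisted. A shared secret with HMAC-SHA256 stands in for the signature, and every name and value is constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example: a shared secret stands in for the signing key that
# an enforcer on each container would hold.
SHARED_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Claim:
    """Identity a container attaches to its connection request."""
    labels: tuple   # who the sender is, e.g. ("app=A", "env=prod")
    nonce: bytes    # fresh per connection, so an old claim cannot be replayed
    tag: bytes      # MAC over labels and nonce, proving the claim was not forged


def _message(labels, nonce):
    # Canonical byte string that is authenticated: sorted labels, then the nonce.
    return "\n".join(sorted(labels)).encode() + b"\x00" + nonce


def make_claim(secret, labels):
    """Sender side: build and authenticate a claim for this connection."""
    nonce = os.urandom(16)
    tag = hmac.new(secret, _message(labels, nonce), hashlib.sha256).digest()
    return Claim(tuple(labels), nonce, tag)


class Verifier:
    """Receiver side for one container: only whitelisted labels may talk to it."""

    def __init__(self, secret, allow):
        self.secret = secret
        self.allow = frozenset(allow)
        self.seen = set()   # nonces already accepted (replay defence)

    def accept(self, claim):
        """Return 'ok' or the reason the connection is dropped (default deny)."""
        expected = hmac.new(self.secret, _message(claim.labels, claim.nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, claim.tag):
            return "bad signature"      # forged or tampered identity
        if claim.nonce in self.seen:
            return "replay"             # same claim presented twice
        self.seen.add(claim.nonce)
        if not self.allow & set(claim.labels):
            return "not whitelisted"    # valid identity, but no policy permits it
        return "ok"
```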

Amir Sharif, cofounder and vice president of business at Aporeto, will demonstrate how Trireme works in a session titled “DevOps and Microservices – An In-Depth Look at Security Challenges” at the 19th International Cloud Expo in Santa Clara, Calif., on Thursday.
