How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with InfluxData
0 likes344 views
The document discusses the integration of Aporeto and InfluxDB to secure cloud-native workloads by providing a consistent security model that requires no code changes and allows for fine-grained security policies. It emphasizes automated security policy generation, real-time visibility, and the need for strong access control across Kubernetes environments. InfluxDB is highlighted for its capabilities in managing a secure history of workload events with high availability and performance.
How Aporeto Secures Cloud-native Across Public, Private, & Hybrid Clouds with InfluxData
- 1. Securing Cloud-native Workloads with Aporeto and InfluxDB
- 3. Stronger Security. Simpler Operations. Zero Touch for Developers.
- 4. What DevSecOps want from Cloud-native Security 3. One consistent model (span sites and clouds) 4. No changes to source code (don’t slow us down) 6. Codify Security (Integrate into my CI/CD toolset) 2. Protect application components (assume zero internal or external trust) 1. No IP address range gymnastics (Over 50% of rules could be obsolete) 7. Clear security visibility (real-time & historical for debug) 8. Zero touch end-end encryption (applied with a security rule) 5. Auto-generate Security Policies (observe running application)
- 5. Uniquely identify each application component, use enforcers, and auto-generated security policies Host Host Root CA Security Policies How Aporeto Works Management
- 6. Why a Time Series Database Database Requirements: Secure history of events • Events type: ○ Process//Container events ○ Flow // Connection events Nginx container External client Database process Container up event (t=1s) Container down event (t=4s) Container up event (t=5s) Process up event (t=1s) Allow flow event (t= 1.5s) Allow flow event (t=3s) Allow flow event (t= 1s) Deny flow event (t= 3s)
- 7. • Cassandra • MongoDB • HBase Metrics Database Selection Criteria • Time-series with fast ingestion rate • High Availability • Easy to Use • High Availability model • Performance • Low Complexity • Licensing Model • Extensibility • As a service and on prem Database Requirements What We Looked At Why InfluxDB
- 8. Let’s Have a Beer https://github.com/aporeto-inc/apobeer.git
- 9. Web Server Pick a Beer Price a Beer Beer Database Buy a Beer Block Diagram Random Number NGINX Containers ZONE 1 ZONE 3ZONE 2 Redis Browser Constant Traffic Python Script Internet Price Database Redis
- 10. Web Server Pick a Beer Price a Beer Beer Database Price Database IP Address based Security Does not Work Numerable Unintended Access Routes – Zero Visibility Hard to Figure Out which IP-Address Rules Need to Be Changed Random Number NGINX Containers Redis ZONE 1 ZONE 3ZONE 2 Redis Browser Constant Traffic Python Script Internet
- 11. Web Server Pick a Beer Price a Beer Beer Database Price Database Fine-grained security for each application component, wherever it runs Stronger, Always Current, No Unintended Access Paths Easy to Administer, Zero Changes to Code Random Number NGINX Containers Redis Redis Browser Constant Traffic Python Script Private
- 12. Pod Container Container Pod Container Container NetworkPolicy NetworkPolicy Network Plugin Linux iptables or BPF Node Kubernetes Network Access Control Bernard
- 13. Feature Kubernetes Kubernetes with Aporeto Compatible with Kubernetes NetworkPolicy resources Y Y Control ingress & egress traffic Y Y Control Traffic based on TCP/IP addresses and ports Y Y Control traffic based on strong component identities N Y Easily request data encryption between pods N Y Automatically generate editable security policies N Y Uses a highly scalable Kubernetes network plugin N Y Easiest way to set up and keep security settings current N Y Real-time and historical visibility of security & alerts N Y Span Kubernetes and non-Kubernetes Environments N Y Consistent security across Kubernetes Clusters N Y Better Kubernetes Network Access Control with Aporeto
- 14. Summary: InfluxDB & Aporeto InfluxDB Aporeto • Secure history of all flows and workload events • High Availability cluster • Performance • Low Complexity • Licensing Model • Extensibility • Based on Identities of Application Components • Enforced by Aporeto Enforcer + Access Policies • One consistent security model • Fine-grained security for individual services • Access based on multiple factors beyond User-ID • Easy to administer and keep current • Unrivaled security posture visibility Private