Securing Cloud-Native Applications Jason Schmitt CEO

Cloud-Native Architecture

Microservices Security Challenges Dynamic nature of microservices invalidates existing network security approaches & reduces deployment velocity Identity, certificates, secrets, and encryption create huge operational problems API is the new resource. AuthN/AuthZ for APIs are done in business logic or not accounted for Cloud, container adoption introduce new threat vectors and new security operational models

Core Tenants of a Microservice Security Solution

Comprehensive approach is required API Three layers in microservice security stack Container runtime: host interactions Network access Why take a cross stack view? No silver bullet to security Stronger detection: Correlation of events across the stack Stronger protection: Exercise zero trust least privilege access control across the stack

Multi-attribute Identity Zero Trust AuthN/AuthZ through identity Service identity consists of Vulnerability data from image scans Metadata: Image, build data, type (frontend, backend) User identity JWT scopes assigned by OIDC compliant Identity Provider User [User identity] Service/API [Service identity] Multi-attribute Identity Service/API [Service identity]

Monolith on bare-metal Heterogenous deployments are much more complex Kubernetes cluster ECS Service mesh VM Monolith on bare-metal Private Cloud

Best Practices

Integrate security into CD pipeline Manual (impacts velocity) Production deployment with security/compliance Build Unit Test Deploy to stage Acceptance test Production deployment with security/compliance Automated Automated Automated Automated Automate deployment of security through continuous deployment (CD) pipeline so security is no longer a hindrance to deployment velocity. How? Enable declarative security policies – treat security policies as code Decouple security from infrastructure

Compute, Network & Storage on Private or Public Cloud Decouple security policies from infrastructure Authentication, Authorization and Encryption policies for Apps independent of any infrastructure VM or Container managed by your choice of Orchestration & Management tool Compute, Network & Storage on Private or Public Cloud Private DC Public Cloud

Microservice API Access Control Per-API Service to service Based on service identity User to service Based on user identity (certificate, JWT) API Service to service on behalf of user Based on service & user identity API to External Service Per-API access control Automatic TLS External Service Offload Authentication & Authorization of Microservice APIs from business logic Leverage service identity for API authorization. Distribute API authorization to all microservices.

Container image layers Vulnerability Management & Threat Detection CVE databases CD pipeline Base image App SCRATCH Container image layers Host Host interactions Static scan of container image layers and continuous comparison against CVE database Remediate CVEs ASAP Monitor system calls & correlate with network and API events to determine strong indicators of compromise

Don’t try to accomplish all this with the network! Scenario: Host A with IP 1.1.1.1 comes into existence and notifies controller. Controller notifies all host that they MAY talk to Host A (ADD permit 1.1.1.1/32). Host A talks to Host B Host A dies Controller notifies all host that they MAY NOT talk to Host A (REMOVE permit 1.1.1.1/32). Host X Controller Host A 1.1.1.1 Host Y Host B 9,997 other host

What Aporeto does

Aporeto Application Identity-Powered Security Contextual identity automatically created for every service based on: Who, what, where CI/CD and environmental metadata Intelligent behavioral profiling Threat, vulnerability and risk scoring Distributed security enforcement Adaptive policy distributed to workloads Based on unique workload identity Decoupled from network infrastructure Security control and orchestration Whitelist and control all access and behavior Authentication, authorize and encrypt everything Cloud-native security automation and orchestration Without writing code or changing network Distributed Policy Access Control Threat and Vulnerability Score Encryption Attributed Fingerprint

How Aporeto Works S2 S3 S1 x C1 S4 x P1 P2 P3 x x Azure Public Cloud AWS Security Orchestrator S2 S3 S1 x Unknown request, Default deny all C1 Containers Distributed Policy Enforcement based on Workload Identity Blocked East-West Attempt Whitelist by Policy Virtualized, Private Cloud Windows S4 Linux x P1 Authorized API call P2 Datacenter, Bare Metal P3 x Malware requests denied x M 17

Where Aporeto Fits Orchestrators Infrastructure (Public or Private) Vulnerability scanners Single Sign-On Providers Orchestrators SIEM Host OS Docker Engine App Aporeto Host OS App Aporeto Security Orchestrator CI/CD Pipeline Cloud APIs i.e AWS Infrastructure (Public or Private)

Thank you!