The Fat Pipe - All of the Packet Pushers Podcasts

Get every episode of every Packet Pushers podcast in one very fat, very handy feed! Because too much technology would never be enough. Includes Day Two Cloud, Heavy Networking, Heavy Strategy, Heavy Wireless, IPv6Buzz, Kubernetes Unpacked, and Network Break.

https://packetpushers.net/podcasts/

BiB 068: Aporeto’s Identity Based Workload Segmentation


The following is a transcript of the audio file you can listen to in the player above.

Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary. I’m Ethan Banks, it’s January 14, 2019, and here’s what’s happening.

I had a briefing with Aporeto in December 2018. Aporeto is a security startup. “Oooh, another security startup?!?” you might say, rolling your eyes dismissively. I wouldn’t roll my eyes, as I believe there’s something very interesting here. The Aporeto solution has an eye to modern infrastructure security’s future, and not the past.

A Microsegmented Context

Before I explain Aporeto, I need to explain microsegmentation. In a nutshell, microsegmentation is centralized management of whitelists applied on a workload by workload basis. Filtering at the workload gives you the “micro” and the whitelisting gives you the “segmentation.” Writing individualized workload whitelists and maintaining them would be too hard for a human to do, especially at scale, and therefore solutions like Cisco Tetration, Illumio, and VMware NSX handle this for you. Each of the solutions I just mentioned does what it does differently under the hood, but the end result is roughly the same. A small whitelist pushed to or very close to a workload segments that workload from every other workload, the big idea being to keep malware out, or at least prevent malware from spreading, as well as help prevent data leaks. It’s a divide and contain strategy using central management and a policy engine to deploy at scale. There is more we can talk about here, because it’s possible to bolt on higher level scanning and so forth depending on the microsegmentation solution, but none of that changes my point that microsegmentation is merely an evolution of the same old firewall filtering we’ve all been doing for decades in one form or another.

Is Network-Based Microsegmentation The Proper Security Approach?

Microsegmentation assumes that the network is where security should be applied. And that’s fair enough. Assuming a defense-in-depth strategy, the network is one part of the security paradigm at least. Should sticking filter lists into highly distributed firewalls be the primary security for a modern, cloud-based application with diverse workloads, though? Aporeto argues, “No.” Aporeto sees workload security not as a network problem. If you view the network as an increasingly complex transport, which it is especially when considering hybrid and multi-cloud architectures and orchestration platforms, then securing workloads is a security problem of its own, not one to dump onto the network infrastructure in the Aporeto view.

Introducing Aporeto

Aporeto is an identity-based security solution. I don’t only mean user identity. I also mean workload identity. That is, when using Aporeto, workloads can only talk to each other when their identity is authenticated by fingerprint and authorized by policy. Aporeto decouples the network infrastructure from security on the assumptions that the network is distributed and probably not wholly managed by a given organization, that workloads are ephemeral, that all actions should be authorized, and that security lifecycle should be decoupled from the application lifecycle. I just said many words there, so let me give you a more concise focal point. Aporeto is an identity and access management security solution that expects essentially nothing of developers and little of operators to provide deep, context-aware security for workloads no matter if they are hosted locally or in the public cloud, and it does it in a form-factor agnostic way. Hosts, containers, processes, functions, and users all get a unique cryptographic identifier …
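As an added illustration (constructed example code, not Aporeto's or Packet Pushers' code) of the contrast drawn above between an address-keyed whitelist and identity-based authorization: each workload's identity is a fingerprint over its attributes, policy is written against those attributes, and a decision first authenticates the fingerprint and then consults the policy. The SHA-256 fingerprint, the label selectors, the workload labels and the 10.0.0.x addresses are all assumptions made for the illustration.

```python
import hashlib

def fingerprint(attrs: dict) -> str:
    """Constructed stand-in for a cryptographic workload identity: SHA-256 over
    the canonical attributes (a real system binds them to a key or attestation)."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()

def claim(attrs: dict) -> dict:
    """What a workload presents to its peer: attributes plus fingerprint."""
    return {"attrs": attrs, "fingerprint": fingerprint(attrs)}

def authenticate(presented: dict):
    """Return the attributes only if the presented fingerprint matches them."""
    attrs = presented["attrs"]
    return attrs if presented["fingerprint"] == fingerprint(attrs) else None

def matches(selector: dict, attrs: dict) -> bool:
    return all(attrs.get(k) == v for k, v in selector.items())

class IdentityPolicy:
    """Rules are (source selector, destination selector) attribute pairs."""
    def __init__(self, rules):
        self.rules = rules
    def permits(self, src_claim: dict, dst_claim: dict) -> bool:
        src, dst = authenticate(src_claim), authenticate(dst_claim)
        if src is None or dst is None:
            return False  # an unauthenticated identity is never authorized
        return any(matches(s, src) and matches(d, dst) for s, d in self.rules)

ACL = {"10.0.0.20": {"10.0.0.10"}}  # address whitelist: dst IP -> src IPs (constructed)
def address_permits(src_ip: str, dst_ip: str) -> bool:
    """Conventional per-workload whitelist decision keyed on source address."""
    return src_ip in ACL.get(dst_ip, set())

WEB = {"app": "shop", "role": "web"}
DB = {"app": "shop", "role": "db"}
BATCH = {"app": "reports", "role": "batch"}
POLICY = IdentityPolicy([(WEB, DB)])  # only shop/web may reach shop/db

def scenario() -> dict:
    """Web moves from 10.0.0.10 to 10.0.0.11 and batch inherits the old address:
    the identity policy is unaffected, the address whitelist is now wrong."""
    forged = {"attrs": WEB, "fingerprint": fingerprint(BATCH)}  # batch posing as web
    return {
        "identity_web_to_db": POLICY.permits(claim(WEB), claim(DB)),
        "identity_batch_to_db": POLICY.permits(claim(BATCH), claim(DB)),
        "identity_forged_claim": POLICY.permits(forged, claim(DB)),
        "acl_web_after_move": address_permits("10.0.0.11", "10.0.0.20"),
        "acl_batch_on_old_ip": address_permits("10.0.0.10", "10.0.0.20"),
    }
```

The ephemeral-workload case is the one the briefing is really about: once the web workload is rescheduled, the address list both blocks legitimate traffic and admits whichever workload inherited the old address, while the identity rule keeps authorizing exactly shop/web to shop/db.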


January 15, 2019 · 6m