Aporeto app security uncoupled from network infrastructure

Aporeto app security startup has introduced software that uses a zero-trust model to decouple security from the network infrastructure and provide application protection in hybrid cloud environments.

Aporeto's namesake product, launched this week, controls access to Docker and Kubernetes containers, network connections, virtual machines and Linux-based workloads. The system is designed to secure applications running on the corporate data center, Amazon Web Services, Microsoft Azure or the Google Cloud Platform.

Aporeto's app security approach starts by generating an identifier for each workload and a customizable policy that defines access to other services. The ID and policy stay with the workload even when it's moved.

"Once we have identity and policy, then -- using those two components -- we govern what the application does in the wild," said Amir Sharif, co-founder and VP of business development at Aporeto, based in San Jose, Calif.

Aporeto injects the identity of a workload in every SYN packet it sends to request access to a service. At the receiving end, the product checks whether the application has permission to interact with the service. If it does, then the process continues. If not, the packet is dropped. Aporeto also drops packets that do not originate from an identified source.

"This entire operation takes about three milliseconds," Sharif said. "Once the flow is established, we step out of the way."

Amir Sharif

Aporeto app security software is available  on premises or as an online service. To deploy the product, the customer installs a two-line script on each operating system running an application that needs protection. The script downloads an agent that conducts the identification and policy processes. Companies also have the option of creating a golden image of a protected environment, so it can be replicated on other systems, which avoids having to run the script on every OS.