App security startup Aporeto has introduced software that uses a zero-trust model to decouple security from the network infrastructure and protect applications in hybrid cloud environments.
Aporeto's namesake product, launched this week, controls access to Docker and Kubernetes containers, network connections, virtual machines and Linux-based workloads. The system is designed to secure applications running on the corporate data center, Amazon Web Services, Microsoft Azure or the Google Cloud Platform.
Aporeto's app security approach starts by generating an identifier for each workload and a customizable policy that defines access to other services. The ID and policy stay with the workload even when it's moved.
"Once we have identity and policy, then -- using those two components -- we govern what the application does in the wild," said Amir Sharif, co-founder and VP of business development at Aporeto, based in San Jose, Calif.
Aporeto injects the identity of a workload in every SYN packet it sends to request access to a service. At the receiving end, the product checks whether the application has permission to interact with the service. If it does, then the process continues. If not, the packet is dropped. Aporeto also drops packets that do not originate from an identified source.
"This entire operation takes about three milliseconds," Sharif said. "Once the flow is established, we step out of the way."
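The enforcement model described above (identity carried in the SYN, policy checked at the receiving end, unidentified or unauthorized packets dropped) as an added example; this is illustrative code, not Aporeto's own. The article does not say how the injected identity is protected against spoofing, so the HMAC tag, the label format and the policy table here are assumptions.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed shared secret standing in for whatever key material an agent
# would hold; the HMAC scheme is an assumption, not a description of Aporeto.
SECRET = b"example-shared-secret"

def make_identity(labels: dict) -> dict:
    """Build the identity a workload's agent attaches to an outgoing SYN."""
    payload = json.dumps(labels, sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return {"labels": labels, "tag": tag}

def verify_identity(identity: dict) -> Optional[dict]:
    """Return the labels if the identity is authentic, else None."""
    payload = json.dumps(identity.get("labels", {}), sort_keys=True).encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, str(identity.get("tag", ""))):
        return identity["labels"]
    return None

# Policy travels with the workload identity, not with addresses or subnets:
# each service lists the label sets allowed to open a connection to it.
POLICY = {
    "payments-db": [{"app": "payments", "env": "prod"}],
    "cache": [{"app": "payments", "env": "prod"}, {"app": "web", "env": "prod"}],
}

def enforce(syn: dict) -> str:
    """Decide what the receiving-side agent does with an incoming SYN.
    The source address in the SYN is deliberately ignored: the decision
    rests only on the verified identity and the policy. Returns 'accept' or 'drop'."""
    identity = syn.get("identity")
    if identity is None:
        return "drop"          # no identity at all: drop, whatever the source
    labels = verify_identity(identity)
    if labels is None:
        return "drop"          # tampered or forged identity claim
    for allowed in POLICY.get(syn["dst_service"], []):
        if all(labels.get(k) == v for k, v in allowed.items()):
            return "accept"    # identity matches a permitted label set
    return "drop"              # identified, but not permitted for this service
```

Because the check keys on identity rather than address, the same workload is accepted from any source IP once it moves, and a caller that alters its labels without the key is dropped.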
Aporeto app security software is available on premises or as an online service. To deploy the product, the customer installs a two-line script on each operating system running an application that needs protection. The script downloads an agent that conducts the identification and policy processes. Companies also have the option of creating a golden image of a protected environment, so it can be replicated on other systems, which avoids having to run the script on every OS.
Competing with Cisco Tetration, VMware NSX
Aporeto's product competes with Cisco's Tetration network analytics engine and VMware's NSX, which is virtual networking and security software. Tetration provides extensive visibility into network operations, while NSX is often used to split a virtual network into logical sub-networks to prevent unauthorized communication across unrelated entities -- a process called microsegmentation.
"Functionally, we do have overlap with NSX and Tetration, but the model is completely different," Sharif said.
Aporeto's list price is $1,000 per year per server instance.
Since its founding in 2015, Aporeto has raised $14.5 million in two rounds of funding led by Norwest Venture Partners.