A startup whose founders include the former CTO of Nuage Networks has taken a radically simple approach to container security — so simple that it’s almost hard to believe the scheme actually works.
Dmitri Stiliadis, the former CTO and now CEO of Aporeto, admits the last part freely.
“It’s so simple that I’ve been asking for months now: Why are we the first ones to do this?” he says.
It turns out Aporeto might not be first with its idea, but it appears to be the first company to put the idea out in open source form — a project called Trireme, which the company launched today — and the first to try building a business around it.
Aporeto takes a white-list approach, which is becoming common in newer security schemes. Traditional security would try to block certain actions or bad actors; a white list is the opposite strategy, in which the operator specifies which actions are permitted. Anything else gets blocked by default.
Trireme, which consists of just 5,000 lines of code, applies that concept by making containers identify themselves to one another.
Suppose a service requires Container A to talk to Container B. As Container A gets created, Trireme inserts an encrypted signature in its metadata. When Container B starts receiving packets, Trireme would recognize the signature from Container A and would validate whether the communication is within policy rules.
There’s a bit more to it (more about that below), but conceptually, it’s that simple. Trireme reduces security to label-matching.
Because this is a white list setup, Containers A and B won’t talk to anybody else. That theoretically removes either container as an entry point for attackers, because neither container should be willing to communicate with any outsiders. Even if one container is compromised, there’s only one other point in the network that it can talk to.
And it doesn’t matter if Container A or B moves around in the network (or, more properly, if they get destroyed and then recreated elsewhere). The Trireme scheme only cares about the identities of the containers, not their locations.
Aporeto’s launch today is mostly about Trireme and its integration with Kubernetes and Docker. The startup isn’t yet talking about its business plans, which involve more ambitious work around operations-based security, Stiliadis says.
Stepping Away From the Network
The inspiration for Aporeto came from Stiliadis’ job at Nuage. The company was early to get into software-defined networking (SDN), but officials were finding that customers weren’t necessarily interested in network virtualization for its own sake.
“The real problem they were trying to solve was an isolation and security problem. They were turning to the network to solve security problems,” Stiliadis says.
He left Nuage a year ago, shortly after Nokia announced the acquisition of Nuage parent Alcatel-Lucent. By December, he’d started Aporeto with founders Satyam Sinha, vice president of engineering, and Amir Sharif, who’s running the business side.
They didn’t have Aporeto’s technology mapped out at the time. Like many other entrepreneurs, they were playing off of the opportunity to rethink security in the age of cloud-native applications — applications that would be segmented into containers rather than presented as one complex mass.
Security, until now, has been network based. “They deal with IP addresses, and firewalls try to do things based on this guessing game,” Stiliadis says. “That doesn’t scale for the new world of all these distributed applications and microservices.”
Moreover, container-based applications are easy to shut down and are meant to be easy to move. This means you’ve got a lot more endpoints in the network than before, and they’re being created at a faster rate. So, security for the cloud shouldn’t depend on infrastructure at all, Stiliadis says.
Stiliadis is quick to admit that he comes from that old-school, network-based model of security. “I did that, right? I’m contradicting myself because I learned. I’m getting better as I age,” he says. “The reason I had to leave where I was, was that I couldn’t hear another conversation about service chaining.”
The Less Simple Parts
Considering Trireme’s simplicity, you might wonder if anyone else has come up with the same idea. Stiliadis found an NSA paper from the 1990s describing something similar, using labels in IP packets. But in a more relevant context, Google has dropped hints about running this kind of security inside its own network, Stiliadis says.
What Trireme really does is move the acts of authentication and authorization into the application. In other words, an application no longer contacts the network to verify a partner’s identity or to get permission to talk to another server.
Containers aren’t doing this authentication and authorization all by themselves, though. Trireme instantiates itself as a sort of software gatekeeper in front of each container. So, going back to the example above, what’s really happening is that Container B’s Trireme guard is receiving packets from Container A and, like a nightclub bouncer, is verifying that the incoming packets are “on the list.”
The scheme reduces security to label-checking, but how do the labels get onto the containers in the first place? That’s where the integration with Kubernetes comes in, because Kubernetes’ most recent release makes accommodations for network policy. Trireme can insert these labels as Kubernetes places these containers.
Trireme is now available on GitHub.