Network isolation isn’t the only way to secure application containers anymore, so Aporeto unveils a new security model for containers running in Docker or as part of Kubernetes cluster
Dimitri Stiliadis co-founded software-defined networking (SDN) vendor Nuage Networks in 2011 in a bid to help organizations improve agility and security via network isolation.
In the container world, however, network isolation alone isn’t always enough to provide security, which is why Stiliadis founded Aporeto in August 2015. On Nov. 1, Aporeto announced its open-source Trireme project, providing a new security model for containers running in Docker or as part of a Kubernetes cluster.
The name “Trireme” holds particular significance and is directly aligned with the naming of Kubernetes. In Greek, the word “Kubernetes” (“κυβερνήτης”) refers to the pilot of a ship.
“Trireme is an ancient Greek attack boat that has three rows of rowers that is usually driven by a Kubernetes,” Stiliadis, who is CEO of Aporeto, told eWEEK.
Kubernetes in the technology world is an open-source effort, originally created by Google and now operated under the auspices of the Linux Foundation’s Cloud Native Computing Foundation (CNCF), for container orchestration and management.
The Trireme project is an attempt to build a new type of security system for Kubernetes and Docker that relies on authentication and authorization, rather than just network isolation.
The basic challenge of application segmentation is providing the ability to restrict communications between one application and another if there is no proper policy in place that permits the communication. The overall goal of application segmentation is to reduce the potential attack surface as well as reduce the potential for collateral damage. If, for example, one application on a given host is compromised, it shouldn’t necessarily need to impact all the other applications on the same host or container cluster.
With network segmentation approaches, the solution to application isolation is to make sure that applications are placed on different network segments that can’t connect to each other, Stiliadis said. In his view, the network isolation approach doesn’t scale easily and adds increased complexity.
“The root fallacy in the network isolation approach to security is that network reachability means authorization,” Stiliadis said. “The fact that one container can somehow connect to another, however, doesn’t mean that that two containers are in fact authorized to talk to each other.”
The Trireme approach is different from network isolation, as it introduces authorization and authentication steps. The promise of Trireme, according to Stiliadis, is a transparent authentication and authorization layer that is easy for developers to use and doesn’t change the underlying applications.
The way Trireme works is it first associates an identity with an application or a particular service. That identity can be a Kubernetes label or Docker manifest information, as well as user-defined attributes. Stiliadis explained at the simplest level, a policy is created that defines when containers are able to connect to other containers as identified by a given attribute.
“When a container makes a request to connect to another container, Trireme grabs the attributes and signs them digitally,” he said. “We then attach that signature to the TCP SYN packet to essentially overlay a security process to the network connection.”
The second container validates the signature and the attributes against the policy to determine if a connection request will be granted, Stiliadis said. He emphasized that in the Trireme approach two container workloads will only be able to communicate with each other if they have the right identity and if the policy allows the connection to occur.
In Kubernetes, there are a number of security constructs already in place with the recent 1.4 milestone, and more capabilities are set to debut. Work is ongoing in the Kubernetes community for a technology called Pod Security Policy, which aims to protect users from running containers that are not secure. According to Stiliadis, the Trireme approach is somewhat different from the Pod Security Policy in that Trireme is an effort to enable end-to-end authorization.
The Trireme project is still in its early days, and there are other things that Stiliadis wants to do both in terms of open source and for his commercial company Aporeto.
“As a company we have a series of other things that we’re doing in order to build an actual product, but we’re not ready to announce the details yet,” he said.
As an open-source effort, Stiliadis however is encouraging developers to participate in the Trireme project. Additionally, he noted that he has already started to talk to the CNCF about the project and how it might fit in.
“There is a lot of room for community participation,” Stiliadis said. “We see Trireme as a way to start the conversation with the community about how to properly approach security for micro-services.”
Originally published on eWeek