Dimitri Stiliadis co-founded software-defined networking (SDN) vendor Nuage Networks in 2011 in a bid to help organizations improve agility and security via network isolation.
In the container world, however, network isolation alone isn’t always enough to provide security, which is why Stiliadis founded Aporeto in August 2015. On Nov. 1, Aporeto announced its open-source Trireme project, providing a new security model for containers running in Docker or as part of a Kubernetes cluster.
The name “Trireme” holds particular significance and is directly aligned with the naming of Kubernetes. In Greek, the word “Kubernetes” (“κυβερνήτης”) refers to the pilot of a ship.
“Trireme is an ancient Greek attack boat that has three rows of rowers that is usually driven by a Kubernetes,” Stiliadis, who is CEO of Aporeto, told eWEEK.
The Trireme project is an attempt to build a new type of security system for Kubernetes and Docker that relies on authentication and authorization, rather than just network isolation.
The basic challenge of application segmentation is providing the ability to restrict communications between one application and another if there is no proper policy in place that permits the communication. The overall goal of application segmentation is to reduce the potential attack surface as well as reduce the potential for collateral damage. If, for example, one application on a given host is compromised, it shouldn’t necessarily need to impact all the other applications on the same host or container cluster.
With network segmentation approaches, the solution to application isolation is to make sure that applications are placed on different network segments that can’t connect to each other, Stiliadis said. In his view, the network isolation approach doesn’t scale easily and adds increased complexity.
“The root fallacy in the network isolation approach to security is that network reachability means authorization,” Stiliadis said. “The fact that one container can somehow connect to another, however, doesn’t mean that that two containers are in fact authorized to talk to each other.”
The Trireme approach is different from network isolation, as it introduces authorization and authentication steps. The promise of Trireme, according to Stiliadis, is a transparent authentication and authorization layer that is easy for developers to use and doesn’t change the underlying applications.
The way Trireme works is it first associates an identity with an application or a particular service. That identity can be a Kubernetes label or Docker manifest information, as well as user-defined attributes. Stiliadis explained at the simplest level, a policy is created that defines when containers are able to connect to other containers as identified by a given attribute.
The second container validates the signature and the attributes against the policy to determine if a connection request will be granted, Stiliadis said. He emphasized that in the Trireme approach two container workloads will only be able to communicate with each other if they have the right identity and if the policy allows the connection to occur.
In Kubernetes, there are a number of security constructs already in place with the recent 1.4 milestone, and more capabilities are set to debut. Work is ongoing in the Kubernetes community for a technology called Pod Security Policy, which aims to protect users from running containers that are not secure. According to Stiliadis, the Trireme approach is somewhat different from the Pod Security Policy in that Trireme is an effort to enable end-to-end authorization.
The Trireme project is still in its early days, and there are other things that Stiliadis wants to do both in terms of open source and for his commercial company Aporeto.
“As a company we have a series of other things that we’re doing in order to build an actual product, but we’re not ready to announce the details yet,” he said.
As an open-source effort, Stiliadis however is encouraging developers to participate in the Trireme project. Additionally, he noted that he has already started to talk to the CNCF about the project and how it might fit in.
“There is a lot of room for community participation,” Stiliadis said. “We see Trireme as a way to start the conversation with the community about how to properly approach security for micro-services.”
Originally published on eWeek
European Parliament votes to adopt Digital Markets Act and Digital Services Act, but campaigners warn…
Indian economic crime agency Enforcement Directorate raids dozens of locations across India belonging to China's…