Yesterday’s Firewalls are Today’s Permeable Membranes


Aporeto is taking a bold approach to revolutionize security

Data creation and data flow are exploding. Correspondingly, there has been no shortage of data breaches or funding in cybersecurity startups focused on protecting networks and data across the enterprise. Meanwhile, the cloud is offering new ways of connectivity and productivity. But a lot of companies are still approaching the new cloud landscape with legacy solutions and outdated approaches.


The results are disastrous.

Traditional security solutions are not meeting today’s needs. Many enterprises are left exposed as they Swiss cheese their firewalls to make the applications work.

Fortunately, companies like Aporeto are taking a bold approach to revolutionize security in today’s rapidly-changing cloud environments.

The trust landscape in the cloud-native era

Many organizations are adopting hybrid cloud infrastructures; in fact, cloud IT infrastructure revenues surpassed traditional IT infrastructure revenues for the first time in the third quarter of 2018, according to IDC. This transition is introducing new challenges to data communication protection. Traditional firewall and security companies are taking the legacy solutions that protect on-prem servers and repurposing them for traffic in the cloud. There’s a platform shift underway and, as with all other platform shifts, repurposing legacy solutions for new environments rarely works.

The challenge of securing public, private, and hybrid clouds is even more complex with the adoption of containers, serverless, and other cloud-native technologies. Traditional network security cannot keep up with today’s advanced threats and auto-reconfigured infrastructure.

Yesterday’s traditional firewall is today’s “permeable membrane”

Traditional firewalls used to work well in a closed environment, where data was self-contained within the four walls of the on-premises network. Today, you need to regulate the data traffic, determine what it is, and where it’s going in the cloud. Let’s take “east-west” traffic. In the networking context, this is data traffic from server to server within a company’s data center.¹ Some traditional security vendors are attempting to secure the cloud as if it were “east-west” traffic, but that’s taking a legacy solution and approach to a different environment. The result is something very clunky, labor-intensive, expensive and, well, neither efficient nor adequate for today’s needs.

As enterprises move to hybrid clouds with distributed workloads, it becomes essential to abstract security away from the infrastructure while retaining the capability of central visibility and management. (Source: Aporeto)

Businesses today have data going to and from the cloud, on-premises, and on different devices

With multiple ingress and egress points of traffic within an organization, data is moving all over the place. Multiple internal applications can sit across multiple servers across physical locations around the world and on different devices.

Static IP addresses do not work in cloud environments: Traditional firewalls provide protection using a table of IP addresses to verify apps and partners. In today’s hybrid-cloud environments, which are highly dynamic, geographically dispersed, and constantly changing, IP tables simply cannot keep up.

Enterprises themselves are “punching” holes in their firewalls by opening too many ports that allow more connections into the network. By allowing multiple traffic sources, these firewalls end up creating inherent risks. For example, instead of securing a few ports, there are now dozens of ports that need to be secured. Sometimes a port is opened up for a third party but doesn’t get closed when the relationship ends. And security maintenance can’t keep up.

Results of this Swiss cheese security? Increased vulnerability.

Hackers know these weaknesses and take advantage of the numerous holes/ports that have opened up. More weak points and gaps in the armor give hackers a large attack surface.

How Aporeto is recasting cloud and network security

Aporeto saw all these challenges and developed a scalable identity-based access control solution for microsegmentation in the cloud. Aporeto’s identity model uses cryptographic methods to fingerprint each workload and merges it with user identity as needed.

Simply defined, microsegmentation is the idea of segmenting workloads based on the access that they should have. This creates virtual trust zones across your data center and cloud deployments; and, in doing so, you can isolate workloads and protect them individually or as groups. Aporeto provides the ultimate segmentation for modern applications using cryptographic workload identity rather than IP addresses. This allows Aporeto to take a Zero Trust approach to security, where nothing is afforded access until it is verified through a cryptographic ID.

The cloud is changing network traffic with applications sitting on different servers in different locations at various times. This is where the traditional firewall crumbles and becomes a semi-permeable membrane. Aporeto protects applications across multi-cluster or multi-cloud environments — all powered by Aporeto’s application identity. Unique identities for each application resource allow Aporeto to automatically create protection policies — regardless of where the application is running. It’s security for a hybrid-cloud world.
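An added illustration, not Aporeto’s code: a minimal enforcement check in Python that authorizes a connection from signed workload attributes instead of addresses, re-verifying both identities on every request, with a static IP table alongside for contrast. The signing key, attribute names, policy and addresses are constructed for the demo, and an HMAC stands in for whatever certificate-based scheme a real product uses.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed demo key: stands in for the PKI or attestation an enforcement point
# would really use. Anything holding it can mint identities, so it is a secret.
SIGNING_KEY = b"constructed-demo-signing-key"

def issue_identity(attrs: Dict[str, str]) -> Dict[str, object]:
    """Bind a workload's attributes into a signed identity (its 'fingerprint')."""
    body = json.dumps(attrs, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"attrs": dict(attrs), "sig": sig}

def verify_identity(identity: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return the attributes only if the signature still matches them."""
    attrs, sig = identity.get("attrs"), identity.get("sig")
    if not isinstance(attrs, dict) or not isinstance(sig, str):
        return None
    body = json.dumps(attrs, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return attrs if hmac.compare_digest(expected, sig) else None

# Policy written over identity attributes; no IP address appears anywhere.
POLICY = [
    {"src": {"app": "orders", "env": "prod"},
     "dst": {"app": "payments", "env": "prod"}, "port": 443},
]

def _selects(selector: Dict[str, str], attrs: Dict[str, str]) -> bool:
    return all(attrs.get(k) == v for k, v in selector.items())

def authorize(src: Dict[str, object], dst: Dict[str, object], port: int) -> bool:
    """Zero Trust check: verify both identities on every request, then match policy."""
    s, d = verify_identity(src), verify_identity(dst)
    if s is None or d is None:
        return False  # unsigned or tampered identity: deny by default
    return any(_selects(r["src"], s) and _selects(r["dst"], d) and r["port"] == port
               for r in POLICY)

# Legacy comparison: a static IP table that must be edited whenever a workload moves.
IP_ALLOWLIST = {("10.0.1.7", "10.0.2.3", 443)}

def ip_table_allows(src_ip: str, dst_ip: str, port: int) -> bool:
    return (src_ip, dst_ip, port) in IP_ALLOWLIST
```

A workload rescheduled from 10.0.1.7 to a new address fails `ip_table_allows` but still passes `authorize`, while a workload that rewrites its own `env` label without re-signing is rejected by `verify_identity`.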

Aporeto’s stellar founding team

While Aporeto isn’t the only company to appreciate the need for a new approach to network application protection, their founding team is the only one with the unique combination of experience to execute on it. Their extensive networking experience is key. Co-founders Amir Sharif (VP Marketing and Business Development), Dimitri Stiliadis (CTO) and Satyam Sinha (VP Engineering) all have it. They come from a carrier telecommunications background, where they gained experience building networks that support massive concurrency, which is necessary to execute Aporeto’s Zero Trust solution, in which every single user and app is re-verified every time it needs access to something. Coupled with CEO Jason Schmitt’s experience and expertise in security, Aporeto has the right leadership team to tackle the new challenges facing cloud security.

Future horizons

Our team was fortunate enough to be able to lean on technologists at Comcast NBC Universal to prod, pressure test, and explore the capabilities of Aporeto’s technology. After a successful proof of concept and extensive due diligence, we decided to invest in their unique approach to identity-powered segmentation. We are excited to partner with Aporeto and look forward to their ongoing innovation transforming enterprise security.

[1] “North-south” traffic usually refers to external traffic, i.e., client-to-server traffic.

Yesterday’s Firewalls are Today’s Permeable Membranes was originally published in The Forecast on Medium.