Aporeto Integration Brings Identity-Based Microsegmentation to Prisma Cloud

Oct 13, 2020


In December of 2019 Palo Alto Networks acquired Aporeto, a startup with an innovative approach to reducing the threat of lateral attacks using identity-based microsegmentation. Since that acquisition, our teams have been hard at work integrating the technology into Prisma Cloud. With the latest release, the technology will be available as a new module called Identity-Based Microsegmentation.

The Aporeto integration into Prisma Cloud gives our customers a Cloud Native Security Platform that offers the most comprehensive security for any application across any public cloud.


Why Microsegmentation is Important

Enterprises have shifted their cybersecurity methodology to ask when a breach will happen instead of whether one will occur. When there is a breach, the best option is to contain the blast radius: prevent lateral spread and keep the attacker from reaching a high-value asset. With the rise in cloud adoption and the move to dynamic, cloud native infrastructure, containing these lateral attacks is more challenging than ever.

As an example, here are two attack scenarios: 

  1. A compromised web application in your cloud environment is in a virtual private cloud (VPC) that also has connectivity back into your private data center. If the attacker has network reachability within that VPC, and potentially back into your private data center, the blast radius of such an attack is fairly large.
  2. A compromised web application or container inside a Kubernetes cluster may give an attacker the ability to move laterally within a node, across nodes between namespaces, or potentially across Kubernetes clusters.

Microsegmenting your application infrastructure at scale, across any cloud, with a Zero Trust methodology – that is, assuming the network is always compromised – is the best approach to preventing lateral attacks. And it is the approach we are moving toward as an industry. Thanks to the Aporeto integration, we offer a novel approach to microsegmentation that is decoupled from the underlying network infrastructure: Identity-Based Microsegmentation.


Why Identity-Based Microsegmentation  

Network segmentation technologies have traditionally relied on the IP address as the identifier. This approach worked when infrastructure was static and managed by a networking team. Reliance on public cloud and the shift towards elastic and immutable cloud native infrastructure break IP-based policies – and the status quo network security operations workflows built around them.


Illustrating Identity-Based Microsegmentation architecture


How It Works

Identity-Based Microsegmentation in Prisma Cloud is based on four principles:

  1. Decouple security from the network by assigning every workload a cryptographic identity. This identity becomes the perimeter, as opposed to an IP address.
  2. Discover and learn application communication, both inside and across clouds. Prisma Cloud then maps this information in real time to workload identity context, not IP and port.
  3. Distribute policies to endpoints but manage them centrally. Policies can be auto-generated for you, or you may choose a more declarative approach to defining and testing segmentation policies without impacting runtime.
  4. Authenticate, then authorize, each connection request using distributed, identity-based enforcement – thus segmenting the applications.


User Benefits

With Prisma Cloud Identity-Based Microsegmentation, network and cloud security teams can address the needs of dynamic cloud native applications:

  • Reduction in total number of rules: Prisma Cloud utilizes an allow-list approach combined with identity. The use of an identity reduces the overall number of rules needed for policy enforcement. As applications scale up or down, other workloads do not need policy updates.
  • Purpose-built microsegmentation for multi-cloud and hybrid-cloud environments: East-west traffic segmentation between workloads in heterogeneous environments traversing multiple IP domains is no longer an issue, since IP reachability no longer implies application access.
  • End-to-end visibility into application dependencies: Visibility into applications across any cloud is now possible because the common workload identifier is abstracted from the infrastructure.
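The "authenticate, then authorize" principle and the rule-count benefit above can be made concrete with a small policy-evaluation model. The following Python is an added example written for this post, not Prisma Cloud or Aporeto code: a hypothetical control plane issues each workload a signed identity document (an HMAC over its attribute claims stands in for the real cryptographic identity), the enforcement point first verifies that document and only then checks a default-deny allow-list written against identity attributes rather than addresses. It also counts how many rules an IP-based allow-list would need for the same traffic, to show why replicas do not require policy updates. All workloads, claims, addresses and the signing key are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key: stands in for the per-workload credential a control plane
# would issue. A real deployment uses per-workload certificates, not a shared secret.
CONTROL_PLANE_KEY = b"demo-control-plane-key-not-for-production"


def issue_identity(claims: dict) -> dict:
    """Control plane issues a signed identity document for a workload (HMAC stands in for a cert)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(CONTROL_PLANE_KEY, payload, hashlib.sha256).hexdigest()
    return {"claims": dict(claims), "sig": sig}


def authenticate(identity: dict):
    """Step 4a: verify the identity document; returns the claims, or None if forged or tampered."""
    payload = json.dumps(identity.get("claims", {}), sort_keys=True).encode()
    expected = hmac.new(CONTROL_PLANE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, identity.get("sig", "")):
        return None
    return identity["claims"]


@dataclass(frozen=True)
class Rule:
    """An allow-list rule expressed as selectors over identity attributes, not IP addresses."""
    src: dict
    dst: dict
    port: int


def selector_matches(selector: dict, claims: dict) -> bool:
    """Every attribute in the selector must be present in the claims with the same value."""
    return all(claims.get(key) == value for key, value in selector.items())


def authorize(rules, src_claims: dict, dst_claims: dict, port: int) -> bool:
    """Step 4b: default deny; allow only if some rule matches both identities and the port."""
    return any(
        selector_matches(rule.src, src_claims)
        and selector_matches(rule.dst, dst_claims)
        and rule.port == port
        for rule in rules
    )


def enforce(rules, src_identity: dict, dst_identity: dict, port: int) -> str:
    """Distributed enforcement point: authenticate both ends, then authorize the connection."""
    src_claims = authenticate(src_identity)
    dst_claims = authenticate(dst_identity)
    if src_claims is None or dst_claims is None:
        return "deny: authentication failed"
    if authorize(rules, src_claims, dst_claims, port):
        return "allow"
    return "deny: no matching rule"


def ip_rule_count(src_ips, dst_ips) -> int:
    """IP allow-list equivalent: one rule per (source, destination) pair, growing with every replica."""
    return len(src_ips) * len(dst_ips)


# Constructed policy: a single identity rule covers every prod web replica talking to every prod db.
POLICY = [Rule(src={"app": "web", "env": "prod"}, dst={"app": "db", "env": "prod"}, port=5432)]

WEB = issue_identity({"app": "web", "env": "prod"})
DB = issue_identity({"app": "db", "env": "prod"})


def demo() -> dict:
    """Evaluate a few connection requests against POLICY and return the decisions."""
    results = {
        "web_to_db_5432": enforce(POLICY, WEB, DB, 5432),
        "web_to_db_22": enforce(POLICY, WEB, DB, 22),
        "db_to_web_5432": enforce(POLICY, DB, WEB, 5432),
    }
    # A compromised workload that rewrites its own claims keeps the old signature, so it
    # fails authentication before any rule is consulted.
    forged = {"claims": {"app": "db", "env": "prod"}, "sig": WEB["sig"]}
    results["forged_identity"] = enforce(POLICY, forged, DB, 5432)
    # Scaling comparison: three web replicas and two db replicas (constructed addresses).
    results["ip_rules"] = ip_rule_count(["10.0.1.1", "10.0.1.2", "10.0.1.3"], ["10.0.2.1", "10.0.2.2"])
    results["identity_rules"] = len(POLICY)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the model is the ordering: the enforcement point never consults a rule until both identities verify, so a workload that tampers with its own claims is refused before authorization runs, and because the rule is a selector over attributes, a fourth web replica is covered by the existing rule with no policy change, whereas the IP-based allow-list would need two more entries.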


Managing Identity-Based Microsegmentation in Prisma Cloud.


Request Access to The Live Preview of Identity-Based Microsegmentation

Over the coming weeks, Identity-Based Microsegmentation will be available in Prisma Cloud Enterprise Edition as a live preview. You can get more details about this module through our product page or download our latest eBook.

In addition to the Aporeto integration, you can learn about all of the enhancements in this latest release during our upcoming digital fireside chat on October 20. Palo Alto Networks product leadership and other industry experts will discuss trends in cloud native security as well as our overall product vision – register here.
