Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Trireme Open-Source Security Project Debuts for Kubernetes, Docker

    By
    Sean Michael Kerner
    -
    November 1, 2016
    Share
    Facebook
    Twitter
    Linkedin
      cluster security

      Dimitri Stiliadis co-founded software-defined networking (SDN) vendor Nuage Networks in 2011 in a bid to help organizations improve agility and security via network isolation. In the container world, however, network isolation alone isn’t always enough to provide security, which is why Stiliadis founded Aporeto in August 2015. On Nov. 1, Aporeto announced its open-source Trireme project, providing a new security model for containers running in Docker or as part of a Kubernetes cluster.

      The name “Trireme” holds particular significance and is directly aligned with the naming of Kubernetes. In Greek, the word “Kubernetes” (“κυβερνήτης”) refers to the pilot of a ship.

      “Trireme is an ancient Greek attack boat that has three rows of rowers that is usually driven by a Kubernetes,” Stiliadis, who is CEO of Aporeto, told eWEEK.

      Kubernetes in the technology world is an open-source effort, originally created by Google and now operated under the auspices of the Linux Foundation’s Cloud Native Computing Foundation (CNCF), for container orchestration and management. The Trireme project is an attempt to build a new type of security system for Kubernetes and Docker that relies on authentication and authorization, rather than just network isolation.

      “With just a few thousand lines of code, we can do application segmentation irrespective of network infrastructure and without the use of a firewall or VLANs,” Stiliadis said.

      The basic challenge of application segmentation is providing the ability to restrict communications between one application and another if there is no proper policy in place that permits the communication. The overall goal of application segmentation is to reduce the potential attack surface as well as reduce the potential for collateral damage. If, for example, one application on a given host is compromised, it shouldn’t necessarily need to impact all the other applications on the same host or container cluster.

      With network segmentation approaches, the solution to application isolation is to make sure that applications are placed on different network segments that can’t connect to each other, Stiliadis said. In his view, the network isolation approach doesn’t scale easily and adds increased complexity.

      “The root fallacy in the network isolation approach to security is that network reachability means authorization,” Stiliadis said. “The fact that one container can somehow connect to another, however, doesn’t mean that that two containers are in fact authorized to talk to each other.”

      The Trireme approach is different from network isolation, as it introduces authorization and authentication steps. The promise of Trireme, according to Stiliadis, is a transparent authentication and authorization layer that is easy for developers to use and doesn’t change the underlying applications.

      The way Trireme works is it first associates an identity with an application or a particular service. That identity can be a Kubernetes label or Docker manifest information, as well as user-defined attributes. Stiliadis explained at the simplest level, a policy is created that defines when containers are able to connect to other containers as identified by a given attribute.

      “When a container makes a request to connect to another container, Trireme grabs the attributes and signs them digitally,” he said. “We then attach that signature to the TCP SYN packet to essentially overlay a security process to the network connection.”

      The second container validates the signature and the attributes against the policy to determine if a connection request will be granted, Stiliadis said. He emphasized that in the Trireme approach two container workloads will only be able to communicate with each other if they have the right identity and if the policy allows the connection to occur.

      In Kubernetes, there are a number of security constructs already in place with the recent 1.4 milestone, and more capabilities are set to debut. Work is ongoing in the Kubernetes community for a technology called Pod Security Policy, which aims to protect users from running containers that are not secure. According to Stiliadis, the Trireme approach is somewhat different from the Pod Security Policy in that Trireme is an effort to enable end-to-end authorization.

      The Trireme project is still in its early days, and there are other things that Stiliadis wants to do both in terms of open source and for his commercial company Aporeto.

      “As a company we have a series of other things that we’re doing in order to build an actual product, but we’re not ready to announce the details yet,” he said.

      As an open-source effort, Stiliadis however is encouraging developers to participate in the Trireme project. Additionally, he noted that he has already started to talk to the CNCF about the project and how it might fit in.

      “There is a lot of room for community participation,” Stiliadis said. “We see Trireme as a way to start the conversation with the community about how to properly approach security for micro-services.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×