Aporeto: Container Security Product Overview and Analysis

Fundamental to Aporeto's approach is the zero-trust premise that every component of an application should be treated as reachable by anyone and as potentially compromised at any moment. The company was founded in 2015 and is headquartered in San Jose, CA. It is led by CEO Jason Schmitt, formerly of HPE, with co-founders from Nuage, Cisco and VMware.


Aporeto uses application context to enforce authentication, authorization, and encryption policies for applications. With Aporeto, enterprises implement a uniform security policy decoupled from the underlying infrastructure, enabling workload isolation, API access control and application identity management across public, private or hybrid clouds.

The Aporeto product has two core components:

  • A SaaS security orchestrator for policy management and for visibility of application dependencies across a heterogeneous environment.
  • An enforcer that performs distributed policy enforcement. The enforcer can be deployed as an agent, a Kubernetes DaemonSet, a privileged container, a sidecar or a custom authorizer for API gateways.

Key Features

  1. Zero Trust policy enforcement for workload segmentation independent of infrastructure: Requests are authenticated and authorized both at L4 (TCP) and L7 (HTTP), between workloads or between a user and a workload. A workload can be a container, a process or a serverless function. Policy is defined centrally but enforced in a distributed manner. Enforcement works independently of IP addresses and applies to workloads on public or private clouds.
  2. Service Identity: Authenticating and authorizing a workload requires an identity for it. Aporeto assigns each workload (container or process) a cryptographically signed service identity that is independent of the IP infrastructure.
  3. Application visibility for compliance: Dependency maps across all applications protected by Aporeto, independent of the infrastructure on which each application is deployed.
  4. Runtime visibility: For containers, Aporeto offers runtime visibility of interactions between the container and the host, and enforcement of runtime policies.

Product Performance Metrics

Because policy is enforced on service identity rather than on IP addresses, the solution is designed to scale to tens of thousands of hosts. Performance overhead for Layer 4 enforcement is minimal: only TCP connection establishment passes through the enforcer. Once a connection has been mutually authenticated and authorized, the enforcer is no longer in the data path. This applies to L4 enforcement only; L7 (HTTP) authorization necessarily inspects each request.
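To make the identity-based model in the Key Features and the connection-setup check described above concrete, here is an added example (not Aporeto's own code, and not part of the original article). It models one enforcer decision: a workload presents labels signed by a hypothetical issuer key standing in for the orchestrator's CA, the destination-side enforcer verifies the signature, then evaluates a label selector policy. The peer's IP address is deliberately not an input, the policy is default deny, and a tampered identity fails before any policy is consulted. Label names, the policy and the issuer key are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Identity holds the labels that describe a workload (e.g. app=web, env=prod).
// Policy is written against these labels, never against IP addresses.
type Identity struct {
	Labels map[string]string `json:"labels"`
}

// SignedIdentity is the credential a workload presents when it opens a connection.
// Payload is JSON of Identity; Signature is made by the (hypothetical) issuer key.
type SignedIdentity struct {
	Payload   []byte
	Signature []byte
}

// Issue signs an identity. encoding/json sorts map keys, so the payload is canonical.
func Issue(issuer ed25519.PrivateKey, id Identity) (SignedIdentity, error) {
	payload, err := json.Marshal(id)
	if err != nil {
		return SignedIdentity{}, err
	}
	return SignedIdentity{Payload: payload, Signature: ed25519.Sign(issuer, payload)}, nil
}

// Verify checks the signature before any label is trusted. A self-asserted or
// tampered identity fails here and never reaches policy evaluation.
func Verify(issuerPub ed25519.PublicKey, si SignedIdentity) (Identity, error) {
	if !ed25519.Verify(issuerPub, si.Payload, si.Signature) {
		return Identity{}, errors.New("identity signature invalid")
	}
	var id Identity
	if err := json.Unmarshal(si.Payload, &id); err != nil {
		return Identity{}, err
	}
	return id, nil
}

// Selector matches an identity when every listed label is present with that value.
type Selector map[string]string

func (s Selector) Matches(id Identity) bool {
	for k, v := range s {
		if id.Labels[k] != v {
			return false
		}
	}
	return true
}

// Rule allows traffic from workloads matching Source to workloads matching Destination.
type Rule struct {
	Source, Destination Selector
}

// Policy is a list of allow rules; anything not explicitly allowed is denied.
type Policy []Rule

func (p Policy) Allows(src, dst Identity) bool {
	for _, r := range p {
		if r.Source.Matches(src) && r.Destination.Matches(dst) {
			return true
		}
	}
	return false
}

// Admit is the decision made once, at TCP connection setup, on the destination
// side. After a true result the enforcer would step out of the data path.
func Admit(issuerPub ed25519.PublicKey, policy Policy, peer SignedIdentity, local Identity) (bool, error) {
	src, err := Verify(issuerPub, peer)
	if err != nil {
		return false, err
	}
	return policy.Allows(src, local), nil
}

func main() {
	// Hypothetical issuer key pair, standing in for the orchestrator's CA.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{{Source: Selector{"app": "web", "env": "prod"}, Destination: Selector{"app": "db", "env": "prod"}}}
	db := Identity{Labels: map[string]string{"app": "db", "env": "prod"}}

	web, _ := Issue(priv, Identity{Labels: map[string]string{"app": "web", "env": "prod"}})
	fmt.Println(Admit(pub, policy, web, db)) // true <nil>

	staging, _ := Issue(priv, Identity{Labels: map[string]string{"app": "web", "env": "staging"}})
	fmt.Println(Admit(pub, policy, staging, db)) // false <nil>

	// Rewriting env=staging to env=prod in the payload breaks the signature.
	forged := staging
	forged.Payload = bytes.Replace(forged.Payload, []byte("staging"), []byte("prod"), 1)
	fmt.Println(Admit(pub, policy, forged, db)) // false identity signature invalid
}
```

The same `web` credential produces the same decision from any source address, which is the property that lets policy survive rescheduling, autoscaling and NAT; a real deployment would additionally bind the credential to a key the workload proves possession of during the handshake, and give it an expiry, neither of which this sketch models.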


Aporeto is delivered as a SaaS service, with options for custom deployments for regulated industries.

Pricing follows a subscription model.

Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.