A fundamental tenet for Volterra’s application security offering is Zero Trust, which requires a verifiable identity for every application managed.
Today an application is typically identified by an IP address and port, or by a DNS name. Neither lets a peer verify that the application is what it claims to be: an address can be reassigned or spoofed, and a DNS name only resolves to an address. IP address-based identity is also not global across heterogeneous locations such as private/public cloud and edge sites. In a microservices world, an application may restart, or a new replica may be created in a different location, with a completely different IP address. On the server side, a database accepts a connection from any client that presents the right username/password; it cannot accept a connection from one application and reject another, because it cannot identify the source of the connection, i.e., it has no identity for the application. To work around this, enterprises maintain large IP address allow-lists that tell the database which source addresses to accept. Managing those lists by hand does not scale when thousands of applications deployed on the edge connect back to centralized databases, and the operational model for tracking changing IP addresses becomes complex and brittle at that scale.
Volterra’s solution is an X.509 certificate-based identity tied to the application’s service name and application attributes. The identity is issued by Volterra’s Identity Authority, a certificate authority provided as a service as part of the VoltStack Application Identity service. Every application instance launched receives its own certificate, so a peer can verify the identity cryptographically: the certificate chains to the Identity Authority, and the instance proves possession of the matching private key when it connects. Because the identity is decoupled from environment parameters such as IP address and port, it remains globally unique and stays valid when an instance moves between locations.
The benefit of application identity to enterprises is the ability to define intent-aware application policies that apply universally across deployment environments, e.g., an app of type X is prohibited from communicating with an app of type Y. Such a policy applies across public/private, network and edge clouds, with no large IP address list to maintain per deployment environment. The VoltStack Application Identity service manages the life-cycle of each application instance’s X.509 identity and rotates certificates automatically according to the CISO’s policies, which reduces the burden on operations teams and eliminates the human errors of manual management.
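The two paragraphs above describe a mechanism: an identity authority issues a per-instance certificate that names the service rather than its address, a server trusts that name only after verifying the chain, and policy is written against identities. The following Go program is an added example of that mechanism and is not code from the original page or from Volterra; it uses only the standard library. The `app://identity.example/...` URI form for the identity SAN, the namespace attribute, the authority’s name, the one-hour TTL and the `orders-db`/`billing` service names are assumptions made for illustration, not Volterra’s formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// IdentityAuthority is a toy CA standing in for the identity-authority role (example code, not Volterra's).
type IdentityAuthority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// newCert mints a fresh P-256 key, gives tmpl a random 128-bit serial and signs it
// under parent with signerKey; a nil parent means self-signed with the fresh key.
func newCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewIdentityAuthority creates a self-signed CA whose only job is signing instance certificates.
func NewIdentityAuthority() (*IdentityAuthority, error) {
	now := time.Now()
	cert, key, err := newCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "example-identity-authority"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &IdentityAuthority{cert: cert, key: key, pool: pool}, nil
}

// IdentityURI names a workload by service name plus attributes (here a namespace). Scheme and
// layout are assumptions for this example; the point is that no IP address or port appears.
func IdentityURI(namespace, service string) *url.URL {
	return &url.URL{Scheme: "app", Host: "identity.example", Path: "/ns/" + namespace + "/svc/" + service}
}

// IssueInstanceCert mints a key and a short-lived certificate for one application instance;
// a short ttl plus automatic re-issue before expiry is what rotation means in practice.
func (ia *IdentityAuthority) IssueInstanceCert(namespace, service string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: service},
		URIs:        []*url.URL{IdentityURI(namespace, service)},
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ia.cert, ia.key)
}

// VerifiedIdentity is the server-side check: chain the peer certificate to this authority,
// enforce validity at time at, and only then trust the name carried in the SAN.
func (ia *IdentityAuthority) VerifiedIdentity(peer *x509.Certificate, at time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: ia.pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return "", err
	}
	if len(peer.URIs) != 1 {
		return "", errors.New("expected exactly one identity URI SAN")
	}
	return peer.URIs[0].String(), nil
}

// Authorize applies an intent-aware policy keyed on verified identities, never on addresses;
// a missing source or destination entry reads as false, so the default is deny.
func Authorize(policy map[string]map[string]bool, src, dst string) bool {
	return policy[src][dst]
}
```

Two failure modes are worth exercising against this code: a certificate issued by a second, untrusted authority that carries the same identity URI is rejected by `VerifiedIdentity`, which is why the name in a certificate means nothing until the chain is checked, and the instance’s own certificate is rejected once its TTL has passed, which is why rotation has to re-issue before expiry. In a real deployment the authority’s root certificate would be distributed to every workload and the peer certificate would arrive over mutual TLS, which also supplies the proof of private-key possession that this example does not model.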
The process for generating an X.509 certificate for an application is described next.
The application’s identity is used for several purposes: