Apprenda 6.5 Toughens Security for the Most Demanding Organizations


By Atos Apprenda Support

The largest companies in the world demand ever-increasing security requirements to protect their data centers from unlawful attacks. Apprenda has always made security a top priority, and our customizable, on-premise solution is able to meet the regulations and standards of the Global 2000.

But in our latest release, Apprenda 6.5, we pulled out all the stops to make security a key differentiator in the enterprise Platform as a Service (PaaS) market.

In a recent post at The New Stack, Apprenda co-founder and Global Client CTO Matt Ammerman outlined the pillars of cloud native security. Version 6.5 incorporates these three tenets of enterprise PaaS security:

  • Limit Platform Attack Vectors: Whether malicious behavior is internal or external in origin, the platform is shared and attacks should be isolated by default and easy to lock down.
  • Implement Standards: Application design does not end at the last line of code, and platforms need to take on the role of ensuring standards for security, patching, licensing, and compliance.
  • Leverage Existing Operations: Large organizations have designed role specification and expertise over the years to ensure, among other things, compliance and security. The news continues to suggest that perhaps developers are not always great database administrators. In addition, operations continuously invest in best-of-breed tools to enhance security. Cloud platforms need to integrate and use those features.

Apprenda development continues to be driven by customer requests around their existing and continuous investments in key technologies and in delivering the security, compliance, and operational fit they need for mission-critical workloads.

The Apprenda platform has always delivered innovative cloud features tailored for a customer’s infrastructure and application investment decisions. Apprenda 6.5 continues this tradition as the only cloud platform built to allow the Global 2000 to define their own security policies (instead of ours) with an array of new features.

These new platform investments and features in Apprenda 6.5 include:

• TLS Encryption of Internal Platform Traffic: Application traffic needs to be secure in highly regulated industries. Apprenda already encrypts traffic from external users to the platform (i.e., external traffic). With Apprenda 6.5, operators can deploy the platform in a highly secure environment where all application traffic is encrypted by default. On top of internal application traffic encryption, enterprise security also has the ability to encrypt both data-in-transit and data-at-rest for platform file servers and databases to create a hardened PaaS environment.

• Auditing and Compliance Checks: While logs and audits are not something that come up before an organization adopts enterprise PaaS, they are highly requested features once PaaS is implemented. In 2015, Apprenda counted some of the largest audit firms among its customers who, of course, have implemented world-class auditing standards for IT that we have now incorporated into our platform. In Apprenda 6.5, auditing is available for both developer and operator actions in a separate, read-only database for operators. Platform auditors can now view records that include (but are not limited to) user changes, user actions, authentication, log overrides, password changes, and account updates. Add-ons include all the relevant details to identify the user account that performed the operation, the time of the operation, and the resource that was modified.

• Oracle 12c Support: Data persistence is crucial for container-based orchestration, and Apprenda has always treated the data tier as a first-class citizen. Most Apprenda customers keep their mission-critical data in products from leading vendors in the RDBMS space like Oracle. With Apprenda 6.5, guest applications can now leverage Oracle 12c through the Apprenda platform’s storage infrastructure. Oracle pluggable databases (PDBs) provide the logical and physical partitioning for multi-tenancy. In addition, platform operators and database administrators in central IT have the option to move Oracle 12c data partitions off platform.

• Red Hat Enterprise Linux 7 (RHEL 7) and CentOS 7 Support: Red Hat’s market share for enterprise distributions of Linux is between 65% and 80%. Beyond existing and new investments, the Global 2000 has honed processes in their Trusted Computing Base (TCB) over the years. Apprenda has added support for the newest of Red Hat’s operating systems (taking advantage of new improvements in OS security) as our customers have started to move from testing to implementing these versions. No organization should introduce security risks by adopting a vendor-dictated platform stack (or software appliance) that uses an unsanctioned operating system.

• Support for Custom Versions of Tomcat and JBoss: Similar to the operating system, organizations have already developed methods and invested money in testing, modifying, and taking other measures to make their Java application servers part of the trusted computing base. Further, application servers are one part of a connected ecosystem of middleware that is implemented in the data center. Apprenda has always aimed to support the widest breadth of application servers, including JBoss and Tomcat. Now Apprenda 6.5 supports custom versions of Tomcat and JBoss so enterprises can define their own sanctioned standards and versions for app server security and use them for hosting mission-critical workloads without developers having to change a single line of code.

• Cisco Application Centric Infrastructure (ACI) Integration: In order to deliver a PaaS that falls under ITAR, EAR, HIPAA, SSAE16, and other compliance types to our customers, Apprenda needed to adopt the best network security solution for cloud applications and microservices. Cisco ACI allows developers to provision applications to the Apprenda platform in a locked-down zero trust model. As the applications need more resources, the network compensates. Policy controls are granular enough to handle all egress and ingress traffic among app tiers. Network engineers should not have to be versed in the application deployments and placement, and enterprise developers should not come anywhere close to configuring a VLAN. Apprenda’s integration with Cisco ACI delivers on the promise of the digital enterprise by allowing developers to consume the leader in software-defined networking (SDN) solutions while also giving network engineers the control they need, delivering an IT stack-wide solution for control and compliance enablement.

• Cisco Metapod Integration (OpenStack): According to Gartner, organizations have two modes of IT. Mode 2 is distinguished by its customer focus and agility in delivering IT solutions. The additive product approach to traditional virtualization has become overwhelming (and expensive) for those trying to build new infrastructure clouds in their data centers. Metapod provides a managed OpenStack layer that gives Apprenda programmable infrastructure that it can use to stand up new services (e.g. NoSQL) or auto-scale the Apprenda grid.

• Enhanced JMX Support for Java Applications: To monitor elastic workloads in JMX, a platform needs to keep track of dynamic connections to new, sometimes temporary, instances. Apprenda has added JMX subscriptions to allow developers to define the KPIs they are interested in monitoring and how often they want Apprenda to retrieve them. This allows JMX trees to capture granular data for the application, even as the number of instances scales up and down. The JMX subscriptions are highly available and can be used with tools like JConsole. Through the use of securables, Apprenda can even control which developers have the ability to enable JMX monitoring for an application component. In this use case, securables allow operators to dictate which developers can access specific functions like defining JMX subscriptions and viewing KPI data coming from the JMX client.

• Reserved/Maintenance Mode State for Apprenda Nodes/Servers: Apprenda nodes/servers can be placed in a “reserved” or “maintenance” state. This functionality allows platform operators greater control over automatic workload deployment, especially when adding nodes/servers to or removing nodes/servers from the platform. The differences between each state, and how they can aid in your PaaS security plan, are described here:

  • Reserved Mode: An operator can remove the node from future deployment strategies, which means it will not be considered a valid target when your platform is deploying new workloads. Operators will have the ability to move workloads from a reserved server, which could be helpful during an attack scenario when enterprise security wants to quarantine the intrusion activity without affecting production workloads.
  • Maintenance Mode: In this state, the platform redistributes its workloads to other acceptable servers and will remove the server from deployment strategies. The node will have no workloads hosted on it (new or old), which gives operations the ability to perform maintenance on the node as they see fit. This is helpful for both routine and immediate software security patches applied to the node.

These features make Apprenda 6.5 the most compatible enterprise PaaS on the market and the one the Global 2000 can count on to play a significant role in securing their data centers.

Questions about 6.5? Let us know in the comments below or send us a note on our contact page. And if you're interested in seeing Apprenda in action, please register for our next open demo on February 3rd.



