A Connector for
App Workloads Anywhere

Worried about a large attack surface? Or a high risk of insider threats? Or complexity with Kubernetes? Or complicated identity federation? Or rising cloud services costs?
You can reduce all of these with a simple, cloud native, connector.
Here’s the simple version of how it works:
Artistic graphic of a flying red dart towing a red and gray bullseye target through the clouds
Hopr Connect explain it like I'm five graphic 1
Hopr Connect explain it like I'm five graphic 2
Hopr Connect explain it like I'm five graphic 3
Hopr Connect explain it like I'm five graphic 4
Hopr Connect explain it like I'm five graphic 5
Hopr Connect explain it like I'm five graphic 6
Hopr Connect explain it like I'm five graphic 7
Hopr Connect explain it like I'm five graphic 8
Hopr Connect explain it like I'm five graphic 9
Hopr Connect explain it like I'm five graphic 10
Hopr Connect explain it like I'm five graphic 11

You can protect your workloads with a simple connector.
Ours has superpowers!

Abstract icon of a workload in a rotating circle with a star and checkmark

Decentralized Machine Identity

  • Each WoSP contains it’s  own “cert-free” identity  manager.
  • Dependencies on external IAM services are eliminated.
  • Endpoint identities are verified at each connection.
hidden in plain sight

Codes Hidden In Plain Sight (CHIPS™) Technology

  • Builds identical secrets at two endpoints anywhere on the internet.
  • Secrets are ephemeral and built on-demand for each connection.
graphic icon for Synchronous Ephemeral Encryption

Synchronous Ephemeral Encryption (SEE™)

  • A protocol that builds comprehensive end-to-end encrypted channels.
  • No key exchange occurs.
  • Trusted ingress messages pass message decryption.
Graphic icon of workload credential rotation

High Frequency Rotation

  • Workload identity and ephemeral key rotate frequently.
  • Keys vanish after connection ends.
  • Workload access credentials are an automated moving target.

"Hopr has a timely solution that is well-positioned for a long run."

Global IAM Research Analyst

"This is awesome"

DevOps Engineer

"There is nothing like this in the entire world"

CISO, Global Data Services Provider

"This is very clever. Just what industry needs."

VP Healthcare Analyst, Global IT Research Firm

Hopr Connect makes
High-trust, Ultra-secure,
On-demand Connections Between Workloads
Anywhere

Abstract graphic of two workload sharing data securely with Hopr WoSPs and an AMTD
Workload Security Proxies (WoSPs) operate as "sidecars"
with each Workload
Abstract graphic icon of a containerized workload with rotating credentials.
Abstract graphic of a workload with a green certificate emblem
Verify identity trust
Initial trust of a workload identity occurs at deployment of a Hopr “sidecar” with it's host workload and the identity is verified at each communication session.
hidden in plain sight
Sidecars build their secrets
CHIPS™ technology enables two sidecars to build identical symmetric keys whenever a new communication session begins. Secrets remain in the sidecar.
icon image of a padlock with code symbols
Complete end-to-end encryption without a key exchange
Hopr's SEE™ protocol builds end-to-end encrypted communication channels without a key exchange. Only trusted messages reach their endpoints.
Abstract graphic icon of a workload   connected to Hopr algorithm
Automated High Frequency Credential Rotation
Workload identities and secrets rotate automatically at a high frequency to prevent discovery, theft, and misuse for a cloud native automated moving target defense (AMTD).
abstract graphic of a workload deflecting two attacks
Discard untrusted messages
All messages that fail decryption on arrival at a sidecar are immediately logged and discarded. They never reach the intended endpoint.
abstract graphic of three interconnected workloads
Workload Identity Chain of Trust
Workload identities develop an immutable chain of trust based on their history of communication sessions with other workloads.

Lightweight WoSP Components

Identity Manager

A Hopr WoSP receives an initial Machine Alias ID (MAID) credential at deployment, and then manages and rotates the credential frequently based on the host workload’s communication sessions.

Secrets Manager

Secrets are built 'on demand' from one or more CHIPS™ algorithms. The same algorithm in each WoSP runs at the start of a communication session and generates identical secrets at each  workload.
A graphic illustration of the fived components that are used in a Hopr WoSP

See the WoSP in operation

Click the image at left to watch a 3:36 (min:sec) recorded demo of Hopr WoSPs protecting workload endpoints, end-to-end encrypting messages, and refusing access from untrusted connections.
Learn How It Works

Connecting across environments can be simple

Connecting applications and services across different container environments is often complicated by a series of configuration, errors, and testing that add cost and increases cyber risk. Hopr eliminates the complexity, lowers costs, and reduces risk with a simple lightweight proxy container image that is easily deployed by DevOps.
API Threat Protection Icon
01
Get Hopr WoSPs

Register with Hopr to receive access to our WoSP container repo, license, and key. Complete self-serve onboarding through the Hopr Help Center (yes it’s that simple!).

An average DevOps can complete this step in a less than a day

motorcycle with sidecar
02
Edit a YAML file

We provide DevOps with YAML templates and instructions to get started. DevOps edit a handful of configuration values.

They select a specific CHIPS™ algorithm to achieve identical secrets generation with other trusted workloads.

app with sidecar
03
Deploy to production

The YAML is run in the CD pipeline and a WoSP is pulled, configured, and deployed with a host workload.

Some simple tests verify proper operation before live operation begins.

Once live, all capabilities of Hopr Connect are immediately effective.

app with sidecar tested
04
Monitor operations

Hopr provides a dashboard for information on WoSP-workload activity and connections.

WoSP logs of failed connections from untrusted sources are also available to customers within their network.

Cloud Native AMTD Advantages

Alternate to British "Keep Calm and Carry On" poster. Keep Calm and Automate Security
Ultra-secure communications
Symmetric keys remain within WoSPs where they are built. They are never exposed to theft of misuse in a key exchange.
Increase cost and IT efficiency
Decentralized identity and secrets management reduces cost of centralized IAM services and reduces cost of application security engineering.
Strong workload endpoint protection
The SEE™ protocol ensures only trusted messages reach endpoints, MITM attacks are prevented, and untrusted connections are rejected.
High-trust workload connections
Workload identity trust is verified at each connection by confirming the rotating identity and secret.
Protects the business ecosystem
Hopr Connect works with public-facing endpoints to connect to third parties using a "Kerberos for the cloud" protocol.
Protection across all environments
Protects endpoints across all container and VM environments without federating complex external IAM services.
Graphic icon of two connected containerized workloads

Try Our Tech

We offer a FREE plan so that you can use Hopr Connect to evaluate it for your use case with no time limit. Deploy Hopr WoSPs with your containerized apps and perform up to 5,000 communication sessions per month at no charge.

Onboarding is self-serve and WoSP config and deployment is a simple DevOps process.

Technical FAQ

What synchronizes key generation to ensure identical secrets are produced?

Synchronous Ephemeral Encryption (SEE™) is a patented protocol that is self-synchronizes connections between endpoints. Synchronization occurs at the start of a connection without a key exchange.

What happens when identical WoSPs do not build identical secrets?

Without successful decryption, a received message will fail. This could happen due to timing differences in credential rotation. If this occurs with a trusted workload, then we re-build the secret and re-send the message.

Is the CHIPS™ algorithm in a WoSP safe?

The "CHIPS™ algorithm" is highly variable and unique. Algorithms in a WoSP can number in the hundreds-of-thousands. It is unlikely that threat actors will guess or find your particular algorithm within the library of very large number of algorithms.

At what layer of the network stack is encryption performed?

Hopr Connect can be configured to encrypt data at either layer 4 or layer 7 of the OSI network stack. Layer 4 supports network load balancers (NLB) and layer 7 supports application load balancers (ALB). Both WoSPs in a connection must use the same layer for encryption.

How does SEE™ differ from mTLS?

SEE™ builds comprehensive end-to-end encrypted connections over the entire route between trusted workloads.

mTLS is not supported everywhere in the cloud an may terminate at "identity domain boundaries" between workloads where PKI certificates lose their acceptance and trust.
‍
mTLS in the cloud also relies on automated PKI certificates which lack verification of workload trust when issued. And each certificate issued is an entirely new identity.

Does the CHIPS algorithm provide enough dynamism in the seed for the key?

There is a significant amount of dynamism (variability) in the seed elements used in CHIPS algorithms. It begins with a vast number of URLs where dynamic information can be found, and increases with the many possible locations at an URL.

It increases further because algorithms have many possible structures to alter or modify the dynamic elements. This includes nearly two-dozen variables, each of which has many possible values.

Is the encryption used in Hopr Connect quantum safe?

Yes, symmetric encryption (used by Hopr Connect) is expected to be quantum safe for about a decade after quantum computing breaks asymmetric encryption. Hopr Connect uses a FIPS 140-2 and -3 cryptographic library. AES256 and is quantum resistant. An additional degree of quantum resistance is provided by the short lifetime of SEE™ keys, bringing it closer to being quantum safe.

How much overhead does Hopr Connect add to the operation of Client-Server API calls?

The overhead added occurs only when connections begin. Hopr Connect adds 2 messages to the overall message count for each workload.

If two workloads were to interact in a session of 100 API calls and responses, then the additional overhead for the security provided by Hopr Connect would be 4%.

Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al.., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.