Hopr named in the 2023 Gartner® Emerging Tech: Security - The Future of Cyber Is AMTD report

Kerberos For The Cloud (K4C)

K4C provides AMTD threat protection for public-facing workloads and API endpoints that interact with external organizations.


“The Kerberos security pattern is well-proven. What Hopr has developed is a novel implementation of Kerberos that will enhance protection of cloud workloads.”

Senior Director, Global Technology Analyst

Hopr is a Trusted Session Broker

Secure East-West and North-South traffic with a zero trust automated moving-target defense

AMTD built for public-facing workloads
K4C extends the AMTD used in XTRA with a proven Kerberos security pattern for session trust verification by Hopr.
Reduce cyber risk from external sources
Over 90% of API attacks occur on public-facing APIs. K4C disrupts a threat actor's attack plans.
External enterprises register with Hopr
Third parties, such as suppliers, register with Hopr, then receive and configure their own K4C sidecars to connect with your public-facing enterprise workloads.
Trust Verification at every session
Hopr separately verifies trust in workloads of two organizations before providing a session key to enable their encrypted tunnel.
Securely transact with external organizations
The security provided by K4C is comprehensive when all third parties are involved in building verifiable zero trust connections.
Simple, low-friction DevOps deployment
K4C is easy to deploy with a “low code”, DevOps-friendly YAML configuration in the CI/CD pipeline.

Four easy steps to prevent attacks on public APIs

External partners, suppliers, and other "third parties" may lack the security disciplines needed to protect your business. Requiring them to use K4C protects them and you, without imposing higher costs or requiring code changes.
01
Register with Hopr

Have your suppliers and other external partners register with Hopr and deploy Hopr K4C sidecars with their workloads. This is necessary to connect with your organization’s workloads using K4C.

02
Edit a YAML file

Make sure K4C is enabled in your Hopr license. DevOps teams deploy K4C sidecars the same way as XTRA sidecars. Edit a YAML file to select a specific CHIPS algorithm and configure any other Envoy proxy settings.

03
Deploy the sidecar and workload

Run the YAML file to pull the K4C-enabled sidecar from Hopr’s container repository and deploy it in the same infrastructure pod with its host workload.

04
Test and go live!

Once deployed, the K4C sidecar begins protecting your public-facing workload API endpoint and its messages/data immediately. A new hardened tunnel is built with trusted external workloads at every session.

K4C Extends XTRA to Work with Public-facing Workload and API Endpoints

Extends XTRA for public-facing workloads
K4C is built on XTRA and extends its use to untrusted external workloads via the Kerberos security pattern.
Separate organizations register to use K4C
K4C is separately configured and deployed by different organizations for their public-facing workloads.
Prevents untrusted public connections
Without Hopr trust verification, untrusted external workloads are prevented from connecting to public-facing API endpoints.
End-to-end encryption
Separate hardened tunnels to Hopr are built without a key exchange and used to verify identity trust in each public-facing workload before they receive their session key.
Automated rotation
K4C incorporates CHIPS to automate the high-frequency rotation of workload credentials for both enterprise and third-party workloads that need to communicate.
Simple and future-proof
Like XTRA, K4C does not rely on PKI. This eliminates the complexity and cost of multiple cloud services for both enterprise and third-party workloads.

Kerberos for the Cloud FAQ

Why do my suppliers and external partners need to register with Hopr?

To have verifiable trust, your partners must have a K4C sidecar with their own configured CHIPS algorithm. For security reasons, algorithms are not shared outside your enterprise.

Can K4C work if the third-party workloads operate in cloud environments that are different from the ones an enterprise uses?

Yes. K4C can broker trust and establish workload sessions in any cloud environment, and client and server workloads do not have to be in the same environment.

Does K4C meet zero trust principles?

Of NIST’s seven Zero Trust principles, K4C meets six of them. The principle that is not met (by choice) is “monitoring.” Due to our desire to lower customer cyber risk, none of our code touches customer data.

How is K4C different from XTRA?

K4C is identical to XTRA with one exception. K4C has the added capability to connect with Hopr to enable identity trust verification with external (public-facing) workloads operated by outside organizations.

We don’t use Kubernetes infrastructure. Will K4C work with other infrastructure solutions?

Yes. K4C can be deployed with any containerized system (e.g., Kubernetes, Docker Swarm). It can also work with containers deployed in VM architectures.

How much staff overhead is necessary to deploy and maintain K4C?

Very little. K4C is simple for DevOps and DevSecOps engineers to deploy to production. They only need to edit a familiar YAML file to configure a sidecar container and deploy it. Once deployed, maintenance is infrequent.

What contact does K4C have with my company data?

None of Hopr's proprietary code is in contact with company data as it moves through the sidecar. The code that performs message routing and encryption/decryption is open source software that is well-maintained.

How does K4C assure a trusted workload identity?

With K4C, Hopr operates as a trusted identity verification agent and session broker. Before external workloads connect with each other, Hopr separately verifies trust in each organization's workload using their MAID and the decryption of their messages to Hopr.


Discover a winning defense

Schedule a 15-minute discovery call with one of our experts to discuss your use case and learn how Hopr's automated moving-target defense can prevent cyber attacks on your business.
Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.