Multi-Cluster Kubernetes Management and Access

As cloud and Kubernetes have become standard, security remains one of the top inhibitors of modern application development. Organizations cannot reduce risk by managing access control cluster by cluster; without a scalable, centralized approach they end up with misconfigurations, vulnerabilities, and failed compliance audits.

Let us travel back in time and picture a fort. Forts were huge, with massively thick walls, gates, watchtowers, and a moat to protect them from attack. Several layers of defense kept attackers at bay: an attacker might swim across the moat but still had to scale the high walls before entering the fort. A single layer might be compromised, but layering several makes it far harder for an attacker to get in, which is the same defense-in-depth principle applied to cluster access.

Increase Security With Ephemeral Access Control [On-Demand]

Workforces today are dynamic, with employees, contractors, freelancers, and other third parties constantly changing roles or projects, or moving between companies. This makes it difficult for IT teams to manage access controls in a timely manner and opens the door for attackers to take advantage of over-provisioned users and accounts that should have been deactivated. To counteract this, ephemeral access controls grant temporary access rights that expire on their own, removing the need to manually revoke credentials.

Watch this webinar recording to learn about the security benefits of switching to an ephemeral access control model and how this can help eliminate the burden placed on IT and Security teams. Importantly, we will discuss what ephemeral access control solutions exist today that can be integrated into your current security stack.

Designing Secure Authentication and Identity Management

Editor's Note: The following is an article written for and published in DZone's 2021 Application Security Trend Report.


Organizations and individuals face an ever-increasing threat from a wide variety of actors. Threats can come from nation states, organized crime gangs, or even determined individuals. These attacks come in forms such as ransomware, which can cripple your business and cause data loss or data exfiltration. Beyond ransomware, more insidious attacks like the SolarWinds supply chain attack can affect a large number of organizations beyond the initial victim. A supply chain attack looks for weak links in the business process; in this case, the attackers pursued a network monitoring vendor whose software is widely deployed and inherently needs to run with high privileges.

The Developer’s Guide to Relationship-based Access Control

If you’ve never heard of ReBAC (relationship-based access control), that’s fine. It’s not too difficult and we’ll walk you through it. Chances are, you’re already using this model in your current applications! Allow us to tell you why ReBAC is such an interesting model for access control and how you can start implementing it.


What is ReBAC? 

Relationship-based access control is a model in which access decisions are based on the relationships a subject has. When the subject (often a user, but possibly a device or an application) wants to access a resource, the system allows or denies the request based on the specific relationships the subject has to that resource, directly or through intermediate objects such as groups and parent folders.
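The following is an added example, not code from the original article, showing how such a decision is evaluated. It stores relationships as (object, relation, subject) tuples in the style of Google's Zanzibar, where a subject can be a concrete user or a "userset" such as group:sec#member, and it walks the graph so that group membership, implied relations (owner implies editor implies viewer) and parent-folder inheritance all compose. The object names, relation names and users are constructed for the example.

```python
"""Minimal relationship-based access control (ReBAC) evaluator (added example)."""
from collections import defaultdict


class ReBAC:
    def __init__(self):
        # (object, relation) -> set of subjects. A subject is either a user id
        # such as "user:alice" or a userset tuple such as ("group:sec", "member").
        self.tuples = defaultdict(set)
        # relation -> list of stronger relations on the same object that imply it
        self.implied_by = defaultdict(list)
        # (object type, relation) -> (linking relation, relation on the parent)
        self.inherit = {}

    def add(self, obj, relation, subject):
        self.tuples[(obj, relation)].add(subject)

    def remove(self, obj, relation, subject):
        # Access follows the graph, so dropping a tuple revokes immediately.
        self.tuples[(obj, relation)].discard(subject)

    def implies(self, stronger, weaker):
        self.implied_by[weaker].append(stronger)

    def inherit_from(self, obj_type, relation, via, parent_relation):
        self.inherit[(obj_type, relation)] = (via, parent_relation)

    def check(self, obj, relation, user, _seen=None):
        """Return True if `user` holds `relation` on `obj`, directly or transitively."""
        _seen = set() if _seen is None else _seen
        key = (obj, relation)
        if key in _seen:          # guard against cycles (e.g. nested groups)
            return False
        _seen.add(key)
        # 1. direct tuples, expanding usersets recursively
        for subj in self.tuples.get(key, ()):
            if subj == user:
                return True
            if isinstance(subj, tuple) and self.check(subj[0], subj[1], user, _seen):
                return True
        # 2. stronger relations on the same object (owner -> editor -> viewer)
        for stronger in self.implied_by.get(relation, ()):
            if self.check(obj, stronger, user, _seen):
                return True
        # 3. relations inherited from a parent object (doc inherits from folder)
        rule = self.inherit.get((obj.split(":")[0], relation))
        if rule:
            via, parent_rel = rule
            for parent in self.tuples.get((obj, via), ()):
                if isinstance(parent, str) and self.check(parent, parent_rel, user, _seen):
                    return True
        return False


def demo():
    """Constructed relationship graph; returns the access decisions it yields."""
    acl = ReBAC()
    acl.implies("owner", "editor")
    acl.implies("editor", "viewer")
    acl.inherit_from("doc", "viewer", "parent", "viewer")
    acl.inherit_from("doc", "editor", "parent", "editor")
    acl.add("group:sec", "member", "user:alice")
    acl.add("doc:1", "editor", ("group:sec", "member"))   # group userset as subject
    acl.add("doc:1", "parent", "folder:eng")
    acl.add("folder:eng", "viewer", "user:bob")
    acl.add("folder:eng", "owner", "user:carol")
    results = {
        "alice_view": acl.check("doc:1", "viewer", "user:alice"),   # via group -> editor -> viewer
        "bob_view": acl.check("doc:1", "viewer", "user:bob"),       # via folder viewer
        "bob_edit": acl.check("doc:1", "editor", "user:bob"),       # folder viewer is not editor
        "carol_edit": acl.check("doc:1", "editor", "user:carol"),   # folder owner -> editor
        "mallory_view": acl.check("doc:1", "viewer", "user:mallory"),
    }
    acl.remove("group:sec", "member", "user:alice")
    results["alice_view_after_removal"] = acl.check("doc:1", "viewer", "user:alice")
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that no permission is ever written against a user and a document directly; the decision is recomputed from the relationship graph on every check, which is why removing Alice from the group revokes her document access without touching the document's own tuples.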

RBAC Controls: The Key to Hardening a Kubernetes Cluster

If you’re using Kubernetes, you understand the importance of the API server. Referred to as "the core of Kubernetes’ control plane" in the platform’s own documentation, the API server is what users, cluster components, and external systems communicate through. Each of those interactions is a REST API call handled by the API server. As the documentation notes elsewhere, Kubernetes treats everything as an API object, so administrators use the API to manipulate the state of pods, namespaces, and every other kind of object.

This functionality makes it imperative for administrators to keep the API server locked down. To do that, they need to recognize that the API server is exposed on every cluster for management purposes. When a cluster is reachable from the internet and misconfigured, an unauthenticated actor can interact with it, alter settings and authorization rules so that later malicious requests are treated as valid, and then use that foothold for activity such as connecting to or downloading files from suspicious websites.

Architectural Approaches To Authorization in Server Applications: Activity-Based Access Control Framework

This article is about security. I’ll focus on this in the context of web applications, but I’ll also touch on other types of applications. Before I describe approaches and frameworks, I want to tell you a story.

Background

Throughout my years working in IT, I’ve had the opportunity to work on projects in a variety of fields. Even though the authentication requirements remained relatively consistent, the way the authorization mechanism was implemented tended to differ from project to project. Authorization had to be written practically from scratch for the specific goals of each project: we had to develop an architectural solution, modify it as requirements changed, test it, and so on. All of this was considered a routine process that developers could not avoid. Each time someone implemented yet another approach, we felt more strongly that we should come up with a general one that would cover the main authorization tasks and, most importantly, could be reused in other applications. This article takes a look at a generalized architectural approach to authorization, using a framework we developed as the example.

Access Control in Nebula Graph: Design, Code, and Operations

Access control lists (ACLs) are familiar to database users and are a significant part of data security. Like other database vendors, Nebula Graph takes data security seriously and now supports role-based access control.

In this article, we will detail user management with roles and privileges of Nebula Graph.

Stay Safe on GitHub: Security Practices to Follow

GitHub is undoubtedly the largest and most popular social development platform in the world. According to its 2019 State of the Octoverse report, GitHub is home to over 40 million developers, and the community keeps expanding every day.

As developers in this deeply interconnected community use open source code to build software, GitHub security should be a top priority. Extensive code reuse increases the risk of propagating vulnerabilities from one dependency or repository to another. As such, every contributor should focus on creating a secure development environment.

How to Access Sensitive and Regulated Data Through Microservices and APIs

We’re seeing more businesses utilize microservices, service meshes and APIs to break down large, static applications and merge legacy systems with modern IT platforms. These agile and flexible application structures have changed the way we exchange data and are typically the method of choice when sharing data with external parties.

Microservices architecture is ideal for developing and updating mobile applications because it can simplify data sharing. In fact, according to recent research from Advanced Market Analytics “mobility and app proliferation is the primary factor augmenting the demand for API management” and they also point out “API security issues” as a potential constraint to growth. 

Four Ways to Keep Kubernetes’ Secrets Secret

We have talked a lot about the speed at which DevOps innovation has moved and how security has consistently struggled to catch up. Kubernetes is a case in point and is stretching security teams to their limit. In just five short years, Kubernetes has exploded in usage, but security wasn’t always at the front of everyone’s minds.

One of the most shocking recent Kubernetes developments was the discovery of CVE-2018-1002105, one of the most severe Kubernetes vulnerabilities found to date, which we discuss further here. The silver lining is that the vulnerability led to the realization that Kubernetes operators and developers need better security practices. To be fair, security, like DevOps, is a process of continuous improvement. In this blog, we will discuss best practices for securing Kubernetes secrets.

Origin Authentication and RBAC in Istio with Custom Identity Provider

The concept of access control can be boiled down to two factors: authentication (AuthN) and authorization (AuthZ). Authentication determines the identity of a client based on the credentials presented to an identity provider (e.g., Google or Microsoft Active Directory), while authorization determines whether an authenticated principal may interact with a given resource.

Istio supports token-based end-user authentication with JSON Web Tokens (JWT). In Istio’s terms, authenticating the end user, who might be a person or a device, is known as origin authentication. Istio can validate nearly all the fields of a JWT presented to it. Since JWT is an industry-standard token format, Istio’s origin authentication works with OpenID Connect providers such as Auth0, Google, and Keycloak.
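To make concrete what "validating the fields of a JWT" involves, here is an added example, not Istio's code or the original article's, of the checks a verifier must perform before trusting a token: the signing algorithm, the signature, the issuer, the audience, and the validity window. It signs with an HMAC key so that it runs offline; Istio itself fetches the provider's public keys (JWKS) and verifies asymmetric signatures, but the claim checks are the same. The issuer URL, audience, secret and subject are constructed for the example.

```python
"""JWT field validation (added example): signature, alg, iss, aud, exp, nbf."""
import base64
import hashlib
import hmac
import json
import time


class JWTError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (stands in for the identity provider in this example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Return the claims only if every check passes; raise JWTError otherwise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise JWTError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose (rejects alg=none and confusion attacks).
    if header.get("alg") != "HS256":
        raise JWTError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise JWTError("bad signature")
    claims = json.loads(_b64url_decode(p))   # parse claims only after the signature holds
    if claims.get("iss") != issuer:
        raise JWTError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise JWTError("expired")
    if now < claims.get("nbf", 0):
        raise JWTError("not yet valid")
    return claims


def demo():
    """Run the verifier over one valid and several hostile tokens (all constructed)."""
    key = b"constructed-shared-secret"
    issuer, audience = "https://issuer.example", "orders-api"
    now = 1_700_000_000
    base = {"iss": issuer, "aud": audience, "sub": "user:alice", "exp": now + 300}
    results = {"valid": verify_jwt(make_jwt(base, key), key, issuer, audience, now)["sub"]}
    h, p, s = make_jwt(base, key).split(".")
    cases = {
        "expired": make_jwt({**base, "exp": now - 1}, key),
        "wrong_aud": make_jwt({**base, "aud": "other-api"}, key),
        "wrong_key": make_jwt(base, b"another-key"),
        # payload swapped to escalate the subject, signature left untouched
        "tampered": ".".join([h, _b64url(json.dumps({**base, "sub": "user:admin"}).encode()), s]),
        # downgrade attempt: unsigned token claiming alg=none
        "alg_none": _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + ".",
    }
    for name, tok in cases.items():
        try:
            verify_jwt(tok, key, issuer, audience, now)
            results[name] = "accepted"
        except JWTError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

Two ordering choices matter here: the algorithm is checked against a fixed expectation before the signature is computed, and the claims are decoded only after the signature verifies, so nothing in an unauthenticated payload influences the verifier's behaviour.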

Building an ABAC Policy Using APIs and Java SDK From Machina Tools


Determining what data a user, application, or device can access is one of the most important decisions an organization faces. You don’t have to be a healthcare or financial institution to be responsible for customer data, and to maintain customer trust your organization may want to treat all customer data as if it were regulated.

The data access problem is complex. Elements of policy may be driven by IT, human resources, legal, or even finance. Policies might be enforced at different points depending on where data travels and how it is consumed: at the network layer through remote-access systems, at the database layer, within cloud infrastructure, or at endpoints such as email and files. Most of these platforms default to a permissive policy, allowing access unless it has been explicitly restricted.

The Simple Path to Protecting and Controlling Your Application Data

Whether you’re a software development team lead at a prestigious financial institution assigned to redact personally identifiable information (PII) before releasing the next bankruptcy report, or part of a development shop that has just been contracted by a large healthcare organization to help update its systems to meet HIPAA requirements, chances are you’ve been asked to obfuscate sensitive data.

Protecting sensitive data is not an uncommon requirement when building applications. In a recent survey, 71% of companies indicated they utilized encryption for some of their data in transit; 53% utilized encryption for some of their data in storage.

Why Attribute-Based Access Control Will Become the Standard Model for Large Enterprises

Today, data is often characterized as the new oil of the digital age. Organizations leverage their data to enhance operational efficiency, improve the customer experience, increase revenue, and boost growth. Virtually every organization now collects data, from banks and financial institutions to healthcare organizations and industrial manufacturers.

These businesses are not only collecting data but collecting it from a wide variety of sources at an accelerating pace, resulting in an increasingly complex data environment, not to mention the business complexities that come with it, such as privacy protection, IP protection, and brand protection. However, data is only useful if it can be securely shared and leveraged not only across an entire organization but also with business partners and third-party suppliers.

Breaking Down the DevSecOps Approach

To keep pace with today’s on-demand world, organizations have shifted toward modern development practices like DevOps to deliver products and services to their customers immediately. DevOps merges software development and software operations teams so that they are no longer siloed from one another. With DevOps, the development and operations teams work in concert to operate and evolve applications cost-effectively and at high speed to meet customer demand.

However, many organizations are realizing that security must play an integral role in ensuring that continuous delivery practices also embrace good security processes. What good is delivering applications at such a rapid pace if sensitive customer information is left in jeopardy?