DevSecOps is a Process... A Continual One...Without a beginning and without an end.
Security is a process, not a set of products. We recommend processes and best practices, and we point you to products and services that get the job done. Done does not mean complete; done means done at that point in time. As the goalposts move, you have to be prepared to move with them.
At the heart of our Zero Trust Strategy for applications is our flagship product, XtremeCloud Single Sign-On (SSO). It enables very strong authentication, provides a point of integration for device security, and is the core of any agency's user-centric policies for enforcing least-privilege access. We provide Conditional Access capabilities with a Policy Decision Point (PDP) for fine-grained authorization to resources based on user identity, environment, device health, and risk. Those decisions are enforced at the point of access by our Policy Enforcement Points (PEP).
Continuing the theme of Zero Trust Strategy is the bundling of Aspen Mesh with our XtremeCloud SSO product. We do not bake the burdensome details of TLS/SSL into our XtremeCloud SSO containers, nor do they spend CPU cycles on the cryptographic operations. The highly efficient Aspen Mesh sidecar runs in the same pod as our SSO containers, performs the mutual TLS (mTLS) handshake, and encrypts Kubernetes service-to-service traffic. Both ends of every connection are authenticated by certificate, which blocks man-in-the-middle (MITM) attacks on that traffic. The burden of digital certificate management is drastically reduced through integration with Let's Encrypt.
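The mTLS enforcement and the Policy Enforcement Point described in the two paragraphs above, as an added example that is not Eupraxia Labs' or Aspen Mesh's own configuration. Aspen Mesh is built on Istio, so the standard Istio security resources are used here. The namespace names, workload labels, the `edge/api-gateway` service account, the issuer and JWKS URLs, and the `device_trust` claim are all assumptions for illustration:

```yaml
# Added example; not the project's own manifests. All names below are assumed.
---
# 1. Require mTLS for every workload in the SSO namespace.
#    Istio's default mode, PERMISSIVE, accepts plaintext as well as mTLS, so a
#    pod without a sidecar (or an attacker already on the pod network) could
#    still reach the SSO in the clear. STRICT rejects any non-mTLS connection.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: xtremecloud-sso
spec:
  mtls:
    mode: STRICT
---
# 2. Service-to-service PEP in the sidecar: only the client identity proven by
#    its mTLS certificate (the SPIFFE ID of the edge/api-gateway service
#    account) may call the SSO, and only on the listed methods and paths.
#    Once an ALLOW policy selects a workload, everything it does not match is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: sso-allow-gateway
  namespace: xtremecloud-sso
spec:
  selector:
    matchLabels:
      app: xtremecloud-sso
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/edge/sa/api-gateway"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/auth/*"]
---
# 3. End-user PEP for an application behind the SSO: validate the JWT the SSO
#    issued, then require both a valid principal and a conditional-access
#    attribute carried as a claim. RequestAuthentication alone only rejects
#    *invalid* tokens; a request with *no* token still passes unless an
#    AuthorizationPolicy demands a requestPrincipal, as the second resource does.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: sso-jwt
  namespace: agency-apps
spec:
  selector:
    matchLabels:
      app: protected-api
  jwtRules:
  - issuer: "https://sso.example.com/auth/realms/agency"                                  # assumed
    jwksUri: "https://sso.example.com/auth/realms/agency/protocol/openid-connect/certs"   # assumed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: protected-api-require-jwt
  namespace: agency-apps
spec:
  selector:
    matchLabels:
      app: protected-api
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://sso.example.com/auth/realms/agency/*"]
    when:
    - key: request.auth.claims[device_trust]   # hypothetical claim set by the SSO's PDP
      values: ["managed"]
```

To check that STRICT is in effect, send a plaintext request from a pod without a sidecar (for example `kubectl run curl --rm -it --image=curlimages/curl -- curl -sv http://xtremecloud-sso.xtremecloud-sso:8080/`); it should be reset by the server-side sidecar rather than answered. Apply STRICT per namespace first, as above, and only move to a mesh-wide `default` PeerAuthentication in the Istio root namespace once every workload that talks to the SSO has a sidecar.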
We apply security checks both at build time and at run-time: Kubernetes cluster security checks of running pods, run-time policy checks of attempted access within and from outside the Kubernetes clusters, and continuous Docker image scanning for Common Vulnerabilities and Exposures (CVE) on quay.io.
As an open source provider, we make wide use of open source components, which mandates complete and thorough vulnerability and exposure scanning at source-code compile time and at each subsequent Docker image build of our Active-Active multi-cloud applications.
Additionally, for risk assessment purposes, all of the supported Docker images we deliver are continuously scanned for Common Vulnerabilities and Exposures (CVE). Our Docker images are built only on carefully controlled Red Hat Universal Base Images (UBI), providing a strong foundation of Red Hat software. When new vulnerabilities or exposures are identified, we proactively alert your team and provide an updated image from our Eupraxia Labs Container Catalog (ELCC) on Red Hat's Quay.io registry.
We also shift left in the CI/CD cycle by deploying advanced security in your Kubernetes Clusters using Alcide.
Our CyberSAFEContinuum umbrella of solutions provides a series of applications distributed across multiple Cloud Service Providers (CSP), hybrid clouds, or an on-premises private cloud that:
Includes a world-class Identity and Access Management (IAM) product, XtremeCloud Single Sign-On (SSO), that protects its own microservice endpoints with OAuth2 flows, as well as any third-party or homegrown APIs. With the 4.0 release of XtremeCloud SSO, we support FIDO2 and WebAuthn for passwordless logins. Strong authenticators such as Windows Hello, Apple Touch ID, and the Yubico YubiKey are fully supported.
Includes relational databases with bi-directional replication (BDR) for Active-Active multi-master replication (MMR), XtremeCloud Data Grid-db, with data-at-rest encryption provided by the Cloud Service Provider (CSP) using Hardware Security Modules (HSM).
Provides a transport-level secure XtremeCloud Data Grid-web for fully distributed and replicated caches.
Provides a Lightweight Directory Access Protocol (LDAPv3)-based directory user store, XtremeCloud Data Grid-ldap, that holds application settings, user profiles, group data, policies, and access control information.
Provides integration with Microsoft Active Directory (AD) for federated user identity management.
Limits the actions a container can take by using AppArmor, a very effective Linux Security Module (LSM) that is less complex than SELinux.
Provides CSP-based Kubernetes worker nodes that are hardened per Center for Internet Security (CIS) Guidelines and Benchmarks.
Provides a clean Kubernetes Cluster, using Alcide, that dramatically reduces the attack surface that can be exploited by malicious code inadvertently deployed to your cluster.
AppArmor in an Azure Kubernetes Service (AKS) cluster.
With our knowledge of the major Cloud Service Providers (CSP), including Microsoft Azure, Google Cloud (GCP), Oracle Cloud (OCI), IBM Cloud, and Amazon Web Services (AWS), we can provide you with, or assist you with, the myriad multi-layer security capabilities available to you.
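Confining a container with AppArmor as described in the list item above, as an added example that is not Eupraxia Labs' own deployment manifest. The profile name, namespace, image reference and container name are assumptions. The profile must already be loaded on every node that can schedule the pod (for example `apparmor_parser -r /etc/apparmor.d/k8s-xtremecloud-deny-write`, typically done by a DaemonSet); if it is not, the kubelet blocks the container rather than running it unconfined. The ConfigMap only carries the profile text for such a loader:

```yaml
# Added example; not the project's own manifests. All names below are assumed.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
  namespace: xtremecloud-sso
data:
  # AppArmor profile text (not YAML). A node-level loader (assumed, not shown)
  # writes it to /etc/apparmor.d and runs apparmor_parser.
  k8s-xtremecloud-deny-write: |
    #include <tunables/global>

    profile k8s-xtremecloud-deny-write flags=(attach_disconnected) {
      #include <abstractions/base>

      # Allow reading and executing files and normal network use, but deny
      # every file write anywhere. deny rules override allow rules, so a
      # write-capable real-world profile should list allowed paths instead
      # of combining "deny /** w" with per-path allows.
      file,
      network,
      deny /** w,
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: xtremecloud-sso-apparmor-demo
  namespace: xtremecloud-sso
  annotations:
    # Attach the node-loaded profile to the container named "sso".
    # Alternatives: "runtime/default" (the container runtime's default profile)
    # and "unconfined" (AppArmor disabled for that container).
    container.apparmor.security.beta.kubernetes.io/sso: localhost/k8s-xtremecloud-deny-write
spec:
  containers:
  - name: sso
    image: registry.example.com/xtremecloud-sso:4.0   # assumed image reference
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Two checks are worth running after the pod is up: `kubectl exec xtremecloud-sso-apparmor-demo -- cat /proc/1/attr/current` should print `k8s-xtremecloud-deny-write (enforce)`, and `kubectl exec xtremecloud-sso-apparmor-demo -- touch /tmp/probe` should fail with "Permission denied". If the pod instead sits in a `Blocked` state with an "AppArmor profile not loaded" message, the profile was not installed on the node it was scheduled to. On Kubernetes 1.30 and later the same profile can be requested with `securityContext.appArmorProfile: {type: Localhost, localhostProfile: k8s-xtremecloud-deny-write}` instead of the annotation.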