Arquitectura / Group items tagged security

Pablo Lalloni

Let's Encrypt - Free SSL/TLS Certificates - 0 views

  •  
    "Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. Let's Encrypt is a service provided by the Internet Security Research Group (ISRG). The key principles behind Let's Encrypt are: Free: Anyone who owns a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost. Automatic: Software running on a web server can interact with Let's Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Secure: Let's Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers. Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect. Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt. Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the community, beyond the control of any one organization."
Pablo Lalloni

Running Secured Docker Registry 2.0 - Container Solutions - 0 views

  •  
    "The new Docker Registry 2.0 was released on April 16th, 2015. It was completely rewritten in Go with added support for the new Docker Registry HTTP API V2 (thus only working with Docker 1.6+), promising to provide faster and more secure distribution of images. If you work with Docker and for some reason decided not to use the public Docker Hub, a private Docker Registry is an essential part of your architecture. But even if you don't have private images, you will likely need to use your own registry in production/testing for efficiency. The default installation, however, runs without encryption and authentication. I was wondering what's involved in securing it. There is an official tutorial on how to configure TLS on a registry server. TLS/SSL is absolutely necessary for any secure setup, but I also wanted to enable an authentication mechanism. The Configuration Reference document describes two authentication options supported by Docker Registry itself: so-called silly and token solutions. The silly one is apparently only useful for very limited development use-cases. The token solution seems to be more serious, but because of the lack of documentation (at the time of writing), I decided to find an alternative approach to secure it. In this article I'm going to show you how to set up the Docker Registry 2.0 with username/password authentication and SSL using the official Docker Registry image and a custom configured nginx as a proxy server."
Pablo Lalloni

Motivations for Apache Hadoop Security | Hortonworks - 0 views

  •  
    "The motivation for adding security to Apache Hadoop actually had little to do with traditional notions of security in defending against hackers since all large Hadoop clusters are behind corporate firewalls that only allow employees access. Instead, the motivation was simply that security would allow us to use Hadoop more effectively to pool resources between disjointed groups. Larger clusters are much cheaper to operate and require fewer copies of duplicated data."
Pablo Lalloni

cilium/cilium: HTTP, gRPC, and Kafka Aware Security and Networking for Containers with ... - 0 views

  •  
    "Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos."
Pablo Lalloni

The Role of Delegation Tokens in Apache Hadoop Security | Hortonworks - 0 views

  •  
    Delegation tokens play a critical part in Apache Hadoop security, and understanding their design and use is important for comprehending Hadoop's security model.
Pablo Lalloni

FreeIPA - 0 views

  •  
    "FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools. FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers. FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks. Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server. Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool."
Pablo Lalloni

Overview - freeipa - Pagure.io - 0 views

  •  
    "FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools. FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks. FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization. Benefits FreeIPA: Allows all your users to access all the machines with the same credentials and security settings Allows users to access personal files transparently from any machine in an authenticated and secure way Uses an advanced grouping mechanism to restrict network access to services and files only to specific users Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules Enables delegation of selected administrative tasks to other power users Integrates into Active Directory environments"
Pablo Lalloni

Ivan Ristić: Significant SSL/TLS improvements in Java 8 - 0 views

  •  
    "Java 8 also brings many security improvements that are as important as the new language features. Of particular interest are the improvements to the TLS stack, implemented in the Java Secure Socket Extension (JSSE) component. Why? Because Java 7 and earlier do not give you enough control over TLS termination. As a result, it was simply not possible to terminate TLS at the Java level and achieve sufficient security. The deficiencies have been addressed in Java 8. Several other key improvements ensure that Java now provides a very good TLS stack. Many of the changes will take effect as you change the JRE, even with older applications."
Pablo Lalloni

Field-Level Declarative Security « The Isomorphic Software Blog - 0 views

  •  
    At SCT, after many attempts, we gave up on implementing something like this... and here it is, done. Excellent: This allows restriction of access privileges by role to ensure granular security at a per-field level. View, search, initialize or update DataSource fields requiring specific roles with automatic consequences in the UI.
Pablo Lalloni

Stop Trying to Fix the User - IEEE Journals & Magazine - 0 views

  •  
    "Users aren't the problem with security. It's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things."
Pablo Lalloni

Time for Password Expiration to Die | SANS Security Awareness - 0 views

  •  
    "Per Thorsheim, Microsoft's Dr. Cormac Herley, the UK's NCSC, the Chief Technologist at FTC, I and many others are working hard to kill password expiration. Password expiration is when an organization requires their staff to change their passwords every 60, 90 or XX number of days. Password expiration is also a great example of how security professionals fail by simply repeating old myths or focusing on just mitigating risk, forgetting about the cost or impact of those mitigating controls. Here is why password expiration must die."
Pablo Lalloni

Google Container Registry - Tools - Google Cloud Platform - 0 views

  •  
    "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. While Docker provides a central registry to store public images, you may not want your images to be accessible to the world. In this case, you must use a private registry. The Google Container Registry runs on Google Cloud Platform, so can be relied upon for consistent uptime and security. The registry can be accessed through an HTTPS endpoint, so you can pull images from any machine, whether it's a Google Compute Engine instance or your own hardware."
Pablo Lalloni

Splunk Enterprise Product Tour - Machine Data Collection | Splunk - 1 views

  •  
    "Splunk Enterprise is the industry-leading platform for operational intelligence. Collect and index any machine data from virtually any source in real time. Search, monitor, analyze and visualize your data to gain new insights and intelligence. Index everything for deep visibility, forensics and troubleshooting. Work smarter as you and your team share searches and add knowledge specific to your organization. Create ad hoc reports to identify trends or prove compliance controls. Create interactive dashboards to monitor for security incidents, service levels and other key performance metrics. Analyze user transactions, customer behavior, machine behavior, security threats and fraudulent activity, all in real time."
Pablo Lalloni

Istio and the Future of Service Meshes - 0 views

  •  
    "The microservices architectural style simplifies implementing individual services. However, connecting, monitoring and securing hundreds or even thousands of microservices is not simple. A service mesh provides a transparent and language-independent way to flexibly and easily automate networking, security, and observation functions. In essence, it decouples development and operations for services. The Istio service mesh is split into 1) a data plane built from Envoy proxies that intercepts traffic and controls communication between services, and 2) a control plane that supports services at runtime by providing policy enforcement, telemetry collection, and certificate rotation. The near-term goal is to launch Istio to 1.0, when the key features will all be in beta (including support for Hybrid environments). The long-term vision is to make Istio ambient."
Pablo Lalloni

istio/istio: An open platform to connect, manage, and secure microservices. - 0 views

  •  
    "An open platform to connect, manage, and secure microservices."
Pablo Lalloni

Tinc VPN - 0 views

  •  
    "tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet."
Pablo Lalloni

Kong - API Management and Microservice Management - 0 views

  •  
    "Secure, Manage & Extend your APIs and Microservices The open-source management layer for APIs, delivering high performance and reliability."
Pablo Lalloni

packagecloud - 1 views

  •  
    "Support for Debian, RPM, RubyGem and Python packages. Public and private package repositories with powerful tooling, security and automation."