Keeping data secure on the CYBELE platform
The CYBELE platform is an ecosystem of microservices providing various resources and infrastructure to clients. As with any technology or platform associated with data
collection, storage and transmission, there are many security and privacy threats that need to be considered during its deployment. To implement and ensure the secure delivery of CYBELE’s microservices, Tampere University is working on four security modules. These security modules are:
1. Certificate Authority (CA) Module: The CA is responsible for generating certificates for the participating CYBELE entities to ensure secure communication. These certificates protect data and information exchanged between the communicating entities from potential malicious adversaries. Each entity in the CYBELE platform will be issued a certificate from the CA. Once a certificate has been issued, all ensuing communication between the participating entities within the CYBELE platform will, in theory, be considered secure. This is due to the fact a certificate identifies the owner as genuine. As the CA, we utilize the Enterprise Java Beans Certificate Authority (EJBCA), a Public Key Infrastructure certificate authority software package managed and supported by PrimeKey Solutions AB.
2. User Authentication and Authorization (UAA) Module: The UAA is an open-source Identity and Access Management solution aimed at modern applications and services. It simplifies the process of securing software and services. The UAA server allows users to log in to the platform and access the services that have been assigned to them and provide support for single-sign-on (SSO). Users will be automatically signed into all external services deployed by the CYBELE platform using this SSO feature. A user is only granted access to the CYBELE platform once he/she can prove their identity.
3. Vulnerability Assessment (VA) Module: Vulnerability Assessment is described as the systematic review of the security weaknesses in any information system such as cross-site scripting, various command injections, path traversal, SQL injection, and often insecure server configuration. VA toolkits are automated tools aimed at scanning web applications and services for these vulnerabilities. To effectively test and assess the CYBELE platform for vulnerabilities, we adopt a balanced approach that requires a dose of the techniques such as Manual Inspection and reviews, Threat modelling, Code Review and Penetration Testing. However, the majority of the assessments will be accomplished using the Zed Attack Proxy web application scanner.
4. Anomaly Detection (AD) Module: AD is the Identification of rare occurrences, observations that show a distinct variance from the general population. Discovering anomalies is essential as it can dramatically affect the results of data analysis and statistical models. In service-oriented applications like CYBELE, anomalies can exist in the form of abnormal service behaviors, services impersonating other services, privilege escalation, initiation of unnecessary traffic, unusual network traffic patterns, and inter-process communication among unrelated services etc. We use Falco, a service that provides runtime security for dockerized cloud-native applications for the CYBELE platform.
Figure 1: Overview of CYBELE Security Modules