A few items that appeared in The Cyber Hut intelligence inboxes this week.
Styra Launches Cloud Native Entitlements Solution
Styra, the authorization startup behind Open Policy Agent, recently announced another addition to its kit bag. Its Cloud Native Entitlements approach seems to be aimed at bringing a distributed and replicated approach to entitlements management, but with a centralised management angle. Its whitepaper (registration required) explains how the modern enterprise will likely have applications operating in numerous locations and in different models, from “legacy” apps on-premises through to cloud and SaaS services. An on-premises entitlement model won't work for that spread, due to latency, accessibility and the modelling concepts that would be required. What Styra is promoting seems to be a generic model for entitlements management based on its DAS (Declarative Authorization Service), with the entitlements aspect introducing two extra concepts: one to synchronise LDAP/AD data into the picture and the other to allow the entitlements model to be replicated and stored on cloud-commodity hardware. This replication removes the SPOF (single point of failure) issue associated with many centralised models. However, it does introduce yet more synchronisation plumbing that needs to be managed, as well as the governance and compliance that comes with policy-as-code.
Beyond Identity Raises $100m Series C
Beyond Identity, the “unphishable MFA provider”, this week announced a Series C funding round of $100 million. This takes its overall funding to $205 million with a “unicorn” valuation of $1.1 billion. The funding will be used to increase research and development, as well as to allow expansion into new geographic territories such as LATAM and Asia-Pacific. Beyond Identity leverages public key cryptography to rid the user of passwords entirely. Coupling app and workstation integrations with a back-end risk-based policy engine, it aims to rid the world of passwords for both B2E and B2C environments, and also uses the asymmetric nature of public key crypto to provide code signing support for integrity-protected DevOps environments. This latter aspect is becoming more relevant as supply chain security and software bills of materials gain prominence.
NSA Cisco Password Types: Best Practices
Last week the US National Security Agency released an updated best practice guide for handling and storing passwords on Cisco network infrastructure hardware. Essentially, most Cisco devices store admin passwords in a configuration file, with options on how each password is stored. There are 8 ways this can be done, called “types”, ranging from plaintext through to basic hashing and encryption scenarios, each with different settings. The only one the NSA recommends is “type 8”. Type 8 refers to the use of PBKDF2 (Password-Based Key Derivation Function 2) with an 80-bit salt, SHA-256 hashing and 20,000 iterations, meaning the hashing step is run 20,000 times before the output is produced. This slows an adversary's ability to perform offline hash-comparison style attacks. Interestingly, there is also a “type 9” in the Cisco kit bag, which refers to the use of scrypt. The NSA states not to use this, as it has not been tested against NIST evaluation criteria, even though it provides greater brute force resistance than the “type 8” configuration.
Whilst password-based authentication is seemingly being phased out for B2C and B2E user environments, there are many situations where shared secret style authentication is not only necessary but may be incompatible with a move to something else, or even with being augmented by MFA. Network hardware is seemingly one of those environments.
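To make the type 8 parameters concrete, and to show how a defender might audit a saved configuration for the weaker types the guide warns about, here is an added example in Python. It is not code from the NSA guide or from Cisco: it reproduces the PBKDF2-HMAC-SHA-256 derivation with the stated 80-bit salt and 20,000 iterations (not Cisco's on-device string encoding, so the output is not a byte-for-byte device secret), estimates how much the iteration count slows an offline guessing loop compared with a single iteration, and walks a constructed set of configuration lines to flag every credential that is not type 8. The `enable secret`/`username ... secret` line shapes and the verdict labels for the other types are assumptions drawn from publicly documented Cisco type semantics; the secret values in the sample are placeholders.

```python
import hashlib
import hmac
import os
import re
import time

# Type 8 parameters as the NSA guidance describes them: PBKDF2 over
# HMAC-SHA-256, an 80-bit (10-byte) salt and 20,000 iterations.
TYPE8_ITERATIONS = 20_000
TYPE8_SALT_BYTES = 10
TYPE8_DKLEN = 32


def derive_type8_style(password: str, salt: bytes,
                       iterations: int = TYPE8_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA-256 with the type 8 work factor.

    Assumption: this matches the derivation parameters only, not the
    string format a Cisco device writes into its configuration.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=TYPE8_DKLEN)


def new_type8_style_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key) using a fresh random 80-bit salt."""
    salt = os.urandom(TYPE8_SALT_BYTES)
    return salt, derive_type8_style(password, salt)


def verify_type8_style(password: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison so the verifier does not leak how many
    # leading bytes matched.
    return hmac.compare_digest(derive_type8_style(password, salt), expected)


def guesses_per_second(iterations: int, trials: int = 5) -> float:
    """Estimate how many candidate passwords one core can test per second."""
    salt = b"\x00" * TYPE8_SALT_BYTES  # fixed salt: only timing matters here
    start = time.perf_counter()
    for i in range(trials):
        derive_type8_style(f"guess{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def slowdown_factor() -> float:
    """How much slower offline guessing is at 20,000 iterations than at one."""
    return guesses_per_second(1) / guesses_per_second(TYPE8_ITERATIONS)


# Assumed credential line shapes: "enable secret 8 ...", "enable password 7 ...",
# "username NAME [privilege N] secret 5 ...". A missing type digit means the
# value is written as typed, i.e. plaintext (type 0) in the saved file.
_CRED_LINE = re.compile(
    r"^\s*(?:enable\s+(?:secret|password)"
    r"|username\s+\S+\s+(?:privilege\s+\d+\s+)?(?:secret|password))"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

# Verdict labels are assumptions based on publicly documented type semantics;
# the page itself only states that type 8 is recommended and type 9 is not.
TYPE_VERDICT = {
    0: "plaintext",
    4: "single-pass SHA-256, unsalted (deprecated)",
    5: "MD5-based hash (weak)",
    6: "reversible AES encryption for stored keys (not a hash)",
    7: "reversible obfuscation (treat as plaintext)",
    8: "PBKDF2-SHA-256, 20,000 iterations (recommended)",
    9: "scrypt (not NIST-evaluated; NSA guide says avoid)",
}


def audit_config(config_text: str) -> list[dict]:
    """Return one finding per credential line: its type and whether it is type 8."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_LINE.match(line)
        if not m:
            continue
        ptype = int(m.group("type")) if m.group("type") else 0
        findings.append({
            "line": lineno,
            "type": ptype,
            "recommended": ptype == 8,
            "verdict": TYPE_VERDICT.get(ptype, "unknown type"),
        })
    return findings


# Constructed sample configuration; every secret value is a placeholder.
SAMPLE_CONFIG = """\
enable secret 8 $8$EXAMPLESALT$EXAMPLEHASH
enable password 7 EXAMPLEOBFUSCATED
username admin privilege 15 secret 5 $1$EXAMPLE$EXAMPLEHASH
username ops password 0 examplepass
username auto secret 9 $9$EXAMPLESALT$EXAMPLEHASH
username legacy password examplepass
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "OK  " if f["recommended"] else "FIX "
        print(f"{flag} line {f['line']}: type {f['type']} - {f['verdict']}")
    print(f"guessing is ~{slowdown_factor():.0f}x slower at {TYPE8_ITERATIONS} iterations")
```

The slowdown figure is per core and illustrative only; a dedicated cracking rig closes some of that gap, which is why the iteration count is a delay rather than a guarantee, and why the audit still flags type 7 and type 0 entries as the first things to fix.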
Aserto Authorization Service Launches Developer Signup
Aserto, a startup focused on creating an authorization SaaS API, announced that its developer-focused service is open for use. The Aserto model seems to be to provide a Docker image that runs “at the edge”, close to the asset being protected, and acts as the proxy or sidecar that enforces authorization policy. Aserto appears to use Open Policy Agent as the underlying decision engine, which it has expanded to become more “Docker friendly”. Aserto follows the externalised authorization model: the IDP (identity provider) delivering identity and authentication data is synchronised into the authorization policy ecosystem, and that information is in turn passed down to the “edge” to support enforcement. As you would expect, Aserto also provides a range of developer-friendly assets in the form of SDKs and REST APIs. You can sign up here.