Hybrid Cloud - Securing with PKCS and Code Sign
PKCS and Code Sign – Security in Hybrid Environment
The IT world is adopting DevOps for continuous development of patches. This brings a radical change to current software processes. The adoption of DevOps tools is based on moving away from a fixed update/upgrade window, or predefined times for releasing business benefits, towards a “Kanban” kind of approach with sprints, enabling prioritisation and reducing the gap between business asks and achieved results.
The advent of hyperscalers such as Azure, Google and AWS, with scalability and one-click deployments, together with advances in automation using the Infrastructure as Code (IaC) concept, has made continuous integration and deployment available. This is being enhanced by upgrading the present virtualisation technology to containers/Kubernetes and further to serverless computing, thereby providing the missing link of code integration and automated release.
This DevOps-hyperscaler combination gives the business a lower TAT for its features and functionalities, along with heterogeneous platform compatibility. It also opens up new vulnerabilities: the existence of rogue code (programs run by authors), leakage of revenue (orphan systems or multiple versions running at the same time) and reduced confidentiality of the proposed setup.
One approach to mitigating the code risks is to adopt encrypted code signing using the age-old PKI approach. It can be introduced at a point after the code is developed and before the code is actually deployed in the infrastructure environment. This stage is typically called the build stage, where the IaC (Infrastructure as Code) is made ready for deployment. This prevents rogue code and orphan systems from running.
Today, every operating system, virtualisation platform and hyperscaler understands the KMS (key management system) and is compliant with the PKCS (Public Key Certificate System). This can be leveraged to ensure there is no revenue leakage, by revoking the keys of a decommissioned setup. Each IT asset, such as binaries, OS, VMs and data stores, can be added to the PKCS environment during provisioning and removed (key expired) after decommissioning.
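The build-stage signing and decommission-time key revocation described in the two paragraphs above, as an added Go example that is not part of the original article. It assumes Ed25519 signatures and an in-memory TrustStore standing in for the PKI/KMS registry; the type and function names and the key ID build-01 are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore is a hypothetical stand-in for the KMS/PKI registry: it maps a
// signer key ID to its public key and records keys revoked at decommissioning.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// SignArtifact runs at the build stage: it signs the SHA-256 digest of the artifact.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyForDeploy is the deployment gate: an unknown signer, a revoked key, or
// a signature that does not match the artifact all block the rollout.
func (ts *TrustStore) VerifyForDeploy(keyID string, artifact, sig []byte) error {
	pub, ok := ts.Keys[keyID]
	if !ok {
		return errors.New("unknown signer: " + keyID)
	}
	if ts.Revoked[keyID] {
		return errors.New("signer key revoked: " + keyID)
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("signature mismatch: artifact altered or wrong key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	ts := &TrustStore{Keys: map[string]ed25519.PublicKey{"build-01": pub}, Revoked: map[string]bool{}}
	artifact := []byte("resource vm web-01 { image = \"base\" }") // constructed sample IaC
	sig := SignArtifact(priv, artifact)
	fmt.Println("signed build:", ts.VerifyForDeploy("build-01", artifact, sig))
	fmt.Println("tampered:", ts.VerifyForDeploy("build-01", append(artifact, '!'), sig))
	ts.Revoked["build-01"] = true // asset decommissioned, key revoked
	fmt.Println("after revocation:", ts.VerifyForDeploy("build-01", artifact, sig))
}
```

The revocation check runs before signature verification, so a decommissioned signer is refused even when its old signature is still mathematically valid.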
Potential confidentiality threats of data leakage and rogue programs can also be addressed by enabling the Kerberos protocol in the hybrid cloud environment, thereby explicitly allowing subsystems to obtain authorisations for intra-system connectivity. Audit trails can be generated to keep track of the duration for which IT subsystems are allowed to work, generating alerts for any attempts without authorisation. Even in the case of data loss outside the encryption domain, the data will by default be rendered unreadable due to the non-availability of decryption keys.
PKCS is widely followed in the web world, with third-party CAs issuing digital certificates as a measure against phishing attacks. All secure websites use it, and the third-party CAs provide a guarantee of identity protection. Almost all operating systems are PKCS and Kerberos compliant. Users and their privileges are configured in the AD and LDAP systems available to system administrators. Enabling PKCS in domain controllers and LDAP systems ensures that users reach the authorised locations in the hybrid environment. All hyperscalers allow federation for IAM extensions. For sub-contractors, PKCS can be enabled using the available public CA or using the blockchain mechanism for private exchange of authorisation.