
Cloud Native Security and DigiCert ONE

DigiCert follows security best practices at every layer of the platform. DigiCert ONE is built on Kubernetes, which takes a layered approach to security described by the 4 Cs of Cloud Native security, where each layer depends on the security of the layers outside it: 

  • Cloud

  • Clusters

  • Containers

  • Code

Cloud security

Your data center (or cloud provider environment) must align with security best practices. Restrict network access to the nodes and to the Kubernetes API server with a network access control list (ACL), so that only the administrators and systems that need to manage the cluster can reach its control plane.

Cluster security

Kubernetes is entirely API-driven, so the API server is the first line of defense: enforce strong authentication for every caller, and an authorization mechanism that limits what each authenticated user or service account may do. Kubernetes supports role-based access control (RBAC) for this purpose; an RBAC role lists the permitted verbs on specific resources, and a binding grants that role to users, groups, or service accounts.
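As an added illustration of the RBAC model (this is example configuration, not DigiCert ONE's shipped configuration, which you should not modify): a least-privilege Role that only allows reading pods and their logs in one namespace, bound to a single user. The namespace digicert-one, the Role name and the user name are assumptions.

```yaml
# Added example, not DigiCert ONE configuration. Namespace, role name and
# user name are assumed for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: digicert-one
rules:
  # Only read access, and only to pods and pod logs; no wildcard verbs
  # ("*") and no secrets, which a read-all role would expose.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: digicert-one
subjects:
  - kind: User
    name: ops-reader@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the grant is as narrow as intended by impersonating the user: `kubectl auth can-i list pods --namespace digicert-one --as ops-reader@example.com` should print `yes`, while `kubectl auth can-i delete pods --namespace digicert-one --as ops-reader@example.com` and `kubectl auth can-i get secrets --namespace digicert-one --as ops-reader@example.com` should both print `no`.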

Container security

Container vulnerability scanning and OS dependency security are part of our normal operations: we regularly scan container images for known vulnerabilities, including those in the base operating system packages they contain.

Code security

  • Third-party dependency security

    We scan for security vulnerabilities within third-party libraries used in our product.

  • Static code analysis

    We analyze code for potentially unsafe coding practices and common security errors.

  • Dynamic probing

    We use automated tools to stage OWASP-catalogued attacks against the running application, including SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS).

Application and network isolation

With network defense in mind, Kubernetes provides a platform that lets you segment traffic to isolate different users, applications, and environments within a cluster.
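As an added example of that segmentation (example configuration, not part of DigiCert ONE's default configuration): a NetworkPolicy that denies all ingress to pods in a namespace by default, followed by one that admits traffic to an application's pods only from the gateway pods on the port the service listens on. The namespace names, labels and port are assumptions.

```yaml
# Added example, not DigiCert ONE configuration. Namespaces, labels and the
# port are assumed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: digicert-one
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes: ["Ingress"]   # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-gateway
  namespace: digicert-one
spec:
  podSelector:
    matchLabels:
      app: account-service   # the pods being protected
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # namespaceSelector and podSelector in the same entry are ANDed:
        # only pods labelled service=ambassador in the "ambassador" namespace
        # may connect. The kubernetes.io/metadata.name label is set by the
        # API server on every namespace in current Kubernetes releases.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ambassador
          podSelector:
            matchLabels:
              service: ambassador
      ports:
        - protocol: TCP
          port: 8080
```

Two caveats a practitioner should check: NetworkPolicy objects are only enforced by a network plugin (CNI) that implements them, so on a cluster without such a plugin they are accepted but have no effect; and because the first policy selects every pod in the namespace, any other service in it also needs an explicit allow rule or its traffic will be dropped.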

  • Ingress

    Cluster DNS provides a name resolution service to pods, kube-proxy routes traffic to services, and ingress rules expose selected services running on the cluster to external clients.

  • Ambassador Gateway ExtAuth module

    This module supports authentication methods such as OIDC, SAML, two-factor authentication, and client certificate authentication. It authenticates the incoming request and issues a new, internally signed JWT carrying the metadata needed to enforce security at the application level. Because backend services trust only the token signed by the gateway, the publicly exposed JWT is isolated from the internal JWT: a token obtained outside the gateway cannot be presented directly to a service, and the internal token can carry claims that never leave the cluster.

  • Namespaces

    Pods are grouped into namespaces, which scope resources such as services and network policies. Each pod (a collection of containers) gets its own IP address and port space, so each pod has its own network identity on the node and pods do not compete for ports. Pod IP addresses are independent of the physical network that the nodes are connected to.

  • Securing traffic between services on the cluster

    ExtAuth also secures communication between services behind the Ambassador Gateway: it authenticates the API request using the client ID and bearer token, then forwards the request to the destination service with security headers and metadata added.
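The token exchange described under the ExtAuth module and under securing traffic between services, as an added Python model (this is example code, not DigiCert's or Ambassador's implementation). It assumes HS256 shared secrets, header names, audience strings and claim names chosen for the demo; a real gateway would verify the public token against the identity provider's published keys (for OIDC, its JWKS). The point it shows is that the public token and the internal token are signed with different keys and carry different audiences, so a public token presented directly to a service is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Keys and names below are constructed for this example. A real gateway would
# verify the public token against the identity provider's published keys
# (for OIDC, its JWKS) rather than a shared HS256 secret.
EXTERNAL_KEY = b"demo-secret-shared-with-the-identity-provider"
INTERNAL_KEY = b"demo-secret-known-only-to-gateway-and-services"
GATEWAY_AUDIENCE = "digicert-one-gateway"     # assumed audience of public tokens
INTERNAL_AUDIENCE = "digicert-one-internal"   # assumed audience of internal tokens
INTERNAL_TTL = 300                            # internal tokens live five minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) for the claims."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check algorithm, signature, audience and expiry; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def extauth(authorization: str, client_id: str, now: float) -> dict:
    """Gateway side: validate the public token, then mint the internal one.

    Returns the headers the gateway adds before forwarding the request to the
    destination service; raises ValueError when the request must be rejected.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    public = verify(token, EXTERNAL_KEY, GATEWAY_AUDIENCE, now)
    if public.get("azp") != client_id:  # OIDC authorized-party claim must match the caller
        raise ValueError("client id mismatch")
    if "sub" not in public:
        raise ValueError("no subject")
    internal = {
        "iss": "ambassador-extauth",
        "aud": INTERNAL_AUDIENCE,
        "sub": public["sub"],
        "client_id": client_id,
        "roles": public.get("roles", []),
        "iat": int(now),
        "exp": int(now) + INTERNAL_TTL,
    }
    return {"X-Internal-Token": sign(internal, INTERNAL_KEY), "X-Client-Id": client_id}


def service_accepts(headers: dict, now: float) -> dict:
    """Destination-service side: only a gateway-signed internal token is honoured."""
    return verify(headers.get("X-Internal-Token", ""), INTERNAL_KEY, INTERNAL_AUDIENCE, now)


if __name__ == "__main__":
    now = time.time()
    # Constructed public token, as an identity provider would issue it to the web client.
    public_token = sign({"sub": "alice", "aud": GATEWAY_AUDIENCE, "azp": "web-console",
                         "roles": ["cert-manager"], "exp": int(now) + 3600}, EXTERNAL_KEY)
    forwarded = extauth(f"Bearer {public_token}", "web-console", now)
    print(service_accepts(forwarded, now))
```

The internal token is deliberately short-lived and scoped to an internal audience, so even if it leaks from a service log it is of limited use, and the algorithm is pinned rather than read from the token header to rule out algorithm-confusion attacks.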

Support for DMZ networks

DigiCert ONE does not currently support multiple demilitarized zone (DMZ) networks for keeping potential target systems separate from internal networks. Support is planned for a future release.

Kubernetes offers advanced scheduling techniques you can apply to nodes and pods, such as node affinity and anti-affinity, taints and tolerations, pod affinity and anti-affinity, and custom schedulers. These techniques help place workloads on nodes in different zones of a multi-zone deployment while remaining within a single Kubernetes cluster.

However, these techniques are not part of the DigiCert ONE default configuration and require expert manual intervention. Do not alter any default configuration without first consulting DigiCert; modifying it may impair the proper functioning of the DigiCert ONE platform.