Cloud Native Security and DigiCert ONE
DigiCert follows security best practices at every layer of the stack. DigiCert ONE is built on Kubernetes, which takes a layered approach to security based on the 4 Cs of Cloud Native security:
Cloud
Clusters
Containers
Code
Cloud security
Your data center should align with security best practices. Network access to the nodes and to the Kubernetes API server must be restricted by a network access control list (ACL), so that only authorized administrators can reach and administer the cluster.
Cluster security
Kubernetes is entirely API-driven. As the first line of defense, use strong API authentication and API authorization mechanisms to control and limit user access to the cluster and define the actions users can perform. Kubernetes also supports role-based access control (RBAC).
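As an added illustration of the RBAC mechanism described above (this is example configuration, not DigiCert ONE's own manifests), the following Role and RoleBinding grant one identity read-only access to pods in a single namespace. The namespace, role and user names are assumed for the example; the identity itself comes from whatever API authentication method the cluster uses.

```yaml
# Added RBAC example; namespace, role and user names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader            # assumed role name
  namespace: app-team         # assumed namespace; a Role is namespace-scoped
rules:
  # Read-only on pods and their logs. No create/delete, and no access
  # to secrets or other resource types: least privilege for a viewer.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding    # assumed binding name
  namespace: app-team
subjects:
  - kind: User
    name: jane@example.com    # assumed user as presented by API authentication
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Once applied, the effective permissions can be checked with `kubectl auth can-i list pods --namespace app-team --as jane@example.com` (expected: yes) and `kubectl auth can-i delete pods --namespace app-team --as jane@example.com` (expected: no). Binding to a namespaced Role rather than a ClusterRole keeps the grant from spilling into other namespaces.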
Container security
Container vulnerability scanning and OS dependency security are managed within our normal operations, where we regularly scan containers for known vulnerabilities.
Code security
Third-party dependency security
We scan for security vulnerabilities within third-party libraries used in our product.
Static code analysis
We analyze code for potentially unsafe coding practices and common security errors.
Dynamic probing
We use automated tools to simulate OWASP-classified attacks, including SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS).
Application and network isolation
With network defense in mind, Kubernetes provides a platform that allows you to segment the traffic to isolate different users, applications, and environments within a cluster.
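The segmentation described above is expressed in Kubernetes with NetworkPolicy objects. The following is an added example, not DigiCert ONE's configuration: a namespace-wide default-deny policy, an egress exception for DNS (which a blanket egress deny would otherwise break), and a single ingress rule that admits only gateway pods to the API pods. Namespace names, labels and the port are assumed.

```yaml
# Added NetworkPolicy example; namespaces, labels and ports are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-team          # assumed namespace
spec:
  podSelector: {}              # empty selector: every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # No ingress or egress rules are listed, so all traffic is denied
  # until a more specific policy allows it.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app-team
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    # Pods still need cluster DNS once egress is denied by default.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-to-api
  namespace: app-team
spec:
  podSelector:
    matchLabels:
      app: api                 # assumed label on the API pods
  policyTypes: ["Ingress"]
  ingress:
    # Only pods labelled app=gateway in the "gateway" namespace may
    # reach the API pods, and only on the application port.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway   # assumed namespace
          podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 8443           # assumed application port
```

Two practical checks: NetworkPolicy is only enforced when the cluster's network plugin (CNI) supports it, so a cluster without such a plugin silently accepts these objects and enforces nothing; and a default-deny policy also blocks any egress the workload needs (DNS, metrics, upstream APIs), which has to be allowed explicitly as the DNS rule above does.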
Ingress
KubeProxy DNS provides a name resolution service for pods and routes that provide external access to services running on the cluster.
Ambassador Gateway ExtAuth module
This module supports authentication methods such as OIDC, SAML, two-factor authentication, and client authentication certificates. It authenticates the incoming request and issues a new signed JWT carrying the metadata needed to enforce security at the application level. This keeps the publicly exposed JWT separate from the internal JWT, adding a further layer of protection.
Namespaces
Each collection of containers (known as a "pod") gets its own IP address and port range to bind to, which isolates pod networks from each other on the node. Pod IP addresses are independent of the physical network the nodes are connected to.
Securing traffic between services on the cluster
The ExtAuth module secures communication between services behind Ambassador Gateway: it authenticates the API request using the client ID and bearer token, then forwards the request to the destination service with security headers and metadata added.
Support for DMZ networks
DigiCert ONE does not support multiple demilitarized zone (DMZ) networks to isolate and keep potential target systems separate from internal networks. We have plans to support this in the future.
Kubernetes offers advanced scheduling techniques you can apply to nodes and pods, such as node affinity/anti-affinity, taints and tolerations, pod affinity/anti-affinity, and custom schedulers. These techniques help with scheduling onto nodes that belong to a multi-zone deployment while still remaining within a single Kubernetes cluster.
However, these techniques are not part of the DigiCert ONE default configuration and require expert manual intervention. Do not alter any default configurations without first consulting DigiCert. Modifying the configuration may impair the proper functioning of the DigiCert ONE platform.
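To show what the scheduling techniques named above look like in Kubernetes terms, here is an added, generic example of a Deployment that uses node affinity, pod anti-affinity and a toleration together. It is not a DigiCert ONE manifest and is not a change to apply to a DigiCert ONE cluster; the zone names, taint key, labels and image are assumed.

```yaml
# Added generic scheduling example; zone names, taint key, labels and image are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api            # assumed name
  namespace: app-team          # assumed namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: example-api
  template:
    metadata:
      labels:
        app: example-api
    spec:
      affinity:
        # Node affinity: only schedule onto nodes in the listed zones
        # (zone labels are applied by the cloud provider or the cluster admin).
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/zone
                    operator: In
                    values: ["zone-a", "zone-b"]   # assumed zone names
        # Pod anti-affinity: prefer spreading replicas across zones so a
        # single zone failure does not take down every replica.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: example-api
                topologyKey: topology.kubernetes.io/zone
      # Toleration: allows placement on nodes tainted with
      # dedicated=app-team:NoSchedule, which untolerating pods cannot use.
      tolerations:
        - key: "dedicated"       # assumed taint key
          operator: "Equal"
          value: "app-team"
          effect: "NoSchedule"
      containers:
        - name: api
          image: registry.example.com/example-api:1.0   # placeholder image
          ports:
            - containerPort: 8443
```

The toleration only has an effect if nodes carry the matching taint; a taint is what excludes other workloads from those nodes, while the toleration merely permits this one to land there. Because the anti-affinity is "preferred" rather than "required", the scheduler will still place all replicas in one zone if only one zone has capacity, which is the usual trade-off between availability and schedulability.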