7 Ways GroundWork Delivers Bulletproof Infrastructure Monitoring


January 27, 2021

Lately, security has become top of mind among infrastructure monitoring customers. This is no surprise considering the widespread reports about supply-chain vulnerabilities and embedded compromises rampant in popular network monitoring software. In light of this, we want to underscore how seriously we have always taken our security processes, and how we cultivate a culture based on a foundation of sound security protocols.

We strive to be good stewards of our customers' data and take great pains to ensure we are always on the bleeding edge of security best practices. A chain is only as strong as its weakest link, which is why we integrate secure processes into the development and deployment of GroundWork, and immediately respond to feedback and suggestions from customers. In this post we outline 7 ways in which our security policies manifest within the platform and our company culture.

1. Independent Docker Containers

We chose to develop GroundWork 8 on Linux with Docker containers because it gives us the ability to isolate the application from the operating system, and more easily protect the data we gather from outside actors. Linux is also more capable of being run securely than other operating systems. It’s not invulnerable, but the native security capabilities are much stronger.

Docker also allows us to block access to data. Data is only available to applications on the container network, which we can tightly control by restricting the access points to encrypted channels.

2. Reduced Superuser Privileges

Installing software usually requires privileged access, called root access or superuser access on Linux. To reduce the number of users with root access, we removed the requirement for root access when installing or managing GroundWork software components. Root access is only needed to install Docker. All other functions can be accomplished with a more limited account, which makes compromising the system much more difficult.

3. Secure Supply Chain

Most of the supply-chain attacks we have heard so much about lately were caused by poorly executed internal processes. At GroundWork we combat this by creating a shared culture of accountability and implementing extensive protocols that make compromises easier to detect. Because we use open source components, there are a lot more eyes making sure that there are far fewer vulnerabilities in our code.

We also scan all of our containers for known vulnerabilities, patch them when necessary, or code around the vulnerability if it can’t be patched. Our rapid release cycles mean we can put out patched versions of specific individual containers quickly, and our scripted upgrades make it easy to keep GroundWork patched to the latest version.

4. Secure Delivery

When you receive a version of GroundWork from us to install, that version is automatically packaged and verified coherent, meaning it is what we think it is. We then generate a signature that you can validate when you download it. One of the benefits of being a monitoring company is that we know right away if the signature or the package is changed when it shouldn’t be. We also double check each package automatically before we start the install or upgrade process. The goal is to make sure we are delivering only and exactly what we intend to deliver.

5. API Token Control

Access to GroundWork’s API is secured by tokens. API access covers both Read/Write and Read Only uses, and if you need to regenerate an access token, you can do so manually or automatically using the master cypher. All GroundWork services use unique tokens with the same master cypher, so you can change inter-process encryption with a single update.

6. Directory Authentication

GroundWork allows you to set up robust directory authentication without complicated configuration or additional modules. User access is secured through integrations with secure directory services such as Active Directory or LDAP/S, and if a directory is compromised, user ID and password authentication is available as a fallback.

7. Role Based Access Control

Authorization within GroundWork is based on roles, which control access to the various sections of the application, as well as groups of monitored infrastructure. Roles can be mapped to directory containers, allowing you to seamlessly assign roles in your directory. Access to specific features, links, and monitored resources can also be mapped to roles, making user management simple and effective.

Trust your monitoring to GroundWork

Security is a shared challenge. It’s up to everyone to play their part in ensuring that protocols are followed and each link of the chain is maintained. We believe this means putting our customers' interests first, proactively addressing exploits, and responding quickly to potential vulnerabilities. By working in collaboration with our customers, we have built a shared culture of security that helps us all remain accountable and as safe and secure as we can reasonably be.

