7 Ways GroundWork Delivers Bulletproof Infrastructure Monitoring
January 27, 2021
Lately, security has become top of mind across infrastructure monitoring customers. This is no surprise considering the widespread reports about supply-chain vulnerabilities and embedded compromises rampant in popular network monitoring software. In light of this, we want to underscore how seriously we have always taken our security processes, and how we cultivate a culture based on a foundation of sound security protocols.
We strive to be good stewards of our customers’ data and take great pains to ensure we are always on the bleeding edge of security best practices. A chain is only as strong as its weakest link, which is why we integrate secure processes into the development and deployment of GroundWork, and immediately respond to feedback and suggestions from customers. In this post we outline 7 ways in which our security policies manifest within the platform and our company culture.
1. Independent Docker Containers
We chose to develop GroundWork 8 on Linux with Docker containers because it gives us the ability to isolate the application from the operating system, and more easily protect the data we gather from outside actors. Linux is also more capable of being run securely than other operating systems. It’s not invulnerable, but the native security capabilities are much stronger.
Docker also allows us to block access to data. Data is only available to applications on the container network, which we can tightly control by restricting the access points to encrypted channels.
2. Reduced Superuser Privileges
Installing software usually requires privileged access, called root access or superuser access on Linux. To reduce the number of users with root access, we removed the requirement for root access when installing or managing GroundWork software components. Root access is only needed to install Docker. All other functions can be accomplished with a more limited account, which makes compromising the system much more difficult.
3. Secure Supply Chain
Most of the supply-chain attacks we have heard so much about lately were caused by poorly executed internal processes. At GroundWork we combat this by creating a shared culture of accountability and implementing extensive protocols that make compromises easier to detect. Because we use open source components, there are a lot more eyes making sure that there are far fewer vulnerabilities in our code.
We also scan all of our containers for known vulnerabilities, patch them when necessary, or code around the vulnerability if it can’t be patched. Our rapid release cycles mean we can put out patched versions of specific individual containers quickly, and our scripted upgrades make it easy to keep GroundWork patched to the latest version.
4. Secure Delivery
When you receive a version of GroundWork from us to install, that version is automatically packaged and verified coherent, meaning it is what we think it is. We then generate a signature that you can validate when you download it. One of the benefits of being a monitoring company is that we know right away if the signature or the package is changed when it shouldn’t be. We also double check each package automatically before we start the install or upgrade process. The goal is to make sure we are delivering only and exactly what we intend to deliver.
5. API Token Control
Access to GroundWork’s API is secured by tokens. API access covers both Read/Write and Read Only uses, and if you need to regenerate an access token, you can do so manually or automatically using the master cypher. All GroundWork services use unique tokens with the same master cypher, so you can change inter-process encryption with a single update.
6. Directory Authentication
GroundWork allows you to set up robust directory authentication without complicated configuration or additional modules. User access is secured through integrations with secure directory services such as Active Directory or LDAP/S, and if a directory is compromised, user ID and password authentication is available as a fall-back.
7. Role Based Access Control
Authorization within GroundWork is based on roles, which control access to the various sections of the application, as well as groups of monitored infrastructure. Roles can be mapped to directory containers, allowing you to seamlessly assign roles in your directory. Access to specific features, links, and monitored resources can also be mapped to roles, making user management simple and effective.
Trust your monitoring to GroundWork
Security is a shared challenge. It’s up to everyone to make sure that they play their part to ensure protocols are followed and each link of the chain is maintained. We believe this means putting our customers’ interests first, proactively addressing exploits, and responding quickly to potential vulnerabilities. By working in collaboration with our customers, we have built a shared culture of security that helps us all remain accountable and as safe and secure as we can reasonably be.
