AsterionDB Briefs CISA on the AsterionDB Zero-Trust Platform
AsterionDB received the honor and opportunity to demonstrate the AsterionDB Zero-Trust Software Development Platform to the U.S. Cybersecurity & Infrastructure Security Agency on February 9th, 2023.
During the presentation we gave an overview of how we implement key Zero-Trust goals such as:
- Granular Security
- Security-by-Design
- Security-by-Default
We also provided a live demonstration where we showed how we can apply granular security when accessing unstructured data. Here is a practice video we recorded prior to the presentation. Watch and see how we do it!
AsterionDB’s Zero-Trust Alignment
Topics for Further Discussion
Security
NoFS (No File System)
The NoFS (No File System) initiative lies at the heart of the AsterionDB Zero-Trust Strategy. The legacy file system is the Achilles' heel of computer software design; it was never designed for security. We believe that it is time for the legacy file system to be replaced. AsterionDB turns the Oracle Database into a virtual file system. This makes AsterionDB a platform with capabilities that are naturally aligned with the overall goals of the Zero-Trust architecture.
We move all user assets out of the file system and eliminate the reliance on static file names. This simple shift makes it impossible to search for content through the file system in advance of being granted access. This capability thwarts Ransomware and lateral discovery of file assets by hackers.
Single Point API
AsterionDB’s open-source project, DbTwig, is a middle-tier adapter that implements a single-point API. This condenses complex API signatures down to a single function call. We take advantage of the database’s built-in JSON capabilities to decompose the interface between the middle-tier and the data-layer to a function that takes and returns a JSON string.
This prevents discovery and probing of the API by intruders that connect from the middle-tier to the data-layer. Any attempt to probe the API sets off alarms, which helps shorten the window between intrusion and detection.
Schema Visibility & Security
Working in conjunction with our Single Point API, we limit schema visibility to a minimum. This prevents intruders from discovering schema elements such as stored logic, tables, views, indexes, triggers and so forth.
AsterionDB’s production implementation utilizes a proxy-user that can only see the Single-Point API, while the owner of the schema objects is not allowed to create a connection to the database. This orientation allows us to take a minimalist approach to provisioning and to secure the entire database environment with the DBA username and password only. Application updates are accomplished by connecting to the database as a DBA during audited, windowed maintenance events.
Granular Security
By pushing all data and logic down to the data-layer and using our Single-Point API, we are able to ensure that there is no pathway to the data without going through the logic. This is the very essence of granular security.
We are able to implement logic to express any level of security required on an individual item basis. Furthermore, the DbTwig middle-tier adapter enforces a check of credentials before any API entry point is executed. This is one of the ways we are Secure-by-Design.
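The following is an added illustration of the Single-Point API, proxy-user and credential-check pattern described above, written as Oracle PL/SQL; it is not DbTwig's own code. The account names (app_owner, mt_proxy), the table sessions, the function single_point_api, the JSON keys sessionToken and serviceName, and the users tablespace are all assumptions made for the example.

```sql
-- Added illustration, not AsterionDB/DbTwig code. Run as a DBA during a
-- maintenance window. All names below are hypothetical.

-- Schema owner: holds data and logic but is granted no CREATE SESSION,
-- so the account cannot be used to log in at all.
CREATE USER app_owner IDENTIFIED BY "<owner-password-placeholder>"
  QUOTA UNLIMITED ON users;

-- Proxy account used by the middle-tier: may connect, owns nothing.
CREATE USER mt_proxy IDENTIFIED BY "<proxy-password-placeholder>";
GRANT CREATE SESSION TO mt_proxy;

-- Session store consulted before any service logic runs (hypothetical).
CREATE TABLE app_owner.sessions (
  token      VARCHAR2(64) PRIMARY KEY,
  user_name  VARCHAR2(64) NOT NULL,
  expires_at TIMESTAMP    NOT NULL);

-- The single entry point: one CLOB of JSON in, one CLOB of JSON out.
-- AUTHID DEFINER means it runs with app_owner's rights, so the caller
-- never needs (or gets) privileges on the underlying tables.
CREATE OR REPLACE FUNCTION app_owner.single_point_api(p_request CLOB)
RETURN CLOB AUTHID DEFINER IS
  l_req  JSON_OBJECT_T := JSON_OBJECT_T.parse(p_request);
  l_res  JSON_OBJECT_T := JSON_OBJECT_T();
  l_user VARCHAR2(64);
BEGIN
  -- Credential check first: an unknown or expired token never reaches
  -- the dispatch below, regardless of which service was requested.
  SELECT user_name INTO l_user
    FROM app_owner.sessions
   WHERE token = l_req.get_string('sessionToken')
     AND expires_at > SYSTIMESTAMP;

  CASE l_req.get_string('serviceName')
    WHEN 'ping' THEN
      l_res.put('user', l_user);
      l_res.put('status', 'ok');
    ELSE
      -- Unknown service names are a probing signal worth auditing.
      l_res.put('status', 'unknown service');
  END CASE;
  RETURN l_res.to_clob();
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    l_res.put('status', 'not authorized');   -- reveal nothing further
    RETURN l_res.to_clob();
END;
/

-- The only object mt_proxy can see or execute in the schema.
GRANT EXECUTE ON app_owner.single_point_api TO mt_proxy;
```

Connected as mt_proxy, `SELECT app_owner.single_point_api('{"sessionToken":"x","serviceName":"ping"}') FROM dual` is the entire reachable surface; querying app_owner.sessions directly fails because no privilege on it was ever granted.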
Apparatus Security
By limiting the role of middle-tier devices to being an elastic, security isolation and protocol transformation layer, our apparatus is more easily secured and audited. In addition, the lack of data and business logic resources in the middle-tier leaves nothing for an intruder to take advantage of.
AsterionDB can also act as a source-of-truth and single-point for securing and serving logic executed by the middle-tier.
Operations
Backup & Disaster Recovery
With all data and business logic in the database, backup and restore operations as well as disaster recovery procedures are greatly simplified. An added benefit is that the database operates the same on premises, in the cloud and at the edge. This allows systems to be migrated between deployment models by merely backing up and restoring the database.
Scaling & Load Balancing
AsterionDB scales along four dimensions:
- The power of the database (i.e. OCPU count)
- The size of the database
- The capabilities and number of middle-tier compute nodes
- The network bandwidth allocated and number of load balancers
Consolidation, Convergence & Efficiency
AsterionDB’s consolidated and converged approach to system architecture is naturally efficient and cost effective. By increasing database storage to accommodate unstructured data, we allow multiple operational processes to be dovetailed into a unified procedure that manages data and logic as a whole.
A less obvious benefit is that, in the AsterionDB paradigm, data does not move as a result of workflow state changes and similar events.
Taken altogether, AsterionDB’s consolidated and converged approach decreases:
- Hardware resources
- Person-hours for development, operations and maintenance
- Energy, HVAC & physical space requirements
- Network bandwidth
DevOps
Simplified Audit & Compliance
AsterionDB’s converged approach simplifies audit and compliance tasks by centralizing data and business logic. This makes it easy to verify data access pathways and credential requirements. Furthermore, our tight integration to the Oracle database makes features such as Data Labeling and Data Loss Prevention easily available to unstructured data.
Unified Data Fabric
In line with our NoFS initiative, AsterionDB is designed to be a more robust, capable and secure environment for sharing unstructured data among applications. AsterionDB has built-in capabilities such as multi-user support, asset sharing, and discovery that make it easy for applications to share data.
Simplified Deployment & Update
AsterionDB has the same deployment model in the cloud, on premises and at the edge. The database provides a majority of the infrastructure for AsterionDB and all requirements are easily fulfilled using standard software repositories. We utilize an Oracle Marketplace image that makes it easy to spin up compute nodes in a cookie-cutter fashion.
Data-Layer Business Logic
Expressing all business logic at the data-layer is a core capability of AsterionDB and key to our Zero-Trust Platform. This is what allows us to turn the middle-tier into a protocol transformation layer.
Presently, PL/SQL is the only language that allows for this approach although other languages can be incorporated in the future.
By placing all of the business logic in the database, we can ensure that there is no pathway to the data without going through the logic. This is essential to achieving granular security.
Extended Data-Layer Logical Capabilities
AsterionDB has the ability, through an integrated Plugin Server, to interface to external logic. This essentially allows us to make the database smarter, and a smarter database is obviously a more capable database. Extended logical capabilities include things such as:
- Metadata extraction
- AI/ML integration
- External device control
- Operational technology control
- Integration to foreign services
Use Cases
Horizontal Platform
AsterionDB is a horizontal software development platform. Unstructured data is pervasive throughout the software universe. It is growing at astronomical rates and is the favorite target of hackers and ransomware. AsterionDB can be used across all market segments and industry verticals.
AI/ML, Big Data, Cloud Migration, Device & Infrastructure Control
AsterionDB has been designed as an open integration platform that makes it easy to integrate foreign technologies into our Zero-Trust Platform. We can demonstrate the ability to trigger AI/ML processes, using Python, with all resources being stored and secured by AsterionDB.
AsterionDB utilizes Object Storage in a unique way that can be directly leveraged in Big Data environments. We put Object Storage behind the database and use it to provide hot, cold, frozen and deep-freeze data storage tiers.
For cloud migration projects, doing the work to transition file-based data into AsterionDB makes the process of lifting and shifting to the cloud as simple as a database backup.
Leveraging AsterionDB’s extended logical capabilities, we can directly control the infrastructure around applications, external devices and complex machinery such as plasma cutters, CNC machines and robots.
Retrofit Existing Applications
Migrating legacy applications to a modern Zero-Trust posture is a challenge. This is largely driven by the fact that most Zero-Trust solutions have a cloud-native approach, focused on the network and perimeter, which is difficult for legacy applications to adapt to.
In contrast, AsterionDB looks and feels much like the legacy file system that existing applications largely rely upon. Migrating from the file-system to AsterionDB enables Zero-Trust at the data-layer.