CMS Security

“Security through obscurity is not much security at all.”

Popular paraphasing of American locksmith Alfred Charles Hobbs in 1851, who easily picked the Crystal Palace locks during a London exhibition that year. We fully agree, which is why our blueprints for our Oracle Cloud Infrastructure (OCI) automation engine are available on GitHub.

Passwordless RBAC model, peppered with orthrus OTP sudo challenges.

No fixed passwords stored on servers, not even in crypt form. This limits headless automation of sudo usage, for good reason. However, we have tooling to eliminate the toil of responding to prompts of various kinds.

Sandboxed execution for builds and CGI scripts.

We deploy “shared-nothing” zone builds, defaulting to zero network availability. This means the only things a customer build can access or modify are their own assets, not those any other customer, or any other system paths on the zone itself (besides /tmp). Furthermore, only Enterprise customers have internet access during their builds, because they are using their own unique Solaris zones that can be tailored exactly to their build requirements.

Ditto for CGI scripts, which are fully locked down in terms of write access to anything other than /tmp.

Zero Trust aspects.

The basic premise of zero trust architecture is to avoid designing your network security around the physiology of clam: hard on the outside, but soft and loose once you are in. So we don’t do that; every meaningful privileged network port inside the various Point of Presence (POP) LANs is only exposed to the bare-metal machine’s loopback device interface lo0, and is only meaningful in the context of a (reverse) port forwarded SSH connection to it.

This infra is fully automated once a region is brought online, but that’s all we can share publicly about the architecture (balancing Hobbsian transparency with the military mantra “loose lips sink ships” is more art than science). Rest assured — beyond breaking the antispoofing lo0 protection within Solaris 11’s (BSD) packet filter itself, there is no meaningful means of gaining access to these services, even for customer accounts.

Even if the master OCI control account is compromised, the confidentiality and integrity of all customer assets remains inviolate. All a black-hat can do is make a mess with customer website availability. In particular, they cannot access the Subversion service data records. We can reconstruct the entire OCI infrastructure from scratch in 48-72 hours once the bad apple’s OCI access has been terminated.