December 11, 2018
At smallstep we've been focused, lately, on building technology that makes it easier for you to access your stuff. As things stand today, access is really hard. It's really hard for developers to access internal services in production and pre-production environments (e.g., to debug using curl). It's really hard for your stuff running in AWS to access your stuff running in GCP and vice-versa. It's really hard for employees to access enterprise IT applications from their iPhones while they're on the bus heading into work. Supporting these use cases, and dozens more like them, is so hard that it's often not done. Access that would make people more productive, make systems better, reduce costs, improve performance, and generally improve software and employee well-being is simply denied. That sucks.
December 11, 2018
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who've avoided this particular rabbit hole. Personally, I avoided it for a long time and felt some shame for not knowing more. The obvious result was a vicious cycle: I was too embarrassed to ask questions so I never learned.
Eventually I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It's universal and vendor neutral. It works everywhere, so bits of your system can run anywhere and communicate securely. It's conceptually simple and super flexible. It lets you use TLS and ditch VPNs: with a certificate on each end, every connection is mutually authenticated and encrypted, so you can stop trusting the network and still have strong security guarantees. It's pretty great.
November 20, 2018
This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for traffic coming from the public internet to your website and APIs, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs.
I suspect this recommendation will elicit a range of reactions from apathy to animosity. Regardless, please read on. Using TLS everywhere has a wide range of benefits. Perhaps surprisingly, some of the most compelling benefits have nothing to do with security.
August 7, 2018
The way most software systems are secured today is fundamentally flawed. They rely on “perimeter” security: a firewall guarding access to a protected network. Inside the perimeter traffic is mostly trusted. This paradigm relies on assumptions that nobody actually believes are true: that people are never careless or dishonest and never make mistakes. One slip-up that lets an attacker inside the perimeter and it’s game over.
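The three excerpts above make one argument from three angles: certificates let you define a system cryptographically, TLS belongs on every internal hop, and network position should buy an attacker nothing. Here is that argument as a runnable Go program. It is an added example, not code from the smallstep blog or from step-ca: an in-process private CA issues a certificate to a server and to a client, the server requires a client certificate chaining to that CA, and three callers try their luck. The names (Example Internal CA, payments.internal, billing-worker, Rogue CA), the loopback address and the one-hour lifetime are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // aborts the demo on setup failures (key generation, minting)
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity mints a key pair and certificate for name: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent. sans are a server's DNS names.
func newIdentity(name string, parent *tls.Certificate, sans ...string) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: name}, // assumed demo names, not real hosts
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived: expiry, not a revocation list, ends access
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve listens on loopback, requires a client certificate chaining to trusted,
// and answers each verified client with the CommonName from its certificate.
func serve(srv *tls.Certificate, trusted *x509.CertPool) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*srv},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid cert, no service
		ClientCAs:    trusted,
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // a rejected peer never gets past the handshake
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln.Addr().String()
}

// call dials addr, verifies the server against trusted, presents client (if any)
// and returns the server's answer; a failed read after the handshake is a rejection too.
func call(addr string, trusted *x509.CertPool, client *tls.Certificate) (string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trusted, ServerName: "payments.internal"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	var who string
	_, err = fmt.Fscanln(conn, &who)
	return who, err
}

// Demo runs three callers: a worker with a cert from the internal CA, a caller with
// no cert, and an impostor whose cert bears the same name but comes from an untrusted CA.
func Demo() (answer string, workerErr, noCertErr, impostorErr error) {
	ca := newIdentity("Example Internal CA", nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	addr := serve(newIdentity("payments.internal", ca, "payments.internal"), trusted)
	answer, workerErr = call(addr, trusted, newIdentity("billing-worker", ca))
	_, noCertErr = call(addr, trusted, nil)
	_, impostorErr = call(addr, trusted, newIdentity("billing-worker", newIdentity("Rogue CA", nil)))
	return
}

func main() { fmt.Println(Demo()) }
```

`go run` prints the worker's answer (`billing-worker`) followed by a nil error and two non-nil ones. Two details are worth noticing. First, the impostor sits on the same loopback "network" as the worker and presents the same name; it is refused purely because its chain does not end at the CA the server trusts, which is what "ignore the network" means in practice. Second, under TLS 1.3 a client's `Dial` can succeed before the server has checked the client certificate, so the refusal only surfaces on the first read; `call` treats that read error as a rejection rather than assuming a completed handshake means access. In a real deployment the minting done here by `newIdentity` would be the job of an online CA such as step-ca, with the same short lifetimes doing the work that revocation lists do badly.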