Cross Connect

Trust Anchors In Modern Systems; Don’t Overlook The Bottom Turtle
This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.
Embarrassingly easy private certificate management for VMs on AWS, GCP, and Azure
step and step-ca (v0.11.0) add support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.
Great Minds Really Do Think Alike! No really, they do!
I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts. The third edition of the Modern Security for Leaders series.
Step v0.8.3: Federation and Root Rotation for step Certificates
The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between Kubernetes clusters). In this post, we’ll take a closer look at how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.
Everything you should know about certificates and PKI but are too afraid to ask
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who’ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It’s universal and vendor-neutral yet poorly documented. This is the missing manual.
The case for using TLS everywhere

By: Mike Malone

This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.
Step: A New Zero Trust Swiss Army Knife from Smallstep
A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity.