Security
Hazy’s system is secure by design and integrates as many security focussed features and practices as possible to ensure the secure, safe and reliable running of Hazy’s software within its customers infrastructure.
When Hazy is provided as software (as opposed to the service offering), while Hazy aims to provide the most secure software possible, the actual security of an installation is dependent on its environment and configuration.
This section aims to provide a guide to securing and monitoring Hazy’s software on your systems.
All components of the Hazy platform are designed for secure operation within the most sensitive customer environment. The following topics provide details of how Hazy embeds security processes within its development process and how customers can configure their deployment for maximum safety.
RBAC¶
As Hazy's use cases often involves confidential data, robust access control management is required to ensure only the rightful party can access specific resources. Currently, Hazy supports Role-based access control (RBAC), allowing for fine-grained configuration of different roles for its platform users. See here for setup.
Development and Release Security Procedures¶
All Hazy code is continuously analysed during the development process and as part of the release procedure in order to detect and prevent security vulnerabilities.
-
Dependencies. Hazy automatically checks for known security vulnerabilities in its dependencies as part of the automated release process. Any dependencies with security issues are fixed.
-
Minimal Images. Container images are based off a stripped Ubuntu image. These images contain only the application and the minimal dependencies required to run that application.
Restricting what is in your runtime container to precisely what is necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (for example, CVE) and reduces the burden of establishing provenance to just what you need.
-
Vulnerability Scans. As an automatic part of the container build and release process, all container images are analysed using the Trivy vulnerability scanner.
Any issues are checked for applicability and severity before the image is released to customers.
Container Security¶
Hazy brings a security conscious approach to the supplied docker containers:
-
Requires no external network access
Hazy applications will never attempt to connect to an external service (unless required by the Customer’s installation topology).
-
Read only root
To limit the risk of security breaches, the Hub container can be run with a read-only root filesystem.