Zero Trust Architecture (ZTA) within LEXIS

23.Jun.2021

Frédéric Donnat, Cloud Technical Architect

Full-Stack Security

To ensure Outpost24 stays at the forefront of cybersecurity technology we conduct regular research into new innovations, and LEXIS High Performance Computing (HPC) is one of them. Outpost24 was instrumental in contributing and providing the “Security-By-Design” and “Zero-Trust” principles to creating the secure LEXIS Cloud-HPC-Big Data platform, and in this blog we explore the zero-trust fundamentals for which the LEXIS portal has been designed.

LEXIS (Large-Scale Execution for Industry & Society) is a consortium of 16 companies across supercomputing centers, research institutes, and universities to cover the spectrum of scientific and technological innovation. LEXIS combines this industry-leading expertise to deliver its platform project, across a range of complex technologies and European countries, including large industry, flagship HPC centers, industrial and scientific users, technology providers, and SMEs. From this combined expertise the LEXIS portal was born.

The Classical Approach to Security

Lots of companies rely mostly on perimeter-based network security, building their network as a castle with defenses on the perimeter. However, this approach is not made to cope with current ways of working and network complexity, if they involve, for example, remote connectivity or interfacing to cloud services. Such situations require opening access to internal resources/assets, and sooner or later are likely to allow an attacker to breach the perimeter and move on laterally to find an opening and steal critical information and data.

In the LEXIS project which goes one step further, we actively run with the problem sketched above: The build-up of the LEXIS Cloud-HPC-Big Data platform has been accompanied by the development of a security concept following the “Security-By-Design” and “Zero-Trust” principles. A secure Zero-Trust Architecture (ZTA) has been implemented. This has an immediate impact on LEXIS data, compute, orchestration, portal and billing services, and also on the unified Identity and Access Management (IAM) solution within LEXIS. This solution, based on the Open-Source product “Keycloak”, is the most important component of the platform’s Authorization and Authentication Infrastructure (LEXIS AAI). It allows for authentication based on tokens (following, e.g., the OpenID Connect standard).

ZTA concept and implementation in LEXIS services

The main idea of a Zero-Trust concept is to protect assets by minimizing access possibilities and by enforcing authentication and authorization for each access request. To give an easy example, services do not trust any other service or information source except the LEXIS AAI to check authorization for actual access. Instead, all services verify the identity and permissions, talking to the IAM system with what they know about the user. Below, we focus on our unified, federated IAM/AAI solution and its relationships with the main LEXIS components, to showcase LEXIS as an example of how a Zero-Trust architecture can be implemented.

The diagram below illustrates these relationships. It indicates that all components such as LEXIS DDI, LEXIS Orchestration Infrastructure are communicating with the LEXIS AAI to:

Validate every access token (received, e.g., from another component) which contains the identity asking to act on or access a resource
Check the component-specific permissions of such an identity
Pass an access token to any other component they need to interact with

The solution has been fine-tuned to allow any component to only retrieve directly relevant access permissions for an identity. As a concrete example, the LEXIS compute component checks the validity of an access token received through the API call (using an API call for token introspection), then it interacts with LEXIS AAI to request a specific access token for itself and information on compute access permissions for the identity in question (using an API call for getting user info).

A sound security architecture within LEXIS, beyond ZTA

The LEXIS AAI with its IAM system deployment was designed as a unified component handling authorization and authorization in LEXIS, avoiding a fragile architecture with many small IAM solutions synchronizing with each other. With a federated cross-data center deployment of Keycloak, a single point of failure is avoided. The LEXIS security architecture is not only focused on reliability and the zero-trust principle, but also implements further relevant good practices, such as limiting authorizations to a viable minimum (principle of least privilege), and proper firewalling and monitoring of network and service components.

Further information about Zero-Trust Architecture:

We are proud to share our knowledge of creating the LEXIS AAI and IAM system to maximize the Zero Trust coverage for LEXIS, to benefit the secure development of the LEXIS consortium’s offering, and protecting its user base. The LEXIS group of companies along with Outpost24 are aware of the increased threats from cyber-attacks in frequency, sophistication, and cost therefore applying a ZTA will secure its long-term cybersecurity posture. This is of paramount importance to the LEXIS consortium in stemming the threat of evolving cyber threats and protecting the LEXIS platform as it’s offering expands and grows. Due to the complex infrastructure of LEXIS, they looked to Outpost24 experts to implement ZTA and securing it from unauthorized cybercriminals and any hackers looking to move laterally through the network. A Zero Trust Architecture is now at the core of the LEXIS platform and supports their cybersecurity strategy, combining identify, access, and authentication to increase the visibility of user activity and ultimately reduces the threat surface and potential threat of data exfiltration.