Build.one has a capability called Secureable in its portfolio. Secureable is an API-based application. All features of the Secureable application are built using these APIs, which are also available to application developers and integrators so that their own applications can consume Secureable services.
Secureable is built to do the heavy lifting when it comes to the complexity of integrating with multiple external authentication services, secrets and token management, encryption and decryption of data, and more.
A key feature of Secureable is issuing and managing tokens for authenticated user sessions. These tokens can be used as a global “session token” across multiple components of modern applications, allowing a user to log in to all parts of an application through a single point of access.
The API-based application and container-based deployment model make it easy to use Secureable with multiple applications. Secureable can either be used as a built-in component of one application, or implemented as a central security service used by multiple applications, centralizing the setup, access and management of key security features for a business.
AUTHENTICATION
Secureable is built to provide seamless integration with multiple authentication backends. Secureable can authenticate a user in a number of ways, such as username and password, Active Directory, MS Azure/Office 365 and OIDC.
A Secureable user can be associated with more than one authentication account.
A user’s “identity” and credentials are used when logging into Secureable. Secureable then handles the backend authentication to validate the user, checks the user’s permissions, group and policy membership after which a session token is issued to indicate the user is successfully authenticated.
Tokens can be used as a global session identifier across multiple applications and can be used by applications to access further features in Secureable.
OPENEDGE PASOE INTEGRATION
Secureable works with OpenEdge PASOE (application server) to provide a single point of configuration for authenticating and authorizing access to applications. OpenEdge PASOE uses Secureable as an OAuth2 authentication source, through which all of the other configured authentication sources are then available.
For Progress OpenEdge application developers working with PASOE, the integration support makes it easy to secure PASOE applications without the need to build and maintain features like user tables, group and policy memberships, access control lists, custom integration points, and account management. These are key features for every application, but not core competencies for most application developers.
Authenticated user session tokens can be used by the backend applications to access additional features in Secureable such as policies, ACLs, secrets and tokens, encryption of data and password generation.
Templates for PASOE configuration files can also be stored in Secureable. This makes it possible to manage pre-defined configurations for different types of setups or versions of the application. Templates can easily be retrieved from Secureable with an authenticated API call, making it possible to automate the retrieval and use of these files.
SECURE SECRET STORAGE
Arbitrary key/value secrets can be stored in Secureable. These are encrypted before being written to persistent storage, so gaining access to the raw storage isn’t enough to read your secrets. They can only be accessed after an authenticated login.
Secrets can be any form of sensitive information, such as API keys, passwords, certificates, SSL keys, encryption keys, etc.
Secrets are created and managed in a “tree of secrets” with policies and permissions applied to them, allowing for the management of access to secrets by individual users or groups of users.
TWO FACTOR AUTHENTICATION
All authentication services supported by Secureable can also be enabled with 2FA (Two Factor Authentication). Users can use authenticator apps such as Google Authenticator to generate codes to use in addition to their normal credentials.
This provides an extra layer of security to configured authentication services even if these do not support 2FA themselves.
DYNAMIC SECRETS
Secureable can generate secrets on demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it makes an API call to Secureable for credentials, and Secureable will generate an AWS keypair with valid permissions (single- or multiple-use) on demand. After creating these dynamic secrets, Secureable will also automatically revoke them once the lease is up.
Using dynamic credentials, there is no need to give any users “root” access to external systems that support this. Generated credentials can also differ based on user policies and are only generated when needed, so there is no need to store copies of them anywhere once they have been used.
ENCRYPTION
Secureable can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
LEASING AND RENEWAL
All secrets in Secureable have a lease associated with them. At the end of the lease, Secureable will automatically revoke that secret. Clients are able to renew leases via the built-in renew APIs.
REVOCATION
Secureable has built-in support for secret revocation. Secureable can revoke not only single secrets but a whole tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
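The dynamic-secrets, leasing and revocation behaviour described in the three sections above, modelled as an added illustration: an in-memory lease store that issues a secret with a TTL, lets a client renew it, treats expired leases as revoked, and revokes a whole subtree (by path prefix and/or by owner). This is example code written for this page, not Secureable's API; the class names, the `clock` parameter and the sample paths are constructed assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Lease:
    """A secret value bound to a path in the tree of secrets, its requester and an expiry."""
    path: str          # constructed example paths, e.g. "aws/s3/key1" or "sql/prod/creds"
    value: str
    owner: str         # the user or application the secret was issued to
    expires_at: float  # absolute time; the lease is dead once the clock passes it
    revoked: bool = False


class LeaseStore:
    """Illustrative lease-based secret store (constructed model, not Secureable's own code)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._leases: Dict[str, Lease] = {}

    def issue(self, path: str, owner: str, value: str, ttl: float) -> Lease:
        """Create a dynamic secret at `path` that lives for `ttl` seconds."""
        lease = Lease(path, value, owner, self._clock() + ttl)
        self._leases[path] = lease
        return lease

    def read(self, path: str) -> Optional[str]:
        """Return the secret, or None if it is unknown, revoked or past its lease."""
        lease = self._leases.get(path)
        if lease is None or lease.revoked or self._clock() >= lease.expires_at:
            return None
        return lease.value

    def renew(self, path: str, ttl: float) -> bool:
        """Extend a live lease; a revoked or already-expired lease cannot be renewed."""
        if self.read(path) is None:
            return False
        self._leases[path].expires_at = self._clock() + ttl
        return True

    def revoke_tree(self, prefix: str = "", owner: Optional[str] = None) -> int:
        """Revoke every not-yet-revoked lease under `prefix` and/or held by `owner`."""
        count = 0
        for lease in self._leases.values():
            if lease.revoked or not lease.path.startswith(prefix):
                continue
            if owner is not None and lease.owner != owner:
                continue
            lease.revoked = True
            count += 1
        return count
```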
SDKS
We have built an Angular SDK for web applications to work with Secureable. For OpenEdge systems, using Secureable is as simple as calling the SDK methods. The authentication methods return a Client Principal with user metadata to use as the developer wishes.
APPLICATION ROLES
Secureable supports the ability for applications to request credentials to log in to Secureable and obtain a token that can subsequently be used to access features such as OIDC tokens and Dynamic Secrets, which can in turn be used to access other external systems.
An example of this could be an OpenEdge PASOE application server that requests single-use credentials from Secureable to log on and perform an action on an AWS system. The only information required by the application server is the application role id and the Secureable endpoint to communicate with. Secureable validates the calling application (e.g. by the id and the IP address) and, in a highly secure workflow, sends the required credentials to the caller on a pre-defined callback endpoint. The generated credentials have very limited access in Secureable and can only be used for selected features. In this way, applications can gain secure access to external resources without storing sensitive credentials anywhere.
SINGLE SIGN-ON (SSO)
On systems that use an Active Directory network, Secureable also supports Kerberos and SSO for Windows and Linux clients.
With this configured, once logged into one application, users will be automatically logged into other applications that support this mechanism.
Contact nodeable Sales - sales@nodeable.io - for more details and to be kept up to date on product availability
We would love to give you a demo and explain how Secureable can make your application safer to set up and use.
Want to know more about Secureable?