Details of Security in CyberCNS

Agent security

  • SQLite is used as the database in the CyberCNS agent only for the probe. Lightweight agents and one-time scans have no database.

  • In the probe database, the following fields are saved:

    Field         Storage
    Username      Plain text
    HostName      Plain text
    IP address    Encrypted with company-specific key
    Domain Name   Plain text
    Password      Encrypted with company-specific key

  • The agent database is protected with a secure password that is unique per agent.
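The probe field layout above, as an added example that is not CyberCNS's own code: a SQLite table in which Username, HostName and Domain Name stay in plain text while IP address and Password are stored only under a company-specific key, and a read with another company's key is rejected rather than returning garbage. The master secret, company ids and credential values are constructed; the company key is derived from the master secret with HMAC (an HKDF-style step), and the HMAC-based encrypt-then-MAC construction stands in for the AEAD (for example AES-GCM) a production build would use. Python's stdlib sqlite3 has no file-level password, so the per-agent database password from the last bullet is not shown here.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample master secret; in a deployment this lives in a vault, never in code.
MASTER_SECRET = b"constructed-master-secret-for-demo-only"


def company_key(master: bytes, company_id: str) -> bytes:
    """Derive the company-specific key from the master secret (HMAC-based KDF step)."""
    return hmac.new(master, b"company-key|" + company_id.encode(), hashlib.sha256).digest()


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys so the two uses never share a key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC one field; the stored blob is nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a wrong company key or a modified row fails here."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))).decode()


SCHEMA = """
CREATE TABLE probe_credentials (
    username    TEXT,   -- plain text
    hostname    TEXT,   -- plain text
    ip_address  BLOB,   -- encrypted with company-specific key
    domain_name TEXT,   -- plain text
    password    BLOB    -- encrypted with company-specific key
)
"""

SELECT_ROW = ("SELECT username, hostname, ip_address, domain_name, password "
              "FROM probe_credentials WHERE username = ?")


def store_credential(conn, key, username, hostname, ip_address, domain_name, password):
    """Write one probe credential; only the two sensitive fields go through encrypt_field."""
    conn.execute(
        "INSERT INTO probe_credentials VALUES (?, ?, ?, ?, ?)",
        (username, hostname, encrypt_field(key, ip_address), domain_name, encrypt_field(key, password)),
    )


def load_credential(conn, key, username):
    """Read a row back with the owning company's key, decrypting the protected fields."""
    row = conn.execute(SELECT_ROW, (username,)).fetchone()
    return {
        "username": row[0],
        "hostname": row[1],
        "ip_address": decrypt_field(key, row[2]),
        "domain_name": row[3],
        "password": decrypt_field(key, row[4]),
    }


def raw_row(conn, username):
    """What someone holding the database file, but no key, actually sees."""
    return conn.execute(SELECT_ROW, (username,)).fetchone()


def cross_tenant_read_fails(conn, other_key, username) -> bool:
    """True when a different company's key cannot open the protected fields."""
    row = conn.execute(SELECT_ROW, (username,)).fetchone()
    try:
        decrypt_field(other_key, row[4])
        return False
    except ValueError:
        return True


def demo():
    """Populate an in-memory probe database with one constructed credential row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    key_a = company_key(MASTER_SECRET, "company-a")
    store_credential(conn, key_a, "svc_probe", "dc01", "10.0.0.5", "corp.example", "constructed-pw")
    return conn, key_a
```

The design point is that the plaintext columns remain queryable (hostname, domain) while the two secrets are opaque blobs whose tag binds them to the company key, so a row copied into another tenant's database, or a row edited on disk, fails authentication instead of decrypting to wrong data.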

Cloud security

Database and user login information is isolated per partner.

CyberCNS uses OpenSearch as its database and Keycloak as its authenticator. Each partner is created as a tenant inside OpenSearch and a realm inside Keycloak.

These are tied together, which also provides complete data isolation. The credentials used to access the tenant and the realm are unique per partner and are stored encrypted in a vault.

This architecture gives the user two-level tenant data isolation.
All secret keys are encrypted before they are saved. The encryption key is different per company.

Below are the keys that are encrypted.

Agent credentials:

  • Password

Integrations (the set of keys differs per integration model supported):

  • Password

  • APIKey

  • SSH PrivKey

  • Secret key

Every agent has an OAuth client key, and this key can query only the specific APIs needed for agent operation.

API Layer Protection

  • API keys mimic the user that the key is generated for: a key carries the identity and permissions of that user and nothing more.

Client authentication

When a confidential OIDC client needs to send a backchannel request (for example, to exchange code for the token, or to refresh the token) it needs to authenticate against the Keycloak server. By default, there are three ways to authenticate the client: client ID and client secret, client authentication with signed JWT, or client authentication with signed JWT using client secret.

Client ID and Client Secret

This is the traditional method described in the OAuth2 specification. The client has a secret, which needs to be known to both the adapter (application) and the Keycloak server.

    "credentials": {
        "secret": "19666a4f-32dd-4049-b082-684c74115f28"
    }

Client authentication with Signed JWT

This is based on the RFC 7523 specification.
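The backchannel client authentication described above, as an added example that is not Keycloak's or CyberCNS's code: the client mints a short-lived JWT client assertion and sends it instead of the raw secret, and the server side verifies signature, issuer, audience, expiry and one-time `jti` before honouring the code-for-token request. It uses the "signed JWT using client secret" variant (HS256 keyed with the client secret) because that is implementable with the standard library alone; the RFC 7523 claim set and the `client_assertion_type` value are from the RFC, while the client id `example-client`, the realm URL `https://keycloak.example/realms/partner-a/...` and the authorization code are constructed. The sample secret is the one shown in the configuration fragment above.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assertion type registered by RFC 7523 for JWT-based client authentication.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """Client side: mint an HS256 JWT proving possession of the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,          # RFC 7523: the issuer is the client itself
        "sub": client_id,          # the subject is the client_id
        "aud": token_endpoint,     # audience: the authorization server's token endpoint
        "jti": str(uuid.uuid4()),  # unique id so the server can reject replays
        "iat": now,
        "exp": now + lifetime,     # keep assertions short-lived
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request_body(code, redirect_uri, assertion):
    """Form fields of the backchannel code-for-token request; no client_secret is sent."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
    }


def verify_client_assertion(assertion, client_id, client_secret, token_endpoint, seen_jtis, now=None):
    """Server side: the checks an authorization server performs before trusting the client."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not pick 'none' or another algorithm
    expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(s), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("issuer/subject mismatch")
    if claims.get("aud") != token_endpoint:
        raise ValueError("audience mismatch")  # an assertion minted for another server is useless here
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    if claims.get("jti") in seen_jtis:
        raise ValueError("replayed assertion")
    seen_jtis.add(claims["jti"])
    return claims


def rejection_reason(**kwargs) -> str:
    """Run verify_client_assertion and return the rejection message, or '' if accepted."""
    try:
        verify_client_assertion(**kwargs)
        return ""
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed values; the secret is the one from the configuration fragment above.
    secret = "19666a4f-32dd-4049-b082-684c74115f28"
    endpoint = "https://keycloak.example/realms/partner-a/protocol/openid-connect/token"
    assertion = build_client_assertion("example-client", secret, endpoint)
    print(json.dumps(token_request_body("constructed-code", "https://app.example/cb", assertion), indent=2))
    print(verify_client_assertion(assertion, "example-client", secret, endpoint, set()))
```

The audience check is what stops an assertion captured from one realm's token endpoint being presented to another, and the `jti` cache is what makes a captured assertion single-use within its short lifetime; both are cheap and both matter more than the choice of HS256 versus an asymmetric key.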