Security

We utilize multiple strategies at various layers of the software & hardware stack to ensure a highly-secure operating environment.

• Nitro Enclaves: Use confidential compute to protect secrets at runtime & attest to the actual code running on the server.

• MPC: Use distributed key generation and signing so sensitive keys never live in one place and no single point of failure.

• Digital Signatures: All sensitive data and requests are signed to guarantee authenticity and provide non-repudiation of requests.

• Encryption: Data is encrypted at rest & transit, decrypted within Enclaves.

• Automation: Infrastructure is fully automated with Terraform, deployments are fully managed in CI/CD using GitOps methodology.

Policy Engine

Risks

If policy or data sets are altered, malicious access could be granted.

Mitigation

• Policy & data sets are signed. The auth engine verifies integrity before processing.

• Data, signature, and verifying public key are hosted separately.

If the policy engine logic is altered, policy rules can be bypassed.

Mitigation

• Build policy logic around Rego, a declarative policy-as-code language.

• Audit & open-source the Policy Engine [coming soon]

• Run the Policy Engine in Nitro Enclaves, attesting the software running.

If the keys used to sign the evaluation decision are compromised, tokens can be forged

Mitigation

• Use MPC TSS (threshold signing) to sign access tokens.

• Run the Policy Engine as part of a 3/3 MPC signing scheme. All 3 engine nodes must evaluate the same decision in order to complete the signature. Keyshares are generated and stored encrypted within the enclaves.

A compromised access token can be used by a malicious party

Mitigation

• Access tokens are client-bound, referencing the client's credential.

• All HTTP requests are signed by the client, proving authenticity & non-repudiation of the request.