3. Taking security
• MuleSoft’s approach to cloud security is two-fold
– MuleSoft actively and consciously avoids inspecting, storing, manipulating, monitoring, or otherwise directly interacting with sensitive customer data
– MuleSoft provides a highly secure environment in which customers can perform sensitive data manipulations
• A dedicated security team follows industry best practices, runs internal security audits and maintains policies that span operations, data security, passwords and credentials, and secure connectivity
4. Identity authentication mechanisms
• User authentication
– Username and password credentials
– Multi-factor authentication
– Token-based credentials
• API and server authentication
– Public/private key cryptography
• User authorization
– Role-based access control (RBAC)
– Attribute-based access control (ABAC)
– OAuth (2.0) delegated access control
• Federated identity management
– Single Sign-on
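The slide lists RBAC and ABAC side by side without showing how the two decisions differ. The following is an added example (not MuleSoft's code or Anypoint's authorization model): a deny-by-default check that uses a role as the coarse permission gate and then evaluates attribute rules over the subject and the resource. The roles, permission strings and attribute names are hypothetical.

```python
"""Added example (not from the MuleSoft deck): a minimal authorization
check contrasting role-based (RBAC) and attribute-based (ABAC) decisions.
All roles, permissions and attribute names are hypothetical."""
from dataclasses import dataclass, field

# RBAC: a role is a fixed bundle of permissions (hypothetical roles).
ROLE_PERMISSIONS = {
    "api-viewer": {"api:read"},
    "api-admin": {"api:read", "api:write", "api:delete"},
}


@dataclass
class Subject:
    user: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # e.g. department, mfa


@dataclass
class Resource:
    name: str
    attributes: dict = field(default_factory=dict)  # e.g. owner, classification


def rbac_allows(subject: Subject, permission: str) -> bool:
    """RBAC: allowed if any of the subject's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def abac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    """ABAC: evaluate policy rules over subject, action and resource attributes.
    The rules are hypothetical; each returns True only when it grants access."""
    rules = [
        # Owners may act on their own resource.
        lambda s, a, r: r.attributes.get("owner") == s.user,
        # Same-department users may read resources classified up to 'internal'.
        lambda s, a, r: a == "read"
        and r.attributes.get("classification") in {"public", "internal"}
        and r.attributes.get("department") == s.attributes.get("department"),
        # Writes to 'confidential' resources need MFA and the matching department.
        lambda s, a, r: a == "write"
        and r.attributes.get("classification") == "confidential"
        and s.attributes.get("mfa") is True
        and r.attributes.get("department") == s.attributes.get("department"),
    ]
    return any(rule(subject, action, resource) for rule in rules)


def authorize(subject: Subject, action: str, resource: Resource) -> bool:
    """Deny by default: require the coarse RBAC permission AND a matching ABAC rule."""
    return rbac_allows(subject, f"api:{action}") and abac_allows(subject, action, resource)


if __name__ == "__main__":
    alice = Subject("alice", {"api-viewer"}, {"department": "finance", "mfa": False})
    bob = Subject("bob", {"api-admin"}, {"department": "finance", "mfa": False})
    payroll = Resource("payroll", {"owner": "carol", "classification": "confidential",
                                   "department": "finance"})
    print("alice read payroll:", authorize(alice, "read", payroll))   # False: confidential
    print("bob write payroll:", authorize(bob, "write", payroll))     # False: no MFA
    bob.attributes["mfa"] = True
    print("bob write payroll with MFA:", authorize(bob, "write", payroll))  # True
```

The point of the combination is that a role answers "what may this kind of user do in general", while attributes answer "may this user do it to this resource right now"; a privileged role alone does not bypass the MFA or department conditions.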
5. Message integrity
• Message verifier
– Message received by your API is verified as being the same as sent by the client
• Digital signatures
– Client produces a signature by applying an algorithm with a shared secret
– API applies the same algorithm and secret to produce its own signature and compares it against the incoming signature
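The scheme the slide describes (both sides run the same algorithm over the body with the same secret and compare the results) is a keyed MAC. The following is an added example, not MuleSoft's Digital Signature Processor: HMAC-SHA256 signing on the client and verification on the API, with the comparison done in constant time. The header name, secret and request body are constructed for the example.

```python
"""Added example (not MuleSoft's processor): signing and verifying an API
message with HMAC-SHA256 over a shared secret. The header name, secret
and message bodies are constructed for this example."""
import hashlib
import hmac

# Constructed demo secret; in practice it is loaded from a vault, never hard-coded.
SECRET = b"constructed-demo-secret-do-not-reuse"


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Client side: produce a hex signature the API can recompute."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, presented_signature: str, secret: bytes = SECRET) -> bool:
    """API side: recompute the signature and compare in constant time, so that
    response timing does not reveal how many leading characters matched."""
    expected = sign(body, secret)
    return hmac.compare_digest(expected, presented_signature)


def handle_request(headers: dict, body: bytes) -> str:
    """Reject anything without a valid signature before the payload is processed."""
    presented = headers.get("X-Signature", "")
    if not verify(body, presented):
        return "401 invalid signature"
    return "200 accepted"


if __name__ == "__main__":
    body = b'{"orderId": 42, "amount": 100.00}'
    headers = {"X-Signature": sign(body)}
    print(handle_request(headers, body))            # 200 accepted
    altered = body.replace(b"100.00", b"999.00")    # same signature, different body
    print(handle_request(headers, altered))         # 401 invalid signature
```

Two details matter in practice: the comparison must be `hmac.compare_digest` rather than `==`, and the signature must cover every byte the API will act on, so that a body altered in transit fails verification.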
• Message safety
– Protection against potentially harmful data in the request
– Attacks often come through large XML documents with multiple levels of nested elements
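One concrete way to protect an API against the large, deeply nested XML documents the slide mentions is to bound the input size and the nesting depth before a full tree is built. The following is an added example (not part of the deck and not Mule's filter or parser): a streaming parse with Python's `xml.etree` that stops as soon as either limit is exceeded. The limits and the test documents are constructed.

```python
"""Added example (not from the MuleSoft deck): a size- and depth-limited XML
parse that rejects oversized or deeply nested documents before the full tree
is built. Limits and sample documents are constructed."""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # reject oversized requests up front
MAX_DEPTH = 32          # deeper nesting than a legitimate schema here needs


class UnsafeXML(ValueError):
    """Raised when the document violates a size or depth limit."""


def parse_bounded(data: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH):
    """Return the root element, or raise UnsafeXML once a limit is exceeded.

    Note: this guards size and nesting only. Entity-expansion attacks are a
    separate concern; the stdlib parser does not limit them, so a hardened
    parser such as defusedxml should be used for untrusted input."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds {max_bytes}")
    depth = 0
    root = None
    # iterparse streams start/end events, so depth is checked incrementally
    # instead of after the whole (possibly huge) tree is already in memory.
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise UnsafeXML(f"nesting depth exceeds {max_depth}")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the guard rejects the document."""
    try:
        parse_bounded(data)
    except UnsafeXML:
        return True
    return False


def nested_document(levels: int) -> bytes:
    """Build a constructed test document with the given nesting depth."""
    return ("<a>" * levels + "x" + "</a>" * levels).encode()


if __name__ == "__main__":
    print(parse_bounded(nested_document(10)).tag)     # a
    print(is_rejected(nested_document(40)))           # True
    print(is_rejected(b"<a>" + b"x" * 70000 + b"</a>"))  # True
```

Malformed XML still raises the parser's own `ParseError`; a real endpoint would map both that and `UnsafeXML` to a 400 response without echoing the document back.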
6. Security recommendations
• Apply the “Least Privilege Access” principle
• Perform periodic penetration testing
• Perform periodic external reviews
• Configure Logging and Alerting
• Configure secure properties
– Optionally consider (centralized) properties management
• Credentials management
• Tight control on who has administrative access
• Use encrypted/secured communications
– Both inside and outside the application’s scope
7. Anypoint Enterprise Security
• Collection of security features that enforce secure access to information in Mule applications
• Provides various methods for applying security to Mule applications
• Requires an Enterprise license
• Add-on module that needs to be installed in Anypoint Studio
• Consists of 6 modules
• Suitable for both on-premise and CloudHub applications
8. Enterprise Security modules
• Mule Filter Processor
– Compares messages with filter criteria before processing
– Filter by IP/timestamp features are available
• Mule Credentials Vault
– Encrypts the property file
– Flow can access the data from property files
• Mule Message Encryption Processor
– Encrypts or decrypts part of a message or the entire payload
– JCE Encrypter, XML Encrypter, PGP Encrypter
9. Enterprise Security modules
• Mule Secure Token Service (STS) OAuth 2.0a Provider
– Security for REST service provider/consumer
• Mule Digital Signature Processor
– Ensures the integrity and authenticity of the message source
• Mule CRC32 processor
– Applies a cyclic redundancy check (CRC) to messages to ensure message integrity
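The CRC32 processor and the Digital Signature Processor both sit under "integrity", but they answer different questions. The following is an added example (not Mule's CRC32 processor; the trailer format and secret are constructed): it attaches and checks a CRC32, shows that a single flipped bit in transit is caught, and contrasts it with a keyed HMAC, which is what authenticity of the source requires. CRC32 has no key, so it can only tell you the bytes were not accidentally corrupted, not who produced them.

```python
"""Added example (not MuleSoft's CRC32 processor): appending a CRC32 trailer
to a message and checking it on receipt, contrasted with a keyed HMAC.
Wire format, messages and the secret are constructed for this example."""
import hashlib
import hmac
import zlib


def attach_crc(payload: bytes) -> bytes:
    """Append the CRC32 of the payload as 8 hex chars after a '|' separator."""
    return payload + b"|" + f"{zlib.crc32(payload):08x}".encode()


def check_crc(frame: bytes) -> bool:
    """Split off the trailer and recompute; detects accidental corruption in transit."""
    payload, sep, crc_hex = frame.rpartition(b"|")
    if not sep:
        return False
    try:
        return zlib.crc32(payload) == int(crc_hex, 16)
    except ValueError:
        return False


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate a transmission error by flipping one bit of the frame."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


def hmac_tag(payload: bytes, secret: bytes) -> str:
    """Keyed integrity: only a holder of the secret can produce a valid tag."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def compare_guarantees(original: bytes, modified: bytes, secret: bytes) -> dict:
    """Show what each mechanism accepts when a third party re-frames a modified
    message. CRC32 is unkeyed, so a recomputed trailer always passes; the HMAC
    tag computed for the original does not match the modified payload."""
    original_tag = hmac_tag(original, secret)
    return {
        "crc_accepts_modified": check_crc(attach_crc(modified)),
        "hmac_accepts_modified": hmac.compare_digest(original_tag, hmac_tag(modified, secret)),
    }


if __name__ == "__main__":
    frame = attach_crc(b"hello")
    print(check_crc(frame))               # True
    print(check_crc(flip_bit(frame, 0)))  # False: single-bit error detected
    print(compare_guarantees(b"amount=100", b"amount=999", b"constructed-secret"))
    # {'crc_accepts_modified': True, 'hmac_accepts_modified': False}
```

Use the CRC32 processor for what it is good at (cheap detection of transport-level corruption) and the signature processor, or TLS, when the question is whether the message came from the claimed sender unchanged.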
10. Virtual Private Cloud (VPC)
• The Virtual Private Cloud (VPC) offering allows you to virtually create a private and isolated network in the cloud to host workers
• Choose to use this isolated network as it best suits your needs
– Host your applications in a VPC and take advantage of its load balancer
– Configure your own firewall rules for your VPC
– Connect your VPC to your corporate intranet, whether on-premises or in other clouds, via a VPN connection as if they were all part of a single, private network
– Set a private DNS server so the workers hosted in a VPC communicate with your internal network using your private host names