Security is a constant concern in any kind of network infrastructure. There’s a need to protect your customers, servers and the data that flows between them from attacks, which may originate externally or within the network itself.
Criminals want access to your information, whether it’s your customers’ credit card information or your company’s strategic business plans, and they will take any opportunity to gain access to it.
This includes techniques like stealing access credentials, intercepting data in transit (known as a “man-in-the-middle attack”), spoofing or API abuse (when API calls are manipulated to generate unexpected results and extract data), just to name a few.
One way to protect against these and similar threats is to implement a mutual authentication scheme in your infrastructure. Before establishing a connection, clients and servers mutually verify their identity using digital certificates, with all communications between them being encrypted.
This scheme is called mTLS (Mutual Transport Layer Security, or mutual TLS) and is available on Azion’s Edge Computing Platform. In this article, we will explain how it works, and the benefits that it may bring.
The Trust Issue
Imagine a simple application composed of a front-end, like an e-commerce storefront, and a server, where the data coming from the front-end is stored and processed. For it to operate securely, we need to ensure that:
- The client is who it claims to be, and is authorized to access the server.
- The server is who it claims to be, and not an impersonator.
- Data in transit between the client and the server cannot be intercepted.
One way to implement security is by using access credentials, that is, a username and password. In this model, an application will only be able to access the server’s resources after presenting valid credentials. Problem solved? Not quite…
By itself, this model has multiple points of failure: weak passwords can be guessed using a “brute force” approach, and strong passwords can be stolen using social engineering or other methods.
Besides that, it assumes that anyone presenting valid credentials is a legitimate client. This means that, after acquiring the credentials, an attacker can connect to the server without being questioned. And we haven’t even addressed items #2 and #3 of our list yet.
How TLS And mTLS Work
A better approach is to establish a chain of trust using digital certificates. You already use this system every day without even realizing it.
When you access a secure website (indicated by the use of the HTTPS protocol in the URL), the server sends the client (your web browser) a TLS (Transport Layer Security) certificate, issued by a Certification Authority (CA), containing information on the identity of the certificate’s owner and an expiration date.
The browser checks that this information was signed by a CA it trusts, and thus can ensure that the server really is who it claims to be, like an e-commerce or banking platform, and not an impersonator trying to steal your information.
The certificate also includes the server’s public key, which is used during the handshake to establish the encryption key that protects all further data in transit from interception. This process is known as the “TLS handshake”.
In this example, only the server has its identity verified. mTLS is an extension of this concept, in which both the client and the server exchange certificates to validate each other’s identity. Only then can a connection be established and data transferred.
Figure: How a typical mTLS handshake works. 1) The client (on the left) requests a connection to the server (on the right). 2) The server delivers its certificate. 3) The client validates the server’s certificate, and delivers its own. 4) The server validates the client certificate, and establishes the connection. Image: Azion Technologies.
It’s worth mentioning that mTLS is not a new protocol. It’s part of the TLS specification, and any server capable of TLS authentication is also capable of using mTLS; it just needs to be configured to do so.
Benefits of mTLS
mTLS can fulfill all the requirements on our previous example:
- It ensures the client’s identity, regardless of access credentials. Even if an attacker can get valid credentials, they won’t have access to the application as they lack a valid certificate. This makes attacks based on simple credential stealing impossible.
- It ensures the server’s identity, avoiding spoofing attacks. If the server presents an invalid certificate, the connection won’t even be established and any attack attempt will be thwarted before it can even begin.
- It avoids man-in-the-middle attacks. Data in transit is encrypted using a key selected during the initial handshake, known only to the client and the server. Even if a criminal manages to intercept the data, without the key it will be impossible to decrypt it.
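To make the handshake in the figure above and the first two benefits concrete, here is an added Go example; it is not part of the original article and not Azion’s own code or platform configuration. It builds a throwaway certificate hierarchy in memory (a private CA standing in for the Trusted CA, plus one leaf certificate for the server and one for the client; the names `Demo Trusted CA`, `localhost` and `demo-client` are constructed for the example), starts a loopback server configured with Go’s `tls.RequireAndVerifyClientCert`, and runs three connections: a client holding a certificate from the trusted CA, a client with no certificate at all (all an attacker with stolen passwords could offer), and a client whose certificate was signed by a CA the server does not trust. Only the first is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory hierarchy: one private CA (the "Trusted CA") and a leaf per side.
type DemoPKI struct{ Roots *x509.CertPool; Server, Client tls.Certificate }
// must aborts the demo on any error; a real service would return it instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a short-lived leaf for cn with the CA key; the EKU limits it to one side of the handshake.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, usage x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the client matches the server's name against this SAN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // the expiration date the article mentions
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// NewDemoPKI creates the self-signed CA and issues both leaf certificates.
func NewDemoPKI() *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Trusted CA"},
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &DemoPKI{
		Roots:  roots,
		Server: issue(caCert, caKey, 2, "localhost", x509.ExtKeyUsageServerAuth),
		Client: issue(caCert, caKey, 3, "demo-client", x509.ExtKeyUsageClientAuth),
	}
}

// Handshake runs one connection against a loopback mTLS server and returns the client identity
// (leaf CN) the server accepted, or the error that made it refuse; a nil clientCert sends none.
func Handshake(p *DemoPKI, clientCert *tls.Certificate) (string, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this one setting turns TLS into mTLS
		ClientCAs:    p.Roots,                        // accept only clients signed by our CA
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	var clientCN string
	done := make(chan error, 1)
	go func() { // server side: accept one connection and complete the handshake
		tc := must(ln.Accept()).(*tls.Conn)
		defer tc.Close()
		err := tc.Handshake() // fails e.g. with "tls: client didn't provide a certificate"
		if err == nil {
			clientCN = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		done <- err
	}()
	cliCfg := &tls.Config{RootCAs: p.Roots, ServerName: "localhost"} // the client verifies the server too
	if clientCert != nil { // someone holding only stolen passwords has nothing to put here
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // under TLS 1.2 the refusal surfaces here; under TLS 1.3 the server reports it
	}
	defer conn.Close()
	err = <-done
	return clientCN, err
}

func main() {
	p, rogue := NewDemoPKI(), NewDemoPKI() // rogue: a second CA the server does not trust
	fmt.Println(Handshake(p, &p.Client))     // accepted: demo-client
	fmt.Println(Handshake(p, nil))           // refused: no certificate
	fmt.Println(Handshake(p, &rogue.Client)) // refused: signed by an unknown CA
}
```

Run it with `go run`. Note that the client side also sets `RootCAs` and `ServerName`, so the server’s identity is verified in the same handshake; removing either check on the client, or `ClientCAs` on the server, reintroduces the impersonation risk the article describes, even though the connection would still be encrypted.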
Those characteristics make mTLS an essential feature in market segments like e-commerce and financial services, where information security is crucial. It is also one of the pillars for the implementation of a “Zero Trust” security architecture, whose motto is “never trust, always verify”.
It can also be used to authenticate workstations in a corporate environment, servers on an IoT infrastructure, applications running at the edge, or any other scenario where mutual trust is required.
mTLS on Azion’s Edge Computing Platform
Azion’s Edge Computing Platform supports mTLS. This feature is a requirement for Open Banking, and may also be needed if your Edge Application offers financial services or handles payments.
To enable mTLS, your application must operate using the HTTPS protocol. You will also need a digital certificate with mTLS support, generated by a third-party Certificate Authority. At Azion, we call this a Trusted CA certificate. Keep in mind that the free certificates generated internally by Azion (Azion [SAN]) do not support mTLS.
For more information on how to configure mTLS support in your application, check out our documentation.
mTLS is an essential tool to protect your servers and applications, ensuring the privacy of your customers’ data and compliance with security standards recognized worldwide.
To learn more about how Azion’s services can help you take the security of your users and your organization to the next level, talk to our experts.