Marmelab Helps WALLIX Prototype A Zero Knowledge App For Session Management

François Zaninotto
January 08, 2020
#reference #marmelab

Marmelab helped WALLIX Group test an innovative approach to session management. The result of this experiment is a secure, in-browser rights management platform, coupled with a zero-knowledge cloud service.

Context

Cyber security and compliance have become primary concerns for most companies. New legislation like GDPR pushes all companies to be proactive and very cautious with personal data. Data breach scandals have put the subject of cyber security on the front line.

WALLIX Group is a European software company specialized in Privileged Account Management. They publish a cyber security solution called WALLIX Bastion, currently used by more than 1000 companies across the world to secure their infrastructure. These companies use WALLIX Bastion to control and monitor access to privileged resources (databases, services, customer data, etc.).

Challenge

A single Bastion appliance can contain hundreds of thousands of authorization rules, and can serve as a proxy (SSH or RDP) for hundreds of user sessions. But some companies require much more horsepower, which can only be supported by a cluster of Bastions.

WALLIX imagined a control application allowing Security Administrators to edit the rules of a cluster in a secure, local environment, to deploy these rules to a cluster of Bastions, and to save them in a zero-knowledge cloud operated by WALLIX Group.

The uncertainties were legion: whether data could be encrypted and decrypted in the browser in a secure and performant way, whether a highly relational set of data could be managed locally, and whether Security Experts would trust a cloud service with their secrets. WALLIX asked Marmelab to help them resolve these uncertainties through experimentation.

JavaScript was chosen as both the backend (Node.js) and frontend (React.js) language.

Outcomes

Using WALLIX’s prototype, security experts can set and update complex authorization rules in their browser, in offline mode. This required leveraging new browser APIs like WebCrypto, WebAuthn, IndexedDB, streaming, etc.

The UI was specially designed for large sets of security rules, and significantly reduces the time needed to manage devices, services, and user groups. The web app is fast, even for very large configurations. It has been successfully tested for payloads of half a million records. Best-of-breed encryption in the browser ensures that the secrets are securely stored in a zero-knowledge service. Coupled with a new Cluster mode in WALLIX Bastion, it makes the WALLIX solution scale to the largest customer infrastructures.

[Screenshots: Configurator login, Target detail, Target Groups, Add Target to Group, Profile detail]

After a year of trial and research, the experimentation is conclusive, as summarized by WALLIX CTO Serge Adda:

This collaboration has allowed us to be effective; we have gained a lot of time by relying on the state of the art of web technologies. This approach allows us to align with our time to market goal.