Introducing Border0's new Application-Aware Policies

In this blog we’ll take a look at how our new application-specific permissions empower you to define fine grained access rules for your applications and services all the way up to the application layer .

We get it - your users and applications are everywhere, and your digital infrastructure is becoming increasingly dynamic and complex. Managing access has become a daunting task. That's why we're excited to announce the latest update to Border0's policy language, which integrates application-specific permission management with identity and network-level access controls, all in a single platform. This provides a granular and context-aware solution, enabling you to define highly tailored permissions for specific applications and unlock a new level of security, efficiency, and operational excellence.

Check out a demo of our new Application Aware permissions!

What are Application specific permissions

Application-specific permissions allow you to define and control the level of access users have to a specific application, moving beyond traditional firewall-like permissions that only filter by port and IP addresses.

Imagine an organization with multiple Linux servers and databases across different departments. Traditional network-based access controls might allow a user who gains network access to have wide-reaching capabilities within it, posing risks if permissions are not strictly managed.

With Border0’s new policy permissions, you can ensure a developer has SSH access to a specific server only as the 'ubuntu' user, preventing them from escalating privileges by logging in as 'root'. Simultaneously, the same policy can restrict database access such that the developer can only run select queries on the production database while allowing more extensive privileges on a staging database. Or you can define a Kubernetes rule limiting kubectl exec access to a set of namespaces but only on pods with the label app=nginx.

Border0 Policy editor: configuring a Database specific Access Policy

These examples illustrate the capabilities and potential of our new policy language. By integrating application-specific permissions with our context and identity-aware policies, you can simplify access management and ensure users have exactly the access they need to perform their tasks, without overprovisioning.

Key Capabilities of Application-Specific Permissions

Let's look at some practical examples of leveraging Border0 policies to control detailed access up to the application layer.

SSH Username Control

Our new policy language enables you to define precise SSH username permissions, controlling who can access a service with specific usernames. For example, you can restrict SSH access to only allow the "ubuntu" user, adding an extra layer of security and granularity. Additionally, you can set time limits on SSH shell sessions, such as a maximum of 1 hour (3600 seconds), further enhancing control and security.

{ "ssh": { "allowed_usernames": [ "ubuntu" ], "max_session_duration_seconds": 3600, "shell": {} } }

Kubernetes Namespace Control

Border0 policies now enable you to restrict access to specific Kubernetes namespaces and even to pods with certain labels. This provides fine-grained control over who can execute commands within different parts of your Kubernetes cluster.

{ "kubectl_exec": { "allowed_namespaces": [ { "namespace": "production", "pod_selector": { "app": "nginx" } } ] } }

Per-Database Permissions

You can define precise permissions for specific databases, controlling the types of queries that are allowed. For example, you can grant the support team read-only and update access to a particular database, while allowing the database engineering team full read-write access. This ensures that your data is secure and compliant with regulations, and that each team has the access they need to perform their tasks.

{ "database": { "max_session_duration_seconds": 3600, "allowed_databases": [ { "database": "my_db", "allowed_query_types": [ "ReadOnly", "update" ] } ] } }


Command Execution Control

Policies can also specify which commands can be executed over an SSH exec session, allowing for precise control over what users can do over an SSH exec channel.

{ "ssh": { "exec": { "commands": [ "^ls -la$" ] } } }

Why Border0's Application-Aware Policies are a Big Deal

Traditional firewalls and access control solutions have limitations when it comes to granular access control and permissions management. They focus on network-level access, relying on application owners to manage permissions, which can lead to fragmented management and security gaps.

Border0's policy language offers a unified approach to access management, enabling administrators to define access levels based on multiple variables and contexts within a single platform. This streamlines access management for all services and applications, leveraging SSO identities and centralized access management.

Comprehensive reporting, including session recordings and audit logs, provides complete visibility, enhancing security and operational efficiency. Border0's application-aware policies bridge the gap between access control and application management, offering a new level of control and security.

Benefits of Layer 7 Control and Visibility with Border0

Granular Security: Application-specific permissions allow for precise control over who can access what and what actions they can perform, enhancing security by minimizing unnecessary access.

Compliance and Auditability: Detailed permissions help ensure compliance with various regulations and provide a clear audit trail of who accessed what and when. This is particularly important for sensitive environments such as financial services and healthcare.

Operational Efficiency: By providing specific access permissions, you can ensure that users have exactly the access they need to perform their jobs without over-provisioning, thereby improving operational efficiency.

Flexibility and Control: The ability to set permissions at the application layer provides unmatched flexibility and control, allowing organizations to adapt quickly to changing security requirements and operational needs.

Conclusion

The application-specific (Layer 7) permissions provided by Border0 policies are a unique and powerful feature. They offer granular control over access to applications and services, enhancing security, compliance, and operational efficiency. Whether it's restricting SSH access to specific usernames, controlling Kubernetes namespaces, or defining precise database permissions, Border0's Layer 7 capabilities set it apart from traditional access control solutions. For more details also see the Policy documentation.

Experience the power and flexibility of Border0’s new policy language today. Sign up for our free, fully-featured community edition and take control of your infrastructure with precision and confidence.

Ready to level up
your security?