🔒 Security Best Practices
This guide provides task-focused security recommendations for deploying and operating Control Core.
For secure diagnostics and support data-sharing guardrails, see:
📌 Overview
Control Core supports enterprise-grade security through policy-based access control, audit logging, and optional workload identity. Follow these practices to secure your deployment.
Security Layers
Security is applied at multiple layers from network to application:
📌 Access Management
- Use API keys securely: Store Bouncer API keys in secrets management; never commit them to source control.
- Rotate keys regularly: Rotate Control Plane and Bouncer API keys on a schedule.
- Least privilege: Grant users and services only the permissions they need.
- Enable MFA: Use multi-factor authentication for administrative access where supported.
🔒 Network Security
- TLS for all traffic: Use HTTPS for the Control Plane and Bouncer; terminate TLS at the load balancer or proxy.
- Restrict network access: Place Control Plane and Bouncers in private subnets; expose only necessary ports.
- Firewall rules: Allow only required ports (e.g., 443, 8080 for Bouncer, 8000 for Control Plane API).
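One way to enforce the port restrictions above on Kubernetes is a default-deny ingress policy plus explicit allow rules for the ports this page lists. This is an added example, not configuration shipped with Control Core; the namespace `control-core`, the pod labels `app=bouncer` and `app=control-plane`, and the `role=ingress` namespace label for the TLS-terminating proxy are all assumptions, and 443 is not opened on the pods because TLS terminates at the proxy.

```yaml
# Added example (not from the Control Core docs). Assumed names: namespace
# "control-core", pod labels app=bouncer / app=control-plane, and a proxy
# namespace labelled role=ingress that terminates TLS on 443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: control-core
spec:
  podSelector: {}           # applies to every pod in the namespace
  policyTypes: ["Ingress"]  # no inbound traffic unless another policy allows it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bouncer-allow-8080
  namespace: control-core
spec:
  podSelector:
    matchLabels: { app: bouncer }
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: { role: ingress }   # only the TLS-terminating proxy
      ports:
        - protocol: TCP
          port: 8080                          # Bouncer port from this page
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: control-plane-allow-8000
  namespace: control-core
spec:
  podSelector:
    matchLabels: { app: control-plane }
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: { app: bouncer }    # Bouncer sync/heartbeat traffic
        - namespaceSelector:
            matchLabels: { role: ingress }   # administrative API access via proxy
      ports:
        - protocol: TCP
          port: 8000                          # Control Plane API port from this page
```

Apply with `kubectl apply -f`, then confirm that a pod outside the allowed selectors cannot reach 8080 or 8000 before relying on the policy in production.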
📌 Cryptographic Workload Identity
Control Core provides advanced identity-based security for internal communications through cryptographic workload identity:
- Policy and Control Plane Hardening - What hardening protects, potential effects, and troubleshooting (API keys, SPIRE, deny-by-default)
- Cryptographic Workload Identity - Enterprise-grade zero-trust security with mTLS, automatic certificate rotation, and compliance alignment (SOC 2, ISO 27001, PCI DSS, HIPAA, NIST, FedRAMP)
- Work ID Configuration - Technical setup guide for enabling workload identity
📌 Data Protection
- Data masking: Use policy-driven data masking for sensitive API responses. See Rego Guidelines for `masked_response` patterns.
- Audit logging: Enable and retain audit logs for compliance. See Audit Logs.
- Secrets: Store database credentials, API keys, and tokens in your platform's secrets manager (e.g., Kubernetes Secrets, AWS Secrets Manager).
🔒 Monitoring and Compliance
- Audit logs: Review audit logs for unauthorized access or policy changes.
- Health checks: Use Bouncer and Control Plane health endpoints for monitoring.
- License and telemetry: Configure Telemetry for license verification; use encrypted transmission.
🛠️ Troubleshooting
| Issue | What to check |
|---|---|
| API key or credential exposure | Rotate keys immediately. Store secrets in a vault or secret manager. Never log or commit credentials. |
| TLS or certificate errors | Verify certificate chain and trust store. Ensure TLS is enabled for Control Plane and Bouncer endpoints. |
| Workload identity or mTLS failures | Check certificate validity and trust. See Work ID Configuration and Cryptographic Workload Identity. |
| 401/403 or Bouncer sync/heartbeat failures | Hardening requires valid API keys (and SPIRE when enabled). See Policy and Control Plane Hardening. |
| Audit or compliance gaps | Confirm audit logging is enabled and logs are retained. Review Monitoring and Compliance. |
For more, see the Troubleshooting Guide.
📘 Related Guides
- Cryptographic Workload Identity - Enterprise security and compliance overview
- Work ID Configuration - Technical setup guide
- Administrator Guide - Configuration and user management
- Bouncer Deployment - Securing the policy enforcement layer
- Rego Guidelines - Policy security patterns