Moving database applications to the cloud has been a boon for development teams anxious to move faster. It has also, however, exposed security flaws inherent in traditional security solutions, something data layer security startup Cyral has been tackling. To take this a step further, Cyral recently open sourced a project called Approzium to enable developers to better observe and secure data by themselves. It’s a cool project for several reasons, not the least being that in security, obscurity really isn’t your friend.
By open sourcing Approzium, Cyral makes it easier for developers to trust the project precisely because they don’t really have to trust it–they can see the code. It turns out open source offers other advantages for Cyral, as well.
Open sourcing security
Approzium, available free for download under the Apache 2.0 open source software license, is designed to make lives easier for developers to iterate code faster and ship more secure applications and services. On the observability side, Approzium helps to eliminate blind spots in the diagnosis and tracing of complex performance problems within microservice architectures. On the security side, it also lets developers connect their applications to databases without the need to access credentials, thereby preventing leaks that can arise through inadvertent application logging, application compromise, or theft of secrets manager API keys.
In these ways, Approzium complements an organization’s existing investments in monitoring tools like Datadog, New Relic, and Grafana, as well as secrets managers like HashiCorp’s Vault. Out of the box, it supports Grafana, reporting performance and security metrics to the Grafana dashboard. With minor modifications, it can do the same for Datadog and other dashboards.
At first glance, I assumed Cyral was using a modified “open core” strategy here, but the company tells me that, no, Approzium is a fully functional, standalone service. It’s simply an SDK that is easy to incorporate into an application and runs as a self-hosted service. It eliminates the need for credentials in code and provides confirmed identity information at runtime and enriches logs with service identity instead of simply logging a shared user.
Approzium follows Cyral’s release in January of the open source brewOPA project, created to make it easier for developers, DevOps, and SecOps teams to interface with policy engines of the future. As Steven J. Vaughan-Nichols has written on TechRepublic sister site ZDNet, brewOPA helps developers to take advantage of YAML interfaces to bridge the gap between DSLs for data security in the new world of cloud-native, Kubernetes, service meshes, and more.
Both open source projects help get developers invested in security from the start, rather than trying to bolt it on at the end of their development cycle. In this way, it has become critical to make security feel like a natural part of the development process so that it doesn’t slow developers. Getting this balance right is increasingly critical to the success of open source projects, as well as the companies that hope to capitalize on them, like Cyral. In this case, Cyral seems to have handled the balance between its commercial complements to the open source Approzium and brewOPA projects with aplomb.
Disclosure: I work for AWS, but the views expressed herein are mine and don’t reflect those of my employer.