Using Pivotal Cloud Cache (PCC) just got easier. Now, your developers can use your existing OAuth 2 compliant corporate directory to store and manage credentials to PCC instances.
Why does this matter? The integration with OAuth 2 extends centralized credential management for PCC. And this, in turn, increases your security posture. You have a single place that kicks-off workflows to secure your clusters. You don’t have rogue credentials floating around in YAML files. Centralized management also enables efficient credential rotation. And you can easily encrypt these secrets.
Here’s how the new OAuth 2 integration works.
Now, PCC credentials can be accessed from OAuth 2 compliant corporate directories like UAA, Vault, or systems that use LDAP. Remember the Credhub integration we added in PCC 1.5? Now, you can simply connect to your OAuth 2 compliant corporate directory, and manage your credentials there. This will be a big time-saver for you!
With Any Data Service, Security is Paramount
We’ve delivered several useful data protection and security capabilities for PCC in recent months. Here are a few of our favorite PCC roadmap items that provide you with a platform managed service that is secure and protects the integrity of your data.
Credential Management via CredHub
Credential rotation prevents intruders from accessing sensitive information by using ill-begotten credentials. It reduces the window of vulnerability by changing credentials frequently, a huge benefit given the number of credentials that the platform uses internally, in addition to the user provided credentials. (Also introduced in PCC 1.5.)
These measures build on our overall focus on security for the platform. We make it easy to apply patches and address critical vulnerabilities and exposures (CVEs) with zero downtime. Advanced persistent threats, like malware that has been left behind by an intruder, can be removed by frequently repaving the system, i.e. returning the platform to a known good state without any downtime.
Protect Against Availability Zone Failure
PCC now spreads multiple service instances across different availability zones, protecting from availability zone failures. (Released in PCC 1.6.)
PCC v1.3 added data persistence so that data in-memory is also stored on persistent disk. A write to memory is synchronously written to PCC’s optimized, local, disk-based file system, so that writes are never lost. If an entire PCC cluster fails, BOSH will recreate the VMs from the persistent disk. From there, PCC will load all the data from the disk into the cluster.
Transport Layer Security Encrypts Traffic in Transit
TLS encrypts the payload on the network preventing bad actors from getting direct access to sensitive information. The certificates that are needed to encrypt data in motion are managed by the platform. All interactions with the cluster can occur over encrypted channels by using a single/simple command to enable TLS. (Introduced in PCC 1.5)
We’re taking a holistic approach to security, so you can benefit from defense-in-depth capabilities.
For deeper coverage of security-related topics, you won’t want to miss the SpringOne Platform Conference, at which there will be several sessions on the topic of security. The conference will also feature several sessions on in-memory caching for microservices architectures. Many of these sessions are part of our annual Apache Geode Summit, which starts on Monday Oct 7th - the first day of the conference. Register now - early bird discounts still apply.
The PCC documentation provides details on how to prepare your Pivotal Application Service foundation for TLS, and how to develop an app that uses TLS. The Credhub documentation goes over how to create and use a Credhub service instance.
About the AuthorMore Content by Jagdish Mirani