Securing Beats at Scale — Hysolate

  1. The receiving end must be able to authenticate the sender in a secure manner, at scale
  2. The receiving end must be able to withstand (D)DoS attacks
  • , as an additional preprocessing pipeline.
  1. Elasticsearch supports multiple authentication options: TLS client certificates, API key, and user credentials (basic authentication). Logstash supports only TLS client certificates with the Lumberjack protocol. Unfortunately, there is no easy way to rotate and distribute them to all devices that are sending telemetry data.
  2. Elasticsearch and Logstash do not provide anti-(D)DoS protection for unauthenticated requests.

Hysolate’s Elegant Solution

Luckily, we found an elegant solution that is both secure and efficient. Before we dive into it, here’s a bit of additional background: Hysolate’s cloud infrastructure is deployed behind a HTTPS CDN, and utilizes Signed JSON Web Tokens as the authentication method both for Console users as well as internal API of the software on the devices.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store