We’re excited today to launch Approzium, Cyral’s latest open source project (and yes, it’s free)!
Approzium enables developers to improve observability and security of their applications. It allows applications to connect to databases without requiring access to credentials, and emits logs, metrics and traces with enriched information about their runtime execution context. It has been built as a lightweight open source library with multi-language and multi-cloud support. Approzium builds on the success of Cyral’s security as code approach and our data layer sidecar, a featherweight, stateless interception service built to handle the unique performance, deployment and availability challenges that the modern data layer presents. We’ve decided to make it available using the Apache 2.0 license.
Approzium eliminates blind spots in the diagnosis and tracing of complex performance problems within autoscaled microservices running on modern orchestration frameworks such as Kubernetes and AWS ECS (Elastic Container Service). For example, all instances of an autoscaled microservice look alike from a database’s perspective. This makes it harder to attribute performance issues resulting from misbehaving queries, buggy service code and faulty cloud VMs to a specific microservice instance.
Additionally, Approzium addresses common security vulnerabilities in how applications typically connect to a database. Regardless of whether database credentials are stored in the application code itself or in a secrets manager such as HashiCorp Vault, giving applications direct access to credentials exposes them to leaks through inadvertent application logging, application compromise, or theft of secrets manager API keys.
Approzium solves this problem by using the cloud provider's security infrastructure to authenticate applications by their IAM roles instead, abstracting the database credentials away from them. As a result, an application never needs to know the actual database credentials in order to connect, while administrators retain control over which applications are allowed access.
By providing richer execution context about each microservice instance, such as the service’s IAM role info, the EC2 instance id and hostname where it’s running, or its container/task id in dockerized environments, Approzium allows DevOps teams to quickly trace and resolve performance issues. This context is added into existing logs, metrics and traces already being emitted by the microservice.
Approzium’s Python SDK currently supports both AWS RDS and self-hosted MySQL and PostgreSQL on AWS. It communicates with an Approzium authentication service that stands between your application and your database.
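To make the brokered model above concrete, here is an added example (not Approzium's own code or API) that simulates the three parties: a cloud identity service, a hypothetical broker holding the database passwords and an administrator-controlled role allowlist, and the application, which presents only its identity and gets back a handle carrying runtime context but no credential. The HMAC-signed identity document, the `CredentialBroker` class, the role ARN and all passwords are constructed stand-ins.

```python
import hmac, hashlib, json
from dataclasses import dataclass

# Constructed stand-in for the cloud provider's identity service: the provider
# signs {role, instance_id} for a running instance and the broker verifies it.
PROVIDER_KEY = b"constructed-provider-signing-key"
DATABASE_PASSWORDS = {"orders-db": "constructed-db-password"}  # simulated DB side

def issue_identity(role, instance_id):
    """Identity document as the cloud provider would issue it (simulated)."""
    body = json.dumps({"role": role, "instance_id": instance_id}, sort_keys=True)
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def database_login(database, password):
    """The database accepts or rejects the credential; only the broker calls this."""
    if not hmac.compare_digest(DATABASE_PASSWORDS[database], password):
        raise PermissionError("database rejected credentials")

@dataclass(frozen=True)
class Connection:
    """Handle returned to the application: runtime context for log
    enrichment (role, instance id), but no credential material at all."""
    database: str
    role: str
    instance_id: str

class CredentialBroker:
    """Hypothetical authentication service standing between app and database."""
    def __init__(self, db_passwords, allowlist):
        self._db_passwords = db_passwords  # seen only by the broker
        self._allowlist = allowlist        # database -> roles admins permit

    def connect(self, identity_doc, database):
        body, _, sig = identity_doc.rpartition(".")
        expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("identity document failed verification")
        ident = json.loads(body)
        if ident["role"] not in self._allowlist.get(database, set()):
            raise PermissionError(f"{ident['role']} not allowed on {database}")
        database_login(database, self._db_passwords[database])  # password stays here
        return Connection(database, ident["role"], ident["instance_id"])

ORDERS_ROLE = "arn:aws:iam::123456789012:role/orders-svc"  # constructed
def app_connect(role, instance_id="i-0constructed"):
    """What the application does: present identity, get a handle, never a password."""
    broker = CredentialBroker(DATABASE_PASSWORDS, {"orders-db": {ORDERS_ROLE}})
    return broker.connect(issue_identity(role, instance_id), "orders-db")
```

Logging `repr()` of the returned handle, the leak path the post warns about, exposes the role and instance id that help with tracing but nothing that could authenticate to the database.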
- Read Approzium’s docs.
- Download the Approzium server binary.
- Take the Approzium Python SDK for a spin.
- View or contribute to Approzium on GitHub.
Tell us what you want us to add to Approzium by opening a feature request.
We hope you will enjoy using Approzium and hope it helps you write better, more secure code!