Impact

Apeiro Security

Cloud Native Lifecycle Management

Security is a key concern in cloud environments, where providers hold responsibility of customers’ data and have to adhere to amplified regulatory requirements (e.g. from GDPR, CRA, to KRITIS). In a multilateral world, the control and limitation of integrated cryptography within cloud environments become increasingly important as the level of entrusted data confidentiality rises. We therefore suggest default solutions for the most common challenges, which in unison offer the flexibility to adjust to changing boundary conditions and specific requirements enforced in regulated markets and/or different jurisdictions. With Apeiro Security we provide a powerful set of tools to manage cryptographic assets, protect sensitive data, and maintain a strong and adaptable security posture in the face of emerging threats and changing requirements.

Key Management Service (KMS)

As organizations increasingly rely on cloud environments to store sensitive data, a robust Key Management Service (KMS) is essential to ensure that data remains protected through strong encryption practices. This component aims to deliver a secure and scalable solution for managing cryptographic keys, providing organizations with the ability to safeguard sensitive data through robust encryption mechanisms. KMS enables enterprises to create, manage, and control encryption keys used for protecting data at rest, ensuring compliance with stringent security and privacy standards. KMS supports key hierarchies along technical services, providers, and regional jurisdiction. This allows customers to retain control over the master key used to protect subordinate keys in the hierarchy. This architecture empowers customers to revoke access to their encrypted data, if necessary, enhancing data control and reducing the risk of unauthorized access. Key features include support for Bring Your Own Key (BYOK), where customers can import their own encryption keys, and Hold Your Own Key (HYOK), enabling customers to retain complete control and storage of their master keys. These capabilities provide flexibility for organizations to tailor their encryption strategies to meet their unique security requirements. The KMS project aims to facilitate seamless integration with existing data storage systems, ensuring that encryption and key management processes are simple, secure, and efficient.

Secrets Management & PKI

In cloud environments, effective secrets management is crucial for safeguarding sensitive information, such as API keys, database credentials, and certificates (e.g. the hierarchical cryptographic keys created in the KMS), to prevent unauthorized access and protect critical infrastructure. With Apeiro Security we will extend the open source OpenBao project with enterprise-grade features, transforming it into a comprehensive solution for secure secrets management and certificate lifecycle automation. The project will provide organizations with a service to securely store, access, and distribute secrets necessary for bootstrapping their infrastructure, especially for network constrained edge environments. OpenBao, hosted under neutral & open governance in the Linux Foundation Edge, has also been adopted in other participating IPCEI-CIS projects and ApeiroRA’s contributions promises joint development synergies.

Both capabilities can be adopted by organizations in their existing environments and will allow them to maintain strong security postures and simplify compliance with industry standards.

Crypto Agility

As cryptographic standards evolve and new vulnerabilities emerge, organizations must ensure that their cloud software can quickly adapt to maintain strong security postures. In ApeiroRA we focus on developing Crypto Agility Guidelines that enable software to seamlessly transition to new cryptographic algorithms, protocols, or standards as security requirements change. This adaptability is essential to protect sensitive data, maintain compliance, and mitigate the risks associated with outdated or vulnerable cryptographic mechanisms.

The project will include tools and recommendations for maintaining a Crypto Inventory, which catalogs all cryptographic algorithms, libraries, and versions currently in use, helping organizations identify outdated or non-compliant algorithms and ensuring that encryption practices adhere to the latest security standards. Similar to how OCM spans artifact SBoMs in its coordinate system, Crypto BoMs are envisioned to be holistically included with OCM as well.

Audit Log Standards & Integration

Ensuring comprehensive and real-time auditing is critical for maintaining runtime security, compliance, and operational visibility across modern cloud environments. This project focuses on simplifying the integration and pluggability of 3rd-party audit log services to provide organizations with a streamlined approach to monitor and record all activities and changes across their cloud infrastructure, applications, and services. The integration will leverage and extend OpenTelemetry (OTel) as the standard for observability, enabling consistent and unified logging across diverse systems. OpenTelemetry, hosted under neutral & open governance in the Cloud Native Computing Foundation, is the de-facto observability standard for all participating IPCEI-CIS projects. Our contributions with ApeiroRA clearly promises synergies and unconstrained adoption.