Posture checks for machine to machine configurations

I am preparing an API-based machine-to-machine demo … and thought to ask how to implement posture checks… or something equivalent to MFA for a client request.

I am not sure if I have seen anything related to this in the past…

If possible, how do you do it?

If not possible, what alternatives are there to ensure a server credential is not compromised?

With a machine-to-machine setup, it’s hard to implement MFA, indeed. You could inject a human into that worker’s process by having the machine ask for authorization and having a human authorize it. That is all something you could/would probably do outside of ziti, but I could see that process actually using ziti to control access. I don’t think something like that exists yet in ziti.

That’s only doable if the number of requests is very small. You could have that process authorize the service for some amount of time so that a human had to intervene to continue allowing the device to communicate to the service.

As for posture checks though, we do have one based on MAC address and another based on process. You could use a posture check to verify the MAC address matched one or both sides of the m2m demo. You could create a sentinel process on the machines which needs to be running for the connection to complete. Usually that’s some kind of virus scanner/anti-malware type process, but there’s nothing preventing you from using any process. For example, I’ve tested this using just Windows Notepad. Notepad open? Connection established. Silly example, but you get the point.

Currently, OpenZiti doesn’t try to solve the “observability” problem of detecting when a server is compromised and taking action. It’s a hard problem to solve overall but you’re right, detecting a compromised m2m solution is important, and hard.

Hope that helps

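The three controls the reply describes (a MAC-address posture check, a sentinel-process posture check, and a time-boxed human authorization) combined into one policy evaluator, as an added Python example; this is not OpenZiti code, and the `Endpoint`/`Policy` shapes and the approvals map are assumptions made for the illustration.

```python
"""Toy posture-check evaluator (added example, not OpenZiti's own code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Endpoint:
    """What the endpoint reports about itself (assumed data shape)."""
    mac: str
    running_processes: set = field(default_factory=set)


@dataclass
class Policy:
    """Controls required before an m2m connection is allowed (assumed shape)."""
    allowed_macs: set                 # MAC posture check
    sentinel_process: str             # process posture check (e.g. an AV agent)
    approval_ttl: timedelta           # how long one human authorization lasts


def evaluate(endpoint: Endpoint, policy: Policy,
             approvals: dict, now: datetime) -> tuple:
    """Return (allowed, reasons). `approvals` maps normalized MAC -> time a
    human last approved that machine; every failing control is reported so
    a defender can see exactly which check blocked the connection."""
    mac = normalize_mac(endpoint.mac)
    reasons = []
    if mac not in {normalize_mac(m) for m in policy.allowed_macs}:
        reasons.append("mac-not-allowed")
    if policy.sentinel_process not in endpoint.running_processes:
        reasons.append("sentinel-process-missing")
    approved_at = approvals.get(mac)
    if approved_at is None or now - approved_at > policy.approval_ttl:
        reasons.append("human-approval-missing-or-expired")
    return (not reasons, reasons)


# Constructed sample data: one worker, approved 10 minutes ago for a 1-hour window.
POLICY = Policy({"AA-BB-CC-DD-EE-01"}, "notepad.exe", timedelta(hours=1))
NOW = datetime(2024, 1, 1, 12, 0, 0)
APPROVALS = {"aa:bb:cc:dd:ee:01": NOW - timedelta(minutes=10)}
WORKER = Endpoint("aa:bb:cc:dd:ee:01", {"notepad.exe", "svchost.exe"})
```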