Ockam is a suite of open source tools, programming libraries, and managed cloud services to orchestrate end-to-end encryption, mutual authentication, key management, credential management, and authorization policy enforcement – at massive scale.
Trust for Data-in-Motion
Modern applications are distributed and have an unwieldy number of interconnections that must trustfully exchange data. To trust data-in-motion, applications need end-to-end guarantees of data integrity, authenticity, and privacy.
Ockam empowers you with simple tools to add these controls and guarantees to any application.
Powerful Protocols, Made Simple
To be private and secure by design, applications must have granular control over every trust and access decision.
This requires a variety of complex cryptographic and messaging protocols to work together in a secure and scalable way.
Developers have to think about creating unique cryptographic keys and issuing credentials to all application entities. They have to design ways to safely store secrets in hardware and securely distribute roots of trust. They must set up communication channels that guarantee data authenticity and integrity. They must enforce authorization policies. They also need protocols that rotate and revoke credentials.
All of this gets very complicated, very quickly.
At Ockam, our mission is to empower every developer with simple tools to create applications that build trust in data.
We’ve taken proven cryptographic protocols and made them easy to use on the command line or invoke as a programming library. We handle all the underlying complexity and give you high-level and composable building blocks to create end-to-end, application layer trust in data.
End-to-End Data Integrity and Authenticity
A lot happened in the above demo.
We have an application HTTP server in Python and an application client in curl. Our goal is to create trustful communication between the application server and its clients, which run in different private networks. We want to achieve this without exposing the server to the Internet and without modifying existing client or server application code.
To make this happen, we create a relay node that runs a forwarding service exposed on the Internet. Ockam Orchestrator offers highly scalable, managed encrypted relays, but for this first demo we create a local relay. We then create a sidecar node next to our application server and another sidecar node next to our application client. All three nodes generate unique cryptographic identities and file system vaults to store private keys. All three nodes are set up to trust each other’s public keys.
We ask the server sidecar to create a TCP outlet to the application server and then ask the relay node to set up a forwarder for the server sidecar. We then ask the client sidecar to create an end-to-end encrypted and mutually authenticated secure channel with the server sidecar via the relay. Finally, we open a TCP inlet and tunnel client requests and responses through our end-to-end secure channel.
Ockam gives you the tools to create many such end-to-end secure topologies. In this example topology, the application sidecar nodes create outgoing TCP connections to the relay which allows them to communicate from behind private NATs. The relay node routes encrypted data and cannot see or tamper with it.
In a few simple commands, without dealing with the cryptographic details, we added end-to-end data integrity, authenticity, and privacy to applications that don’t have built-in trust guarantees.
Built for developers, by developers
It is hard to build and scale an application that makes identity-driven trust decisions. We created simple, composable building blocks so you can easily deliver secure and private applications to your customers.
Secure By Design
Secure By Design applications minimize their vulnerability surface and embrace the principle of least privilege.
Ockam’s end-to-end secure channels guarantee application layer data integrity and authenticity for all data-in-motion. This enables a deny-by-default security posture that minimizes an application’s vulnerability surface and brings true control over every access decision.
Modern applications operate in untrusted networks and increasingly rely on third-party services and infrastructure. This creates exponential growth in their vulnerability surface.
Ockam gives you the tools to eliminate implicit trust in networks, services, and infrastructure. Applications get provable cryptographic identities to authenticate and authorize every access decision.
Software cannot be secured from the outside. Ockam provides powerful building blocks to shift security left and make it an integral part of application design and development.
Application layer trust guarantees along with tools to manage keys, credentials and authorization policies give you granular control on the security and privacy properties of your application.
Application security is easiest and most cost-effective to solve at the source. Developer-first application layer security is the only viable approach to scalable secure applications.
Ockam makes it easy to securely manage the lifecycle of keys, identities, and credentials. We give you simple tools to authenticate and authorize using attribute-based credentials and policies.
Ockam’s protocols become ever more secure through transparency, community feedback, and scrutiny.
Add-ons can be built by anyone to create new hardware key vaults or cloud service connectors.
Ockam Orchestrator is built for enterprise scale.
Add-ons are ready-made connectors to your hosted authentication, database, and message broker services.
Virtues of the Ockam Team
Our Value is what we believe. Our Virtues are what we do.
High-Performance: Ockam is a team of doers, builders, shippers, and finishers. We created an environment where every individual is empowered to act, and trusted to be world-class in their role.
Simple: The creation of simple solutions out of complex problems is the basis for our namesake, Ockam. Every idea, product, and procedure at Ockam is refined to be as simple as it should be.
Transparent: We trust each other to be transparent, authentic, and honest. As a globally-distributed, remote-first team, transparent communication establishes our culture of trust.
Time Efficient: Time is the most valuable asset that we have. We trust each other to use our time with respect. We consider how our actions, and use of time, impact everyone else on The Team.