Security

User security in the digital realm hinges on a multi-faceted approach that combines advanced technologies and rigorous protocols to safeguard against diverse threats. This page is written top-down, so that you can follow how security is thought out and implemented in Synk Workspace, from the user's login down to the network.

Authentication & Authorization

We prioritize robust authentication mechanisms to protect user access to the SYNK platform. Users can authenticate through multiple options: Multi-Factor Authentication (coming soon) for enhanced security, wallet-based authentication for seamless Web3 integration, and classic email or address-based methods. These options give flexibility without compromising security, letting users choose the most secure and convenient way to access the platform.

Those with an interest in infosec will notice that the third A (Accountability) is missing. The explanation is straightforward: we plan to build a non-repudiable platform, with authentication and authorization performed entirely through zero-knowledge mechanisms. In the future, we plan to integrate more kinds of authentication mechanisms, such as physical ones.
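The page does not describe how wallet-based sign-in works, so here is an added example (not Synk's code) of the server side of a wallet challenge-response login in Go. The server issues a nonce bound to its domain, the wallet address and an expiry; the wallet signs exactly that text; the server verifies the signature, rejects expired challenges and consumes each nonce so a captured signature cannot be replayed. Ed25519 from the Go standard library stands in for the wallet's real signature scheme, `workspace.synk.example` is a placeholder domain, the address is taken to be the hex of the public key, and the challenge layout follows the shape of EIP-4361 (Sign-In With Ethereum); all four are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Placeholder domain for the challenge text (assumption, not a Synk value).
const signInDomain = "workspace.synk.example"

// Challenge is the text the wallet signs. Binding domain, address, a fresh
// nonce and an expiry into it is what stops a signature captured on one
// site from being replayed on another, or later.
type Challenge struct {
	Address   string
	Nonce     string
	IssuedAt  time.Time
	ExpiresAt time.Time
}

func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf(
		"%s wants you to sign in with your wallet:\n%s\n\nNonce: %s\nIssued At: %s\nExpiration Time: %s",
		signInDomain, c.Address, c.Nonce,
		c.IssuedAt.UTC().Format(time.RFC3339), c.ExpiresAt.UTC().Format(time.RFC3339)))
}

var (
	ErrUnknownNonce = errors.New("unknown or already used nonce")
	ErrExpired      = errors.New("challenge expired")
	ErrBadSignature = errors.New("signature does not verify for the challenged address")
)

// Server remembers outstanding nonces so each is redeemable exactly once.
// The clock is injectable so expiry can be tested deterministically.
type Server struct {
	mu      sync.Mutex
	pending map[string]Challenge
	now     func() time.Time
}

func NewServer(now func() time.Time) *Server {
	return &Server{pending: map[string]Challenge{}, now: now}
}

// Issue creates a challenge for the wallet address that asked to sign in.
func (s *Server) Issue(address string) Challenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	now := s.now()
	c := Challenge{Address: address, Nonce: hex.EncodeToString(nonce),
		IssuedAt: now, ExpiresAt: now.Add(5 * time.Minute)}
	s.mu.Lock()
	s.pending[c.Nonce] = c
	s.mu.Unlock()
	return c
}

// Verify consumes the nonce whatever the outcome, then checks that the
// signature is over the server's own challenge text and was made by the
// key that owns the challenged address.
func (s *Server) Verify(pub ed25519.PublicKey, nonce string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.pending[nonce]
	if !ok {
		return ErrUnknownNonce
	}
	delete(s.pending, nonce)
	if s.now().After(c.ExpiresAt) {
		return ErrExpired
	}
	if WalletAddress(pub) != c.Address || !ed25519.Verify(pub, c.Message(), sig) {
		return ErrBadSignature
	}
	return nil
}

// WalletAddress: hex of the raw key stands in for a real wallet's address
// derivation (assumption).
func WalletAddress(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(time.Now)
	c := srv.Issue(WalletAddress(pub))
	sig := ed25519.Sign(priv, c.Message()) // the wallet's side of the exchange
	fmt.Println("first use:", srv.Verify(pub, c.Nonce, sig)) // <nil>
	fmt.Println("replay:   ", srv.Verify(pub, c.Nonce, sig)) // unknown or already used nonce
}
```

The wallet side is a single `ed25519.Sign` over `Challenge.Message()`. What makes the login non-replayable is that the signed text is the server's, not the client's, and that the nonce is deleted before the signature is even checked, so a failed attempt cannot be retried with the same challenge either.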

Application

Let's start with the basics; they are simple and standard. We will provide the latest stable and safe versions of applications, while keeping a constant watch on Cyber Threat Intelligence feeds and monitoring exploits and CVEs affecting Workspace applications.

Where possible, applications will be compiled with hardened flags and state-of-the-art hardening applied. For example, for a web browser we will provide a debloated build, with advertising and privacy-hostile components removed and hardened policies enforced.

Future apps submitted to the Hub Application will be forwarded to security experts and auditors, who will ensure safety for the user as well as protection against supply-chain attacks. The audit program will be open and available online to everyone, for transparency. Once the security audit is approved, the app will be submitted to the community, which will decide on its suitability for Synk Workspace.

Containers

Each container will have its own set of detection rules, and the user is notified when one fires. Synk Workspace is configured as proactive by default, meaning it kills the container at first sight of a detection (advanced users are allowed to override this setting).

Containers will be built following NIST's advanced hardening specifications.

Orchestration

A central pillar of our security framework is the use of containerized environments, managed by Kubernetes, which provide isolation for decentralized applications (dApps). Every application runs in its own container, separated from the others. This prevents cross-application interference and confines the effects of a vulnerable app to its own container, reducing the attack surface and improving the resilience of the system as a whole.

Our Kubernetes orchestration follows NIST guidelines, so that it meets widely recognized security standards. In line with those guidelines we apply strict role-based access control (RBAC), continuous monitoring, and automated security patching. These measures help prevent unauthorized access and keep every component of the system up to date against known vulnerabilities.
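To make the container hardening (Containers section) and the Kubernetes controls above concrete, here is an added example, not Synk's code, in Go: an admission-style check that takes a Pod's `spec` as JSON and lists the settings that would let an app break out of its container. The rules are largely the Kubernetes Pod Security Standards "restricted" profile (no host network, no privileged mode, runAsNonRoot, no privilege escalation, all capabilities dropped, a seccomp profile), plus a read-only root filesystem and images pinned by digest for supply-chain integrity. The `WeakPod` and `HardenedPod` specs are constructed for the example and the image digest is a placeholder; the struct types are a hand-written subset of the Kubernetes API, not the k8s.io/api types.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Hand-written subset of a Pod's "spec" using the Kubernetes JSON field
// names, so the block runs with the standard library only (not k8s.io/api).
type PodSpec struct {
	HostNetwork bool        `json:"hostNetwork"`
	Containers  []Container `json:"containers"`
}

type Container struct {
	Name            string          `json:"name"`
	Image           string          `json:"image"`
	SecurityContext SecurityContext `json:"securityContext"`
}

// Pointers distinguish "explicitly false" from "not set" (an unset
// allowPrivilegeEscalation, for instance, defaults to true at runtime).
type SecurityContext struct {
	Privileged               *bool `json:"privileged"`
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
	ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
	Capabilities             struct {
		Drop []string `json:"drop"`
	} `json:"capabilities"`
	SeccompProfile struct {
		Type string `json:"type"`
	} `json:"seccompProfile"`
}

func isTrue(b *bool) bool  { return b != nil && *b }
func isFalse(b *bool) bool { return b != nil && !*b }

func dropsAll(caps []string) bool {
	for _, c := range caps {
		if c == "ALL" {
			return true
		}
	}
	return false
}

// Violations returns one message per hardening rule the spec breaks; an
// empty result means the pod may be admitted.
func Violations(specJSON []byte) ([]string, error) {
	var p PodSpec
	if err := json.Unmarshal(specJSON, &p); err != nil {
		return nil, err
	}
	var v []string
	if p.HostNetwork {
		v = append(v, "pod: hostNetwork shares the node's network namespace")
	}
	for _, c := range p.Containers {
		sc := c.SecurityContext
		fail := func(msg string) { v = append(v, c.Name+": "+msg) }
		if !strings.Contains(c.Image, "@sha256:") {
			fail("image not pinned by digest; a tag can be repointed upstream")
		}
		if isTrue(sc.Privileged) {
			fail("privileged disables nearly all container isolation")
		}
		if !isTrue(sc.RunAsNonRoot) {
			fail("runAsNonRoot must be true")
		}
		if !isFalse(sc.AllowPrivilegeEscalation) {
			fail("allowPrivilegeEscalation must be explicitly false")
		}
		if !isTrue(sc.ReadOnlyRootFilesystem) {
			fail("readOnlyRootFilesystem must be true")
		}
		if !dropsAll(sc.Capabilities.Drop) {
			fail("capabilities.drop must include ALL")
		}
		if t := sc.SeccompProfile.Type; t != "RuntimeDefault" && t != "Localhost" {
			fail("seccompProfile.type must be RuntimeDefault or Localhost")
		}
	}
	return v, nil
}

// Constructed specs for the same hypothetical browser app: a typical
// "it works" manifest, then the hardened one (the digest is a placeholder).
const WeakPod = `{"hostNetwork": true, "containers": [{"name": "browser",
  "image": "synk/browser:latest", "securityContext": {"privileged": true}}]}`

const HardenedPod = `{"containers": [{"name": "browser",
  "image": "registry.example/synk/browser@sha256:0000000000000000000000000000000000000000000000000000000000000000",
  "securityContext": {"privileged": false, "runAsNonRoot": true,
    "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false,
    "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}}]}`
```

`Violations([]byte(WeakPod))` reports eight problems, one per missing control; the hardened spec reports none. In a cluster the same logic would sit in a validating admission webhook (or be expressed as a Pod Security Admission or policy-engine rule) so that a non-compliant app container never gets scheduled.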

In addition to these container and Kubernetes-focused measures, we incorporate detection mechanisms based on Indicators of Compromise (IoCs) and YARA rules. IoCs are known-bad artifacts from threat intelligence, such as file hashes, IP addresses and domains; matching observed activity against them enables early detection and response. YARA rules identify and classify malware by matching byte strings and structural patterns inside files, so that a malicious payload can be recognized and neutralized quickly.
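The detection loop described in the Containers section and here, as an added example that is not Synk's code: Go code that parses runtime events given as key=value log lines, looks up file hashes, IPs and domains in an IoC set, and applies the proactive kill-by-default policy with the per-container override that advanced users get. The log format, the `AlertOnly` override and all sample data (a hash of a made-up byte string, IPs from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, example.net domains) are constructed for the example. YARA rules are not reimplemented; in practice the YARA engine scans the container's files and its matches feed the same `Finding` and `Policy` path.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Action taken on a detection: proactive mode (the documented default)
// kills the container, otherwise the user is only alerted.
type Action string

const (
	ActionAlert Action = "alert"
	ActionKill  Action = "kill"
)

// Policy holds the global mode plus per-container overrides; AlertOnly is
// an assumed representation of the advanced-user setting.
type Policy struct {
	Proactive bool
	AlertOnly map[string]bool
}

func (p Policy) Decide(container string) Action {
	if p.Proactive && !p.AlertOnly[container] {
		return ActionKill
	}
	return ActionAlert
}

// IoCs maps a known-bad indicator (file hash, IP, domain) to its feed label.
type IoCs map[string]string

type Finding struct {
	Container, Reason string
	Action            Action
}

// Assumed log format: space-separated key=value pairs from the runtime,
// e.g. "container=wallet kind=connect ip=198.51.100.7".
var kvPair = regexp.MustCompile(`(\w+)=(\S+)`)

func parseLine(line string) map[string]string {
	ev := map[string]string{}
	for _, m := range kvPair.FindAllStringSubmatch(line, -1) {
		ev[m[1]] = m[2]
	}
	return ev
}

// ScanLogs looks up every indicator field of each event in the IoC set and
// applies the kill/alert policy of the container that produced the event.
func ScanLogs(lines []string, iocs IoCs, pol Policy) []Finding {
	var out []Finding
	for _, line := range lines {
		ev := parseLine(line)
		c := ev["container"]
		for key, val := range ev {
			if key == "container" || key == "kind" {
				continue
			}
			if label, hit := iocs[val]; hit {
				out = append(out, Finding{c, fmt.Sprintf("%s %s: %s", key, val, label), pol.Decide(c)})
			}
		}
	}
	return out
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Constructed sample data: the hash is of a made-up byte string, the IPs
// are from documentation ranges, the domains are under example.net.
var sampleBinary = []byte("constructed-malware-sample")

func SampleIoCs() IoCs {
	return IoCs{
		sha256Hex(sampleBinary): "known-bad binary (constructed)",
		"198.51.100.7":          "C2 address (constructed)",
		"bad.example.net":       "C2 domain (constructed)",
	}
}

func SampleLogs() []string {
	return []string{
		"container=browser kind=exec sha256=" + sha256Hex(sampleBinary),
		"container=wallet kind=connect ip=198.51.100.7",
		"container=terminal kind=dns name=update.example.net",
		"container=browser kind=connect ip=203.0.113.9",
	}
}

func main() {
	pol := Policy{Proactive: true, AlertOnly: map[string]bool{"wallet": true}}
	for _, f := range ScanLogs(SampleLogs(), SampleIoCs(), pol) {
		fmt.Printf("%-8s %-5s %s\n", f.Container, f.Action, f.Reason)
	}
}
```

With the sample data, the browser's execution of the known-bad hash is killed while the wallet's connection to the C2 address only raises an alert, because the wallet container was downgraded to alert-only; the benign DNS lookup and the unlisted IP produce nothing. The policy decision is deliberately separate from the matching, so the same findings can be replayed under a different mode without rescanning.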

By reinforcing container security with Kubernetes orchestration, NIST-aligned practices and multiple authentication mechanisms, combined with IoC matching and YARA rules, we provide a layered defense. This lets SYNK users operate in a secure and resilient environment, protected against both known and emerging threats.

Nodes

As we plan to rely on different kinds of nodes for the computing side, we must specify clearly, from the beginning, our security requirements for this critical part of the system. First, to ensure privacy, we need to run containers on trusted infrastructure providers. They must offer Secure Enclave technology (Confidential Computing) so that users' data stays private while it is being processed. We plan to use a wallet mechanism to lock and unlock enclaves, meaning only you can access your enclave, even in the event of a physical breach at the provider. In practice, that unlock step also needs to check the enclave's remote attestation, so that secrets are released only to a genuine, correctly measured enclave.

Network

Network attacks are a real threat today, and many man-in-the-middle attacks are carried out by malicious actors. There are ways to prevent them, and we will make sure attackers cannot break in over the network by layering network security controls (defense in depth).

By restricting the ports exposed to users and encrypting every client session end to end, we deny malicious actors the ability to read or tamper with traffic between the SYNK workspace and the user. This mitigates the impact of OSI layer 2 attacks (for example ARP spoofing) and layer 3 attacks (for example route hijacking), since an attacker who gets into the path sees only ciphertext, safeguarding the integrity of the network.

Furthermore, by offering a VPN or Tor as the egress path from the SYNK workspace, we protect user traffic from being monitored or linked back to the user once it leaves our network. This additional layer, commonly used by organizations to hinder traffic analysis and to keep their real addresses out of reach of DDoS attacks, keeps users' data private beyond our perimeter.

In addition to Tor and traditional VPNs, we will explore new ways to give users secure internet access. These options will be developed continuously and made available as standalone applications in our dApp store, expanding the range of tools users can choose from to enhance their online privacy and security.
