Zero Trust Architecture
CaseBender implements a Zero Trust security model aligned with NIST SP 800-207. No service, user, or device is implicitly trusted regardless of network location.Core Principles
- Verify Explicitly: Every request is authenticated and authorized based on all available data points — identity, device health, location, service identity, and data classification
- Least Privilege Access: Users and services receive the minimum permissions required for their function, with just-in-time elevation for privileged operations
- Assume Breach: The architecture assumes any component can be compromised and limits blast radius through segmentation and isolation
Device Trust Assessment
Every client device connecting to CaseBender is assessed for trust level:| Trust Level | Criteria | Access Granted |
|---|---|---|
| Full | Managed device, up-to-date OS, EDR active, compliant configuration | All operations including sensitive data |
| Elevated | Known device, recent OS, security software present | Standard operations, restricted sensitive data |
| Standard | Authenticated user, basic device info available | Read operations, limited write access |
| Reduced | Unknown device or outdated security posture | Read-only access, step-up required for any changes |
| Untrusted | Failed device checks or suspicious indicators | Access denied, security alert generated |
Mutual Service Authentication
Microservices within CaseBender authenticate to each other using HMAC-based mutual authentication:- Each service has a unique identity and signing key
- Every inter-service request includes a cryptographic signature
- Receiving services verify the signature before processing
- Replay attacks are prevented with timestamp-based nonce validation
- Key rotation is automated and does not require service restarts
Step-Up Authentication
Sensitive operations require re-authentication regardless of existing session validity:- Bulk operations: Deleting or modifying more than 10 entities
- Configuration changes: Security settings, integration credentials, RBAC policies
- Privileged access: PAM elevation requests, role assignments
- Data export: Bulk data exports, audit log downloads
- Administrative actions: User management, organization settings
Service Architecture
CaseBender is composed of isolated microservices, each with a single responsibility:Service Inventory
| Service | Purpose | Exposed Ports | External Access |
|---|---|---|---|
| web | Next.js application server, UI, and tRPC API | 3000 | Yes (via reverse proxy) |
| api | RESTful API for external integrations | 4000 | Yes (via reverse proxy) |
| worker | Background job processing (alerts, enrichment, SLA) | None | No |
| ingestion | Alert ingestion from external sources | 4100 | Yes (via reverse proxy) |
| workflow-processor | Playbook and workflow execution | None | No |
| misp-processor | MISP threat intelligence processing | None | No |
| search-sync | Elasticsearch synchronization | None | No |
Service Isolation
- Each service runs in its own container with a dedicated non-root user
- Services that do not need external access have no exposed ports
- Inter-service communication uses authenticated internal channels
- Each service has its own resource limits (CPU, memory)
- Container images use minimal Alpine Linux base images to reduce attack surface
Network Security
Segmentation
CaseBender’s network architecture separates concerns into distinct zones:- Public Zone: Reverse proxy / load balancer (the only externally accessible component)
- Application Zone: Web, API, and ingestion services (accessible only from public zone)
- Processing Zone: Worker, workflow-processor, misp-processor, search-sync (no external access)
- Data Zone: PostgreSQL, Redis, Elasticsearch (accessible only from application and processing zones)
Communication Security
- All external traffic requires TLS 1.3 (TLS 1.2 minimum with strong cipher suites)
- Inter-service communication uses mutual TLS or HMAC authentication
- Database connections are encrypted with SSL certificates
- Redis connections use AUTH and TLS
- Elasticsearch connections use API key authentication over TLS
Rate Limiting
CaseBender implements multi-layer rate limiting:- Global: Protects the entire platform from volumetric attacks
- Per-API-Key: Tier-based limits (Standard, Professional, Enterprise)
- Per-Endpoint: Sensitive endpoints (login, password reset) have stricter limits
- Sliding Window: Prevents burst attacks while allowing legitimate traffic patterns
Multi-Tenant Security
Tenant Isolation
CaseBender supports multi-tenant deployments with strict data isolation:- Database-Level: Every query is scoped to the tenant’s
organizationId— there is no way to query across tenants - Application-Level: Middleware enforces tenant context on every request before it reaches business logic
- API-Level: API keys are scoped to a specific tenant and cannot access other tenants’ data
- Search-Level: Elasticsearch indices are tenant-scoped with filtered aliases
TLP Classification
The Traffic Light Protocol (TLP) provides an additional layer of data access control:| TLP Level | Visibility | Use Case |
|---|---|---|
| TLP:RED | Named recipients only | Active incident details, threat actor attribution |
| TLP:AMBER+STRICT | Organization only, restricted sharing | Vulnerability details, internal investigation notes |
| TLP:AMBER | Organization and clients | Threat intelligence, remediation guidance |
| TLP:GREEN | Community-wide | General security advisories, best practices |
| TLP:CLEAR | Unrestricted | Public information, published CVEs |
Container Security
Build-Time Hardening
Every CaseBender container image follows security best practices:- Multi-Stage Builds: Build dependencies are not included in production images
- Non-Root Users: All services run as dedicated non-root users
- Minimal Base Images: Alpine Linux to minimize attack surface
- Pinned Dependencies: All system packages and tools are version-pinned
- Frozen Lockfiles:
pnpm install --frozen-lockfileensures reproducible builds - No Secrets in Images: All secrets are injected at runtime via environment variables or secrets providers
Runtime Hardening
- Read-only root filesystem (where supported)
- Dropped Linux capabilities
- Resource limits (CPU, memory, file descriptors)
- Health check endpoints for orchestrator monitoring
- Graceful shutdown handling for zero-downtime deployments
Related Documentation
- Data Protection — Encryption, classification, and secrets management
- Authentication — MFA, SSO, and session management
- Supply Chain Security — Container signing and build verification
- Hardening Guide — Deployment hardening recommendations