Ockam is a suite of open source tools, programming libraries, and managed cloud services to orchestrate end-to-end encryption, mutual authentication, key management, credential management, and authorization policy enforcement – at massive scale.
Trust for Data-in-Motion
Modern applications are distributed and have an unwieldy number of interconnections that must trustfully exchange data. To trust data-in-motion, applications need end-to-end guarantees of data integrity, authenticity, and privacy.
Ockam empowers you with simple tools to add these controls and guarantees to any application.
Join our Open Source community, start a discussion, or file an issue - or just say Hello.GitHub Discussions
Powerful Protocols, Made Simple
To be private and secure by design, applications must have granular control over every trust and access decision.
This requires a variety of complex cryptographic and messaging protocols to work together in a secure and scalable way.
Developers have to think about creating unique cryptographic keys and issuing credentials to all application entities. They have to design ways to safely store secrets in hardware and securely distribute roots of trust. They must setup communication channels that guarantee data authenticity and integrity. They must enforce authorization policies. They also need protocols that rotate and revoke credentials.
All of this gets very complicated, very quickly.
At Ockam, our mission is to empower every developer with simple tools to create applications that build trust in data.
We’ve taken proven cryptographic protocols and made them easy to use on the command line or invoke as a programming library. We handle all the underlying complexity and give you high-level and composable building blocks to create end-to-end, application layer trust in data.
Here is one example of this in action …
End-to-End Data Integrity and Authenticity
A lot happened in the above demo.
We have an application http server in python and an application client in curl. Our goal is to create trustful communication between the application server and its clients that are running in different private networks. We want to achieve this without exposing the server to the Internet and without modifying existing client or server application code.
To make this happen, we create a relay node that runs a forwarding service exposed on the Internet. Ockam Orchestrator offers highly scalable, managed encrypted relays but for this first demo we create a local relay. We then create a sidecar node next to our application server and another sidecar node next to our application client. All three nodes generate unique cryptographic identities and file system vaults to store private keys. All three nodes are setup to trust each other’s public keys.
We ask the server_sidecar to create a TCP outlet to the application server and then ask the relay node to setup a forwarder for the server_sidecar. We then ask the client_sidecar to create an end-to-end encrypted and mutually authenticated secure channel with the server_sidecar via the relay. Finally we open a TCP inlet and tunnel client requests and responses through our end-to-end secure channel.
Ockam gives you the tools to create many such end-to-end secure topologies. In this example topology, the application sidecar nodes create outgoing TCP connections to the relay which allows them to communicate from behind private NATs. The relay node routes encrypted data and cannot see or tamper with it.
In a few simple commands, without dealing with the cryptographic details, we added end-to-end data integrity, authenticity and privacy to applications that don’t have built in trust guarantees.
Built for developers, by developers
It is hard to build and scale an application that makes identity driven trust decisions. We created simple, composable building blocks so you can easily deliver secure and private applications to your customers.
Secure By Design
Secure By Design applications minimize their vulnerability surface and embrace the principle of least privilege.
Ockam’s end-to-end secure channels guarantee application layer data integrity and authenticity for all data-in-motion. This enables a deny-by-default security posture that minimizes an application’s vulnerability surface and brings true control over every access decision.
Modern applications operate in untrusted networks and increasingly rely on third-party services and infrastructure. This creates exponential growth in their vulnerability surface.
Ockam gives you the tools to eliminate implicit trust in networks, services, and infrastructure. Applications get provable cryptographic identities to authenticate and authorize every access decision.
Software cannot be secured from the outside. Ockam provides powerful building blocks to shift security left and make it an integral part of application design and development.
Application layer trust guarantees along with tools to manage keys, credentials and authorization policies give you granular control on the security and privacy properties of your application.
Application security is easiest and most cost-effective to solve at the source. Developer-first application layer security is the only viable approach to scalable secure applications.
Ockam makes it easy to securely manage the lifecycle of keys, identities, and credentials. We give you simple tools to authenticate and authorize using attribute-based credentials and policies.
Ockam’s protocols become ever more secure through transparency, community feedback, and scrutiny.
Add-ons can be built by anyone to create new hardware key vaults or cloud service connectors.
Ockam Orchestrator is built for enterprise scale.
Add-ons are ready-made connectors to your hosted authentication, database, and message broker services.
How is Ockam Used?
Ockam can, and should, be used between every application, everywhere.
Orchestrate at Scale
Modern applications are made up of an unmanageable number of ephemeral microservices. They are distributed, multi-cloud, and rely upon dozens of cloud marketplace services. With so many endpoints that need to interoperate, it’s become impossible to manage.
Ockam’s key generation and handshake protocols allow for dynamic, massive-scale orchestrations across complex network topologies.
Get Out of the Middle
You are building an app that moves data from over-there to over-there. Perhaps it’s a message service like Kafka or RabbitMQ?
You don’t want to be liable for data that moves through your service; Particularly if its HIPAA or PCI protected data!
Ockam’s end-to-end encryption originates at the data-source and terminates at the data-target , so your app-in-the-middle can not decipher data-in-motion.
Trust Anything, Anywhere
If you access data in a VPC, you are exposing your applications to threats by exposing your VPC to the internet.
Ockam’s inlets and outlets create topologies that eliminate threats from the internet for applications in VPCs. Effectively, your data can move from from VPC to VPC without exposing either application to the internet. Virtually, the applications are running next to each other in the same environment.
Ockam is for Everyone
We built Ockam with all builders in mind. We have two different configurations for you to choose from:
The Tools for Builders
Ockam Open Source can be used for small scale projects, with simple architectures, that can be manually configured.
Ockam Open Source has all of the Ockam protocols, tools, and programming libraries that a developer needs to Build Trust.
- Scale: Manually configurable
- Key generation and storage
- Secure Channels
- End-to-end encrypted messaging
- Ready-to-use Packages
- Community Supported
- Apache 2 License Get Started
The Service for Enterprises
Ockam Orchestrator is a fully-managed cloud service that includes all of the features and tools of Ockam Open Source. Orchestrator also has all of the features that you need to collaborate with your team, to integrate with automated infrastructure, to connect with data-layer stores and message brokers, and to facilitate massive scale throughput.
- Scale: Automation-required
- Key policy management
- Add-on connectors to data services
- Attribute Based Access Controls (ABAC)
- Message delivery guarantees
- Enterprise-grade support
- AWS Marketplace Get Started