Personal training in Windows and security
News

SURFconext passes purple team exercise with flying colours

We regularly have the security of our services tested. Recently, it was the turn of authentication and authorisation service SURFconext. A specialised, external party subjected this service to a two-week purple team exercise: an exercise to break into SURFconext's systems. And what emerged? SURFconext's security is in extremely good shape.

Purple team exercise, what is it?

In a purple team exercise, a red team and a blue team work together to carry out an attack on an online environment. This exercise specifically involved SURFconext's infrastructure and the systems and networks of the underlying platform (SVP). The red team consists of the attackers, in this case the external party, Chapter8. The blue team consists of the defenders: the SURFconext team and someone from Chapter8. Red and blue together make purple, hence the name.

Special coin

After two full weeks of 'hacking', the red team had failed to penetrate SURFconext's systems and obtain the crown jewels, such as key material and personal data. The SURFconext team therefore received a special coin from Chapter8 as a token of this exceptionally good security. In the past five years, this coin has only been awarded once before.

In this blog, you can read more about the purple team exercise with SURFconext.

Keep striving for improvement

The exercise did reveal some areas of concern for the service. One of them is that security is designed primarily to keep attackers out: once they are in, their presence is not easy to see. This is therefore something the SURFconext team will work on. It is important to keep striving to improve. For that reason, a risk inventory is also carried out every year, and the team tackles the points that score highest on the combination of probability and impact.

About SURFconext

Every year, more than 260 million students, staff, teachers and researchers log in via SURFconext to cloud services used by education and research institutions. SURFconext provides a single interface for all cloud services. It is also secure and convenient: users gain access with just one account, that of the institution (single sign-on).

Processing this large number of authentications (safely) requires robust and reliable software. SURF has developed this software itself. It is open source and available under the name OpenConext. Read more about it in this blog.
