entityOS Security — CTO Implementation

Open to register.
Restricted to access.

Two zones. Two firewalls. One certificate authority. IP restriction and mTLS certificate identity can be deployed independently or combined — matched to the access pattern of each user type in your organisation.

See the Architecture Implementation Stages
Scroll

The Architecture

Two zones. One user agent.

Zone 1 — Open

register.entityos.io

The intentionally public registration surface. A user agent visits here to submit their IP and certificate request. No identity required to reach this zone — it is the controlled onramp.

register.entityos.io
  • Accepts IP address submissions + CSRs
  • Validates pre-exchanged unique security code
  • Writes to entityOS Storage
  • Process function: routes IP + cert requests
  • Access Firewall: Standard Rules only
Zone 2 — Restricted (Closed)

entityos.cloud

The protected application surface. The restricted firewall supports three rule types — Standard Rules, IP Set, and X.509 Certs — which can be enabled independently or together depending on the access pattern of the user or device.

entityos.cloud
  • Firewall: Standard Rules + IP Set and/or X.509 Certs
  • IP Set alone: suits fixed corporate desktops and office networks
  • X.509 / mTLS alone: suits mobile or remote users with no fixed IP
  • IP Set + X.509: maximum assurance — both must pass
  • entityOS CA signs all certificates regardless of combination

Architecture Diagram

The complete system.

Every component and flow from User Agent to Certificate Authority, mapped from the entityOS security architecture.

User Agent e.g. Web Browser Register to Access Access Permissioned Open Restricted (Closed) ip. & cert. register.entityos.io "Safe" IP Addresses With Unique Security Code (Pre-Exchanged) App URLs entityos.cloud Registered IP Addresses &/or X.509 Certs (mTLS) Access Firewall (Standard) Standard Rules Access Firewall (Restricted) Standard Rules IP Set X.509 Certs Register IPs, Cert Requests & Codes Storage Process IPs, Cert Requests & Security Codes IP Address Cert Request Network Access IP Rules Sync IPs entityOS CA Certificate Authority Sign X.509 Certificates Auth Resources (Objects, Files etc) Open zone (orange dashes) Restricted zone (red dashes) Firewall (green) IP Sync (magenta) Cert Authority (violet) Data flows (green solid)

Implementation Mechanisms

IP restriction or mTLS — or both.

These are two independent mechanisms. Each can be deployed on its own. The right combination depends on the access pattern of the user or device, not a mandated sequence.

Mechanism 1 — IP Restriction
IP Set + Sync

Register and allowlist IP addresses

The user agent registers its IP via register.entityos.io. The IP is processed and synced to the restricted firewall's IP Set. Any connection from that IP is admitted — no certificate required. Best suited to fixed, predictable network locations.

  • Deploy register.entityos.io — the open registration endpoint
  • Implement Storage + Process function for IP registration
  • Configure WAF IP Set rule on the restricted firewall
  • Wire Network Access IP Rules → Sync IPs → IP Set
  • Remove 0.0.0.0/0 inbound rules — only registered IPs admitted
  • Validate: registered IPs pass, all others dropped
Suited to
Corporate desktops on a fixed office network or static IP range — known locations, no need for per-device certificates.
Mechanism 2 — X.509 / mTLS
entityOS CA + Certs

Register and issue X.509 certificates

The user agent registers its CSR via register.entityos.io. entityOS CA signs the certificate. The client presents it on every connection via mTLS. The restricted firewall validates the cert — no fixed IP required. Best suited to mobile or roaming users.

  • Deploy entityOS CA (ACM Private CA or entityOS-managed)
  • Extend register.entityos.io to accept cert signing requests (CSRs)
  • Wire Process → entityOS CA → Sign X.509 flow
  • Add X.509 Certs rule to the restricted firewall
  • Configure API Gateway for mutual TLS enforcement
  • Implement cert rotation and revocation via entityOS CA
Suited to
Laptops working from home, cafes, or client sites — roaming IPs, but a device-bound certificate that travels with the user.
Combined

IP Set + X.509 together — maximum assurance

Both mechanisms can be active simultaneously on the same restricted firewall. The IP Set and the X.509 Certs rule are independent checks — a connection can be required to pass one, the other, or both, depending on your policy. This means a single organisation can run mixed access patterns in parallel: office desktops on IP allowlisting, and laptops on mTLS certificates, all terminating at the same entityos.cloud endpoint.

Corporate desktop
Fixed office IP → IP Set check passes → access granted. No cert needed.
Laptop out of office
Dynamic IP → IP Set fails → X.509 mTLS cert checked → access granted.

System Components

What you're building — by zone.

Six components, directly from the architecture diagram. Each has a zone, a function, and a dependency.

Open Zone

register.entityos.io

The public registration endpoint. Intentionally open — no cert required to reach it. Validates the pre-exchanged security code before passing submissions downstream.

  • Accepts IP + CSR + security code
  • Standard Firewall rules only
  • Entry point to the registration pipeline
Open Zone

Storage + Process

The open zone's backend. Persists all registration submissions, then routes them: IPs go to the IP Rules engine, cert requests go to entityOS CA.

  • entityOS cloud storage layer
  • IP → Network Access IP Rules
  • Cert request → entityOS CA
Restricted Zone

Access Firewall (Restricted)

The primary gate of entityos.cloud. Three simultaneous rule types — all must pass. Anonymous traffic is dropped before any application code executes.

  • Standard Rules — base WAF policy
  • IP Set — registered IPs only
  • X.509 Certs — valid cert for mTLS
Restricted Zone

Network Access IP Rules + Sync IPs

Receives processed IP addresses from the open zone. Sync IPs propagates them to the restricted firewall's IP Set in near real time — keeping both zones coordinated.

  • Receives IP from Process function
  • Sync IPs → updates IP Set rule
  • Near real-time propagation
Restricted Zone

entityOS CA

The certificate authority for the entire system. Signs X.509 certificates on request. Feeds signed certs back to the client and registers them with the firewall's cert rule.

  • Signs X.509 certificates
  • Feeds cert to firewall X.509 rule
  • Manages rotation + revocation
Restricted Zone

Auth + Resources

The application layer — only reachable after the firewall passes both the IP Set and X.509 checks. Contains authentication logic and all protected objects and files.

  • Unreachable without valid IP + cert
  • Objects, Files, application resources
  • App-layer auth as final check

Registration Flow

What happens when a user agent registers.

Five sequential steps. Two parallel outputs (IP + cert). One verified identity.

01
User agent visits register.entityos.io
The agent opens a connection to the open zone. No certificate required. The Access Firewall (Standard) applies basic rules. The registration surface is deliberately reachable from any IP.
Open Zone
02
Submit IP + CSR + pre-exchanged security code
The agent submits its IP address, a certificate signing request, and the unique security code issued at onboarding. The code prevents unauthenticated bulk registration. The submission is written to Storage.
Registration
03a
Process routes IP → Network Access IP Rules → Sync IPs → IP Set
The IP address is extracted and sent to the Network Access IP Rules engine in the restricted zone. Sync IPs propagates it to the restricted firewall's IP Set. The agent's IP is now trusted at the network boundary.
IP Path
03b
Process routes CSR → entityOS CA → Sign X.509 Certificates
In parallel, the CSR is forwarded to entityOS CA. The CA validates and signs it, producing a trusted X.509 cert. The signed cert is returned to the agent and registered with the firewall's X.509 Certs rule.
Cert Path
04
Agent accesses entityos.cloud — IP Set + X.509 mTLS both pass
The agent connects to entityos.cloud presenting its registered IP and signed X.509 cert. The restricted firewall checks all three rule types. IP Set: pass. X.509 mTLS handshake: pass. Auth and Resources become reachable.
Restricted Zone
Unregistered agent — dropped at the restricted firewall
Any connection without a registered IP or valid X.509 cert is dropped silently at the firewall. No application code runs. No response is returned that could aid reconnaissance or scanning.
Blocked

The Model

Match the mechanism to the access pattern.

IP restriction for fixed locations. mTLS for roaming devices. Both for maximum assurance. One registration surface, one certificate authority, one restricted firewall — configured to fit your organisation's real-world access patterns.

The Solution Implementation Stages
The two mechanisms are independent — not sequential. IP restriction alone works for fixed locations. mTLS alone works for roaming devices. Both together gives maximum assurance. A single organisation can run all three patterns simultaneously against the same restricted firewall — the combination is determined by the access pattern of each user or device, not a mandated rollout order.