Protecting Your Company's Secrets in the Cloud-Native Age
December 07, 2017

George Wainblat
Unbound Technology

Modern businesses are migrating to a cloud-based model for hosting sensitive data to gain agility and cost savings and to keep pace with customer demand. Cloud-Native methodologies such as DevSecOps, continuous delivery, containers and microservices are essential building blocks of the digital business revolution. However, moving information and technologies from hardware to software raises a security concern that has become a top challenge for both IT and the C-level: applications built on top of microservices and containers in a Cloud-Native environment rely on a wide variety of secrets in order to function.

Define "Secret"

When it comes to cloud-native data and large volumes of information, secrets come in many forms. Most simply, a secret is anything that would harm a business's reputation if exposed, as seen in the recent hack of HBO, which leaked unaired episodes of Game of Thrones, and the now infamous Equifax breach, which exposed millions of sensitive consumer records.

Cloud-native security likewise has many types of secrets to protect. Three of the main types that must be protected in the cloud are:

Sensitive Security Information (SSI) is confidential business material such as revenue and profit figures, and even cyber threat information.

Personally Identifiable Information (PII) is any information that pertains to you as an individual, for example your name, address and social security number.

IT Systems Security Information is the information that underpins a company's technology infrastructure, such as encryption keys (private and symmetric), certificates, and cloud service access credentials (e.g. AWS IAM).

Existing Obstacles

In an effort to not become the "next Equifax" and keep these cloud-native methodologies secure, there are several obstacles IT departments must address:

Secrets proliferation: keeping various secrets in multiple locations (on-premises, in the cloud and hybrid) makes managing them cumbersome, because the secrets are decentralized and difficult to control. In addition, having secrets managed by different administrators translates to a lack of control and commonly results in oversights by personnel. Segmented visibility confuses local administrators, because they have no clear view of how secrets are accessed and used by different applications across the organization.

Another challenge organizations face is the use of dual infrastructures, legacy IT alongside modern Cloud-Native environments, in which keys are duplicated in both the classical IT environment and the cloud. The underlying issue is that cloud-native systems cannot securely access resources that are external to the cloud environment.

The third issue is the high level of trust placed in hardware, which is viewed as the security standard because its root of trust for securing secrets is physical. Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) do not fit architecturally into software-defined security, precisely because of their physical nature. However, given the pressure on businesses to migrate to the cloud, companies are looking to overcome this obstacle. Cloud-native security must therefore be scalable, interconnected and dynamic, mirroring the reach and capabilities of cloud methodologies while remaining as secure as hardware.

Business Implications

Having recognized that the above obstacles leave holes that can gravely impact a business, we must understand the security breaches that can follow from a lack of proper secrets protection.

A data breach, a man-in-the-middle attack and certificate or credential theft are just a few examples of the cyberattacks that can occur when cloud-native secrets are not protected properly. Once a company is hacked, the business implications are costly and can be devastating. Looking back at the Home Depot and Target breaches, the impact on sales was long-lasting, even for brands of their magnitude. Other implications include lawsuits if you are a company that holds sensitive information such as home addresses and social security numbers, as Equifax did. According to research by the British insurance company Lloyd's, the damage from hacks costs businesses $400 billion a year.

The Software Vault

As the potential damage of a breach has become visible in practice, a different set of vault-like tools has begun to emerge in the Cloud-Native ecosystem for containing secrets. Encrypted data can rest within the software-defined vault and be handed to applications as needed, an easy and scalable option for large enterprises. However, just as a physical vault is only as secure as the hiding place of the key that unlocks it, the vault's contents must be protected to ensure the security of the data, which attackers highly covet. To keep vaulted cloud-native secrets secure, the encryption keys must be safeguarded, meaning the keys require their own security measures.

There are many obstacles to overcome with a cloud-based security model, and securing secrets and sensitive information is paramount in today's risk-prone world. With security breaches becoming more prevalent and brands taking heavy hits as a result, a software-defined strategy can offer modern companies benefits such as scalability, agility and security. Companies that choose to utilize the power of encryption in the cloud need to secure their data in a two-fold process: the data directly, and the access to it. The logistics and vastness of the cloud can at times seem daunting, but proper security measures can help make the cloud a viable and safe solution for the enterprise.

George Wainblat is Director of Product Management at Unbound Technology
