Protecting Your Company's Secrets in the Cloud-Native Age
December 07, 2017

George Wainblat
Unbound Technology

Modern businesses are migrating to a cloud-based model for hosting sensitive data to reap the benefits of agility and cost savings and to keep pace with customer demand. Cloud-native methodologies such as DevSecOps, continuous delivery, containers and microservices are essential building blocks of the digital business revolution. However, moving information and technologies from hardware to software raises a security concern that has become a top challenge for both IT and the C-level: applications built on microservices and containers in a cloud-native environment rely on a wide variety of secrets to function properly.

Define "Secret"

When it comes to cloud-native data and large volumes of information, secrets come in many forms. Put most simply, a secret is anything whose exposure would harm the business's reputation, much as we saw in the recent HBO hack, which unveiled unaired episodes of Game of Thrones, and the now infamous Equifax breach, which exposed millions of sensitive consumer records.

Cloud-native security likewise has many types of secrets to protect; three of the main types that must be protected in the cloud are:

Sensitive Security Information (SSI) is confidential business material such as revenue and profit figures, and even cyber threat information.

Personally Identifiable Information (PII) is any information that pertains to you as an individual, for example your name, address, social security number, etc.

IT Systems Security Information is the information that makes up a company's technology infrastructure, such as encryption keys (private and symmetric), certificates, and cloud service access credentials (e.g. AWS IAM).

Existing Obstacles

In an effort not to become the "next Equifax" and to keep these cloud-native methodologies secure, IT departments must address several obstacles:

Secrets proliferation – having various secrets in multiple locations (on-premises, in the cloud and hybrid) makes their management cumbersome, as the secrets are decentralized and difficult to control. In addition, having secrets managed by different administrators translates to a lack of control and commonly results in personnel oversights. This segmented visibility confuses local administrators, because they have no clear picture of which applications across the organization access and use which secrets.

Another challenge organizations face is the use of dual infrastructures – legacy IT and modern cloud-native environments – in which keys are duplicated in both the classical IT environment and the cloud. The underlying issue is that cloud-native systems cannot securely access resources that are external to the cloud environment.

The third issue is the high level of trust placed in hardware, which is viewed as the security standard because of the hardware-rooted elements it provides for securing secrets. Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) do not fit architecturally into software-defined security because of their physical nature. However, given the demand for businesses to migrate to the cloud, companies are looking to overcome this obstacle. As such, cloud-native security must be scalable, interconnected and dynamic – mirroring the expanse and capabilities of cloud methodologies while remaining as secure as hardware.

Business Implications

Having seen that the above obstacles leave holes that can gravely impact the business, we must understand the possible security breaches associated with a lack of proper secrets protection.

A data breach, a man-in-the-middle attack and certificate or credential theft are just a few examples of the cyberattacks that can occur when cloud-native secrets are not protected properly. Once a company is hacked, the business implications are costly and can be devastating. Think back to the Home Depot and Target breaches: the impact on sales was long-lasting, even for brands of their magnitude. Other implications include lawsuits if you are a company that holds sensitive information like home addresses and social security numbers, much like Equifax. According to research by the British insurance company Lloyd's, the damage from hacks costs businesses $400 billion a year.

The Software Vault

As the potential damage of a breach becomes reality, a different set of vault-like tools is emerging in the cloud-native ecosystem for containing secrets. Encrypted data can rest within the software-defined vault and be transferred to applications as needed, an easy and scalable option for large enterprises. However, just as a physical vault is only as secure as the hiding place of the key that unlocks it, the software vault is only as secure as the key that protects its contents, and that key must itself be protected, because the data is highly coveted by attackers. To keep vaulted cloud-native secrets secure, the encryption keys must be safeguarded, meaning the keys require their own security measures.

There are many obstacles to overcome with a cloud-based security model, but securing secrets and sensitive information is paramount in today's risk-prone world. With security breaches becoming more prevalent and brands taking heavy hits as a result, a software-defined strategy can offer modern companies benefits such as scalability, agility and security. Companies that choose to use the power of encryption in the cloud need to secure their data in a two-fold process: the data directly, and the access to it. The logistics and vastness of the cloud can at times seem daunting, but proper security measures can make the cloud a viable and safe solution for the enterprise.
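The two-fold protection described in the vault section and the paragraph above, shown as an added example that is not the article's or Unbound Technology's code: each vault record keeps the secret under its own data key, and that data key is wrapped by a key-encryption key held outside the vault (envelope encryption with AES-GCM from Go's standard library). The function names Protect and Reveal, and the 32-byte KEK that stands in for an HSM- or KMS-held key, are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-256-GCM; key sizes are fixed by design, so a bad one is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag, with a fresh 96-bit nonce per call.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // guaranteed not to fail since Go 1.24
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// Protect yields what a vault stores per secret: the secret under a fresh
// data-encryption key (DEK), plus that DEK wrapped by the key-encryption key
// (KEK). The KEK never sits in the vault; it belongs in an HSM/KMS-class service.
func Protect(kek, secret []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek), seal(dek, secret)
}

// Reveal unwraps the DEK with the KEK, then decrypts; without the KEK it fails.
func Reveal(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

A copied vault record therefore yields nothing on its own: the attacker would also need the KEK, which is exactly the asset that deserves its own hardware-grade protection.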

George Wainblat is Director of Product Management at Unbound Technology
