Cybersecurity remains a critical area of concern for the public and private sector. According to IBM and the Ponemon Institute, last year saw 383 publicized malicious data breaches targeting the public and private sector globally, dealing north of $1.5B in direct damage and potentially trillions of dollars in lost intellectual property.
HashiCorp Vault has a unique role in responding to these security trends. Vault secures, stores, and tightly controls access to secrets across distributed application infrastructure. The unique portfolio of features allows users of various security expertise to craft strong defenses against real-world cybercriminal adversaries. In this post we'll talk through real-world attack vectors and how Vault can be used to protect against them:
- Preventing large scale data breaches with secrets management
- Limiting privilege escalation with privileged access management
- Protecting customer data with encryption as a service
Preventing large scale data breaches with secrets management
Large scale data breaches remain one of the biggest areas of concern for companies and organizations across verticals. Whether it was the theft of employee data from the FBI and Department of Homeland Security, the theft of every current and former employee’s W-2 at Seagate, or the theft of 117 million e-mails and passwords from LinkedIn, attacks focused on stealing sensitive data in bulk have become a staple of cyberattacks in the last year.
In many of these attacks, adversaries were able to successfully exfiltrate data by compromising an outer layer of their target’s infrastructure and dump a large trove of sensitive data in bulk. By exploiting 0-day vulnerabilities in large, frequently-used databases such as MySQL, adversaries can force those databases to disgorge large troves of sensitive data such as e-mails, hashed passwords, and personally identifiable information (PII) such as home addresses.
Vault provides a common workflow to securely manage and control access to secrets. The ability to manage secrets helps organizations eliminate secret sprawl and secrets stored in plaintext. Addressing both of these challenges reduces the surface area for attacks that focus on obtaining secrets.
Limiting privilege escalation with privileged access management
As a best practice, no one user should have uniform access to every secret within an infrastructure. Vault manages this by allowing different users and applications privileged, time-locked access to secrets via fine-grained access policies.
These user and application-specific policies force adversaries to compromise multiple privileged accounts at precisely the right time in order to gain system access. A compromise of this many accounts would be very challenging to go undetected.
This would have to be done ex-post facto as well, as retrieving or storing new secrets into the stolen data would require the adversary to have to re-establish communications with the infrastructure containing Vault. By sealing a Vault node, users can force adversaries to contend with their security a second time and halt access to the data as Vault would require that node to generate a new master key for its encryption. Vault administrators can also granularly restrict access to compromised data on a per-user basis by revoking that user’s access to data.
Protecting customer data with Encryption as a Service
In another major data breach, a large portion of the user base saw their non-financial data (credit card information was maintained separately) compromised in a bulk exfiltration. The organization focused on the encryption and security of the database itself rather than encrypting the data at rest.
This is frequently how sensitive but not critical secrets are maintained in the real world. Key management and performance issues related to decrypting/re-encrypting data can be onerous and difficult as organizations scale.
A secret in Vault is constantly sheathed in strong encryption: at rest in AES-256 GCM mode, and in flight using TLS. That secret is only accessible through Vault verified and trusted applications or services. Vault manages the keys for all cryptography protecting secrets.
Vault is architected in a way that allows users to defend themselves even when their other security and authentication systems have failed them. Because all secrets within Vault are encrypted at rest, dumping the contents of a Vault secret backend ensures that the attacker must either contend with the encryption directly via codebreaking, or find some way to gain access to legitimate credentials for all of the secrets within that infrastructure.
The former would be difficult. Even with a billion high-end GPUs (such as a Nvvdia GTX 1080) operating at 2 gigaflops per second, brute force attacking the key for the AES-256 used in protecting Vault secrets at rest would take multiple times longer than the current age of the universe to crack.
Vault was created to protect any kind of secret across any infrastructure. This mission not only allows HashiCorp to bring a new, accessible kind of data security and cryptography to developers and operations teams – it also requires that Vault be independently secure and not rely on the other security systems in an organization's environment.
To get started with Vault or for more information visit hashicorp.com/vault.