Complying with The Cybersecurity Code of Practice For Critical Information Infrastructure 2.0 (CCoP 2.0) in Singapore

Learn about the HashiCorp alignment with new cybersecurity regulations in Singapore.

Last year, the Cyber Security Agency of Singapore (CSA) published the Codes of Practice or Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII). This comes in accordance with the Cybersecurity Act. These codes, published here: Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition (CCoP2.0) came into effect on July 4, 2022.

How do HashiCorp's security solutions — including HashiCorp Vault, Boundary, Terraform, and Consul — align with these codes? We've created a short article on this topic:

»3.1: Policies, standards, guidelines, and procedures

Spec description: 

Organizations must have governing processes in the form of policies, standards and guidelines in place. At the top tier of formalised governance are policies, which provide a generalised overview of the organization’s security needs and direction. This is followed by mandatory standards for compliance, as well as recommended guidelines for best practice.

HashiCorp alignment:

HashiCorp Vault is integral in fulfilling the stringent requirements of an organization's governance processes. It provides a centralized platform for secrets management, encryption as a service, and privileged access management, which are fundamental to enforcing security policies and compliance standards. Furthermore, Vault can be configured to enforce access policies, meaning that only authorised personnel can access certain sensitive data or secrets, thus aligning with the governance policies of an organization. Regarding standards for compliance, Vault offers detailed audit logs that provide visibility and accountability, which are vital for meeting regulatory standards. Additionally, HashiCorp Vault follows the recommended guidelines for best practices in secure secret management, including principles of least privilege and segregation of duties. Thus, Vault contributes to the overall governance framework of an organization, helping to ensure policies are adhered to, standards are met, and best practices are followed.

HashiCorp Terraform is also essential to governance. Terraform, a tool for building, changing, and versioning infrastructure, is a critical component in the practice of infrastructure as code (IaC). IaC can meet governance requirements by providing an auditable, version-controlled means of tracking Vault configuration changes and other infrastructure. Using Terraform, infrastructure is defined and managed as code in version control systems such as Git rather than manually configured or managed through ad-hoc scripts. In addition, every change to infrastructure and configuration can be tracked through commits and pull requests, providing a clear, auditable history of who made what changes and when.

»3.4: Security-by-design

Spec description: 

An effective way to protect computer systems against cybersecurity threats is to integrate security into every step of the System Development Life Cycle (SDLC), from initiation to development, deployment, and eventual disposal of the system. This is the Security-by-Design (SBD) approach.

SBD seeks to minimise system vulnerabilities and reduce the attack surface by designing and building security in every phase of the SDLC. This includes incorporating security specifications in the design, continuous security evaluation at each phase, and adherence to best practices.

HashiCorp alignment:

HashiCorp Vault is a relevant solution in the SBD approach, offering comprehensive security capabilities throughout the SDLC. From the initiation phase, Vault can be used to securely manage and provide fine-grained access control to secrets like API keys, passwords, and tokens, thus minimizing the possibility of a security breach. During development and deployment, it provides encryption as a service, allowing the development teams to encrypt data in transit and at rest, thereby reducing the system's vulnerability. Vault's dynamic secrets feature helps reduce the attack surface by creating secrets on-demand and revoking them immediately after use. Also, it supports security best practices by providing detailed audit logs, which allows continuous security evaluation. The logs can help identify and trace suspicious activities to their origin. Finally, regarding the disposal phase, Vault ensures that sensitive data and secrets are securely deleted, mitigating the risk of residual data compromise.

HashiCorp Consul is also essential in the SBD approach throughout the SDLC. Beginning with the initiation phase, Consul provides a service discovery mechanism essential for securing inter-service communication, ensuring that only legitimate and authorised services can interact. In the development and deployment stages, Consul's service mesh provides secure service-to-service communication with automatic TLS encryption. This ensures that data in transit is always encrypted and secure, reducing the system's vulnerabilities. The service mesh also provides intention-based security policies, reducing the attack surface by controlling which services can communicate. Moreover, Consul's network infrastructure automation capabilities allow adherence to security best practices by automating network configurations, reducing human errors, and enhancing security. It further allows for continuous security evaluation through detailed monitoring and logging of service interactions. Finally, during the system disposal phase, Consul ensures secure de-registration of services, minimizing the risk of lingering, exploitable system entries.

Lastly, HashiCorp Boundary is also integral to the SBD approach, ensuring secure access management throughout the SDLC. From the initiation phase, Boundary allows developers and operations teams to define precise, role-based access permissions to resources, reducing the risk of unauthorised access. During the development and deployment stages, Boundary's dynamic host cataloguing, along with just-in-time access, ensures that the right individuals have access to the right resources at the right times, reducing vulnerabilities and the attack surface. Furthermore, it provides end-to-end TLS encryption for sessions, securing all data in transit. Boundary adheres to security best practices by offering detailed session logging and monitoring capabilities, enabling continuous security evaluation throughout the SDLC. This information can be used to detect potential threats and respond promptly. In the disposal phase, Boundary ensures that access to deprecated systems and services is securely revoked, minimizing the risk of security breaches due to residual access points.

»3.5.1: Cybersecurity design principles

Spec description: 

The CIIO shall adopt the following principles in relation to its people, process and technologies to reduce cybersecurity risks to the CII:

(a) The defence-in-depth principle to ensure that the security architecture of the CII includes multiple layers of security controls to prevent single point of failure;

(b) The least privilege principle to ensure that accounts and users are granted the least extent of access necessary to perform their required functions; and

(c) The principle of segregation of duties to ensure that duties and responsibilities for critical functions relating to the CII are divided among different persons.

HashiCorp alignment:

(b) HashiCorp Vault and Boundary are designed to enforce the principle of least privilege, ensuring that users and systems have only the minimum levels of access necessary to perform their functions, which are dynamically created and time scoped. Vault manages secrets and credentials with fine-grained access control, ensuring that users and applications only have access to the secrets that are strictly necessary for their tasks. It also supports dynamic secrets, which are generated on-demand and are unique to each request, thus limiting the privileges to a specific context and reducing the risk of over-privileged access. Vault’s identity and access management (IAM) features can ensure least privilege access by tying permissions to specific roles and responsibilities. Boundary provides a secure way to access systems with just-in-time and tightly scoped permissions, embodying the least privilege principle for user access. Boundary’s role-based access control (RBAC) allows the definition of specific roles and access permissions, ensuring that users are granted the minimum privileges they need to perform their tasks. Additionally, Boundary's session policies and permissions can be dynamically updated, allowing for continuous adjustment of privileges in response to changing requirements.

(c) HashiCorp Vault and Boundary facilitate the implementation of the segregation of duties principle in a system's security infrastructure. Vault can integrate with multiple identity providers, unify all user identities across these providers, and enforce the segregation of duties by enabling RBAC, which means that access permissions to secrets related to systems are assigned to specific roles. These roles can be allocated to different individuals or systems based on their duties. For instance, you could assign separate roles for managing configuration, performing encryption, and managing secrets, ensuring these critical functions are carried out by different entities. This minimizes the risk of any single entity having too much power or access within the system. Boundary’s RBAC facilitates the division of responsibilities among different individuals. Each role in Boundary can be assigned different access rights to various systems or services. This ensures that users have access only to the systems necessary for their specific responsibilities, thus preventing any single user from having complete control over a system.

»3.5.2: Cybersecurity design principles

Spec description: 

The CIIO shall also adopt, to the extent possible, the following principles in relation to its people, process and technologies to reduce cybersecurity risks to the CII:

(a) The defence-by-diversity principle to reduce the number of potential attack vectors by having diversity throughout the CII, including diversity in technology, manufacturers and suppliers of assets, communication pathways, etc.; and

(b) The zero trust principle to ensure that each request for access to the CII is authenticated, authorised and validated for security configuration and posture before access is granted.

HashiCorp alignment:

(b) HashiCorp Vault, Consul, and Boundary align well with the zero trust principle, providing comprehensive mechanisms to authenticate, authorise, and validate each access request. Vault provides identity-based access, ensuring that every access request is authenticated and authorised based on the entity's identity. It supports multiple authentication methods like tokens, LDAP, and OAuth, ensuring secure identity verification. Vault also provides dynamic secrets, which are generated on-demand and are time-limited, ensuring that every secret used is valid only for a specific session. Consul enhances the zero trust model through its service mesh capabilities, where all service-to-service communication is secured by mutual TLS. This guarantees that all services are authenticated before communication, ensuring trust is established not just at the perimeter but within the system as well. Furthermore, Consul’s intention-based security policies enable granular authorisation of service interactions, verifying that each request is authorised before access is granted. Boundary complements these capabilities with just-in-time access and session-based user access controls. It ensures that every request for system access is authenticated using trusted identity providers. Moreover, access to every target system must be authorised based on the user's role and permissions, providing granular control over who can access what and when.

»3.6: Change management

Spec description: 

Change management is essential for tracking and controlling changes made to the system or network architecture, including to network security design, network connections, configuration settings, and program logic in both hardware and software. Good change management processes ensure that the current design and build state of these systems and networks are known and recorded to support processes such as debugging, audit, and incident response.

HashiCorp alignment:

HashiCorp Terraform Enterprise aligns well with change management objectives, providing comprehensive features for tracking and controlling changes to hardware and software configurations in the system or network architecture. Terraform Enterprise uses infrastructure as code), enabling teams to define and provision infrastructure in a predictable and repeatable manner. This IaC approach allows code used to make configuration and infrastructure changes to be stored in Git, where changes can be versioned, reviewed, and approved as part of a CI/CD pipeline, ensuring that each modification is tracked and recorded. This approach also makes it easy to revert on changes. Additionally, Terraform Enterprise includes features like Sentinel policy as code, which enforces fine-grained, logic-based policies to validate the changes, thus ensuring adherence to security and compliance standards before any changes are applied. Furthermore, the system offers workspace tagging, state versioning, and detailed audit logging, providing visibility into who made what changes and when, which are essential for debugging, audit, and incident response.

»5.1: Access control

Spec description: 

Access control involves safeguarding CII assets from unauthorised access. By deploying access management mechanisms and processes, the CIIO ensure that only authorised parties can access protected systems, information and applications. Access control includes the steps of Identification, Authentication and Authorisation.

HashiCorp alignment:

HashiCorp Vault and Boundary are significant to safeguard CII assets from unauthorised access using robust access control mechanisms by ensuring the identification, authentication, and authorisation of each access request to system assets. Vault's primary function is to manage secrets like API keys, tokens, and passwords securely. It incorporates identity-based access, where access requests are authenticated and authorised based on the requester's identity. Vault supports multiple authentication methods, including tokens, username/password, and OAuth, ensuring secure identity verification. Furthermore, its robust RBAC ensures that entities are only authorised to access secrets necessary for their function, providing a granular level of control over system assets. Complementing Vault, Boundary delivers a secure way to grant and manage access to systems, networks, and applications. It ensures the identification and authentication of users via trusted identity providers like LDAP or built-in users and groups. Like Vault, Boundary also uses RBAC to provide authorisation, ensuring that users are granted permissions consistent with their roles and responsibilities. Also, Boundary grants just-in-time access to system resources, meaning access is provided on a need-to-use basis and is revoked immediately after use, thereby reducing the risk of unauthorised access. Boundary also has the capability to provide credential injection, which is the ability to inject credentials into access sessions without exposing it to the user, further reducing the risk of leaking sensitive access credentials.

»5.2: Account management

Spec description: 

Account management is about the requirements in the creation, monitoring, maintenance and retirement of a user, application, service or system account that has access to the CII. Asset owners should determine appropriate access rights for each specific account while taking into consideration the associated cybersecurity risks. Accounts should not be granted excessive and unnecessary privileges to prevent unauthorised access. In addition, processes need to be established to detect unauthorised activities.

HashiCorp alignment:

HashiCorp Vault aids in account management by providing comprehensive mechanisms for the creation, monitoring, maintenance, and retirement of user access to application, service, or system accounts by enforcing controls over the distribution of credentials. Vault's secret engines can generate dynamic, time-limited credentials for various systems. The access to these credentials can be controlled with policies, which are applied to user identities. Access can be revoked centrally from Vault when the user should no longer have access. Dynamic credentials also ensure that each account is created with specific, minimal access rights, aligning with the principle of least privilege to prevent unauthorised access. The fine-grained access controls within Vault allow for granular determination of appropriate access rights, considering the associated cybersecurity risks. For detecting unauthorised activities, Vault provides detailed audit logs that track all interactions with the vault, including which entity accessed which secrets at which time. Vault's audit logs can be integrated with intrusion detection systems or security information and event management (SIEM) systems to flag suspicious activities and generate alerts, thereby providing continuous monitoring of account and access activities. Additionally, the dynamic secrets Vault generates are automatically revoked after their lease expires, ensuring that outdated accounts are securely retired and do not pose lingering security risks.

»5.3: Privileged access management (PAM)

Spec description: 

Privileged accounts on a network are prime targets for malicious exploitation because they usually have more authority and access to resources. An attacker who has access to these accounts could potentially move about in the network and access privileged resources to gain unauthorised and persistent access to the entire system. Therefore, privileged access must be subject to tighter access control and greater monitoring.

HashiCorp alignment:

HashiCorp Vault and Boundary offer capabilities to manage privileged access, provide tight access control, and enhance monitoring to reduce the risks associated with privileged accounts. Vault can manage and securely store privileged credentials, minimising the risk of these credentials being exposed or misused. It provides fine-grained access controls, ensuring only authorised individuals or applications can access these credentials. More importantly, Vault supports dynamic secrets for various systems. These are generated on-demand and are time-limited, reducing the window of opportunity for an attacker to use these privileged credentials. Boundary, is designed to control and monitor privileged access to systems. It grants just-in-time access, meaning privileged access is provided only when needed and is revoked immediately after use. This helps reduce the attack surface associated with persistent privileged access. Boundary’s RBAC also provides tighter control over who can access privileged resources and when. Both our solutions also provide detailed audit logs, offering greater visibility and monitoring of privileged access. These logs include information about who accessed what resources and when, which can be crucial for detecting and investigating potential security incidents.

»5.5: Network segmentation

Spec description: 

Network segmentation is the separation of a network into different segments based on their security and risk levels, and controlling communication between them. By using data flow control devices or solutions at network intersections and limiting traffic allowed into and out of any given segment, network segmentation makes it difficult for a cyber threat actor to traverse the entire network to perform malicious activities such as reconnaissance work and data theft.

HashiCorp alignment:

HashiCorp Consul, when used as a service mesh, is an effective tool for implementing network segmentation. In a Consul service mesh, all services are connected, secured, and observed, with each service having a distinct identity. This enables the application of fine-grained access control policies, effectively creating secure segments within the network based on services, roles, or risk levels. These policies are enforced using mutual TLS, which ensures encrypted and authenticated communication between services. One of Consul’s key features is its ability to enforce "intentions", which are rules that control whether one service may communicate with another. These rules can allow or deny traffic between different network segments, ensuring that only authorised traffic is permitted, thereby adhering to the principles of network segmentation. Moreover, Consul's service mesh capabilities allow for east-west traffic management and is able to isolate services in the event of a detected threat, thereby limiting the potential for lateral movement by a cyber threat actor across the network. Also, Consul provides observability into service-to-service communications, which can help identify abnormal patterns of data flows, allowing these to be investigated if abnormal traffic is associated with reconnaissance work or data theft.

»5.6: Network security

Spec description: 

Network security measures exist to restrict traffic flowing between different trust domains such as an organization’s internal network and the outside world to protect the network and data from breaches, intrusions, and cybersecurity threats. In addition, the organization should also have boundaries between internal trust domains which must be identified and controlled. Examples include designing and configuring the network in a manner that secures access to and from the CII.

HashiCorp alignment:

HashiCorp Consul greatly enhances network security by establishing trusted communications between services and applications in the organization. Consul provides service discovery, and segmentation functionalities, which can effectively secure and manage the traffic flowing within or across different domains. Through Consul's service mesh capabilities, services within an organization's internal network are automatically encrypted and authorised using mutual TLS, ensuring secure communication and reducing the risk of intrusions and breaches. In addition, Consul's intentions feature allows for fine-grained control over which services can communicate with each other. This helps establish permitted communications between services and applications, as communication between different services (or trust domains) can be specifically allowed or denied based on these rules. This way, even within the internal network, traffic flow can be restricted to enhance security. Moreover, Consul's service mesh can extend across multiple clusters and datacentres, including cloud environments. This makes it possible to create secure communication paths between applications and services running across different clouds, platforms, and locations while maintaining control over the traffic flow.

»5.7: Remote connection

Spec description: 

Remote connection is the access to a non-public computing resource by a user (or a process acting on behalf of a user) communicating through an external network. For example, accessing a network in a CII to perform administration or maintenance from an external network. It is important to secure this access because it acts as a direct conduit into the CII. A secured conduit would make it difficult for a cyber threat actor to gain a foothold in the CII, denying the cyber threat actor the platform to perform reconnaissance for intelligence gathering and to take actions that adversely impact the CII.

HashiCorp alignment:

HashiCorp Boundary and Consul can secure remote access to CII. Boundary allows for secure, auditable, and identity-based user access to systems, without requiring a direct network path, nor VPNs, jump servers/bastion hosts — which can be points of compromise. It also provides a just-in-time approach to remote connections, thereby reducing exposure of your systems by only providing access at the exact time it's needed, reducing potential attack vectors. The zero trust security model it employs ensures that every request is authenticated and authorised, minimising the chances for a cyber threat actor to infiltrate the CII. HashiCorp's Consul complements Boundary by providing multi-cloud service networking to connect and secure services across any runtime platform and public or private cloud. It can ensure that only authorised services and users can communicate with each other and provides secure user-to-service communication in a distributed, microservice datacentre with mutual TLS, thereby ensuring secure communication and reducing the risk of intrusions and breaches. This minimises the possibility of an attacker being able to move laterally across your systems if they do manage to gain a foothold. Consul provides observability into user-to-service communications, which can help identify abnormal patterns of data flows, allowing these to be investigated if abnormal traffic is associated with reconnaissance and update Consul intentions, and deny further access and communications.

»5.13: Database security

Spec description: 

Critical data is often stored in a database. While databases are not typically attacked directly, requests for data from applications, malicious or not, are often passed to them. For example, SQL injection or cross-site scripting are attacks that attempt to retrieve data or bypass authentication related to a database. Knowing these types of cyber attacks are commonplace, measures need to be taken to secure a database.

Database security describes cybersecurity measures that aim to secure the confidentiality, integrity and availability of data stored in a database. 

For example, granular access control should be applied to the entire database, specific tables, or even in some specific columns or records to ensure only authorised accounts can connect to and query the data in the database. In addition, an individual should not be both a database administrator and system administrator as excessive access could increase the risk of abuse if the access is misused or compromised. Therefore, segregation of duties must be in place to ensure checks and balances for preventing fraud and errors.

Furthermore, database logging and activity monitoring tools are important in detecting unauthorised access, manipulation, exfiltration or destruction of data.

HashiCorp alignment:

HashiCorp Vault can enhance the security of databases. It has a dynamic secrets feature which can provide short-lived credentials for accessing databases, which can help to protect against threats like SQL injection or cross-site scripting attacks. These dynamically generated credentials are tied to a lease and can be automatically revoked after the lease expires. This mitigates the risk of abuse, as the credentials are ephemeral and only valid for a short period of time, making it difficult for malicious actors to exploit them. Vault can also segregate duties by managing access to both system and database administrators and ensuring that one individual does not have excessive access that could be exploited if compromised. This function aligns with the principles of least privilege and segregation of duties, reducing the potential for unauthorised access or abuse and controlled using policies. Also, Vault's encryption capabilities can help secure data at rest and in transit, maintaining the confidentiality and integrity of the data. This encryption is consumed via APIs by the application and encrypted by Vault before the application stores the encrypted data, ensuring that even if the database is compromised, the data remains secure. Lastly, Vault has extensive logging capabilities, which can monitor activity and detect unauthorised access. Audit logs record who did what and when allowing for accurate traceability and accountability.

»5.17: Cryptographic key management

Spec description: 

The management of cryptographic keys is crucial to the effectiveness of cryptographic techniques. Any compromise to the cryptographic keys could allow a cyber threat actor to decrypt classified information or obtain privileged accesses, which may lead to the failure of the organization’s entire security infrastructure.

HashiCorp alignment:

HashiCorp Vault is essential in managing cryptographic keys. Its Key Management Secrets Engine gives a consistent workflow for the distribution and lifecycle management of cryptographic keys in various key management service (KMS) providers. It allows organizations to maintain centralised control of their keys in Vault while taking advantage of cryptographic capabilities native to the KMS providers. This helps organizations Bring Your Own Key (BYOK) to cloud, maintaining control while using cloud services securely. Another capability, the KMIP Secrets Engine, further streamlines the management of keys used by systems. This allows Vault to act as a Key Management Interoperability Protocol (KMIP) server provider and handle the lifecycle of its KMIP-managed objects. It supports interoperability and standardisation of key management, adding another layer of security by enabling secure communication and encryption key management with KMIP-compliant devices. Additionally, Vault's Public Key Infrastructure (PKI) secrets engine dynamically generates X.509 certificates, effectively handling the creation, storage, and revocation of these certificates.

»6.1: Logging

Spec description: 

Logging is the process of recording events occurring within a system or network and enables an organization to perform investigations and threat hunting. For an organization to establish and maintain successful log management activities, it is vital that polices are developed based on defined goals and requirements, including the logging scope and log generation, transmission, storage, retention, and analysis.

HashiCorp alignment:

HashiCorp Vault, Consul, and Boundary contribute significantly to log management activities within an organization. Vault, a secret management tool, generates audit logs that provide a detailed account of every interaction with the system, including access to secrets, encryption, and key usage. Consul, a service networking solution, generates logs that provide insights into the health and connectivity status of the services within the network. These logs can aid in identifying any anomalies or issues within the network. Boundary, a secure access solution, creates logs of all sessions, including attempts to access services, successful connections, and failed attempts, providing valuable insights for threat hunting. Each of these tools provides mechanisms for secure transmission, storage, and retention of logs. The generated logs can then be ingested into a centralised logging or SIEM system for further analysis.