listen to this article:
For any business that mandates operational agility and the utmost security, adopting Modern IT is a must. Infrastructures built on modern IT enable organizations to take advantage of innovative new technologies and approaches, that will also enable them to span across geographically distributed on-premise data centers and different cloud service providers. These infrastructures consist of heterogeneous hardware and software stacks and provide data and services in a cloud-native fashion. In order to ensure confidentiality, integrity, and authenticity of data and services in such infrastructures, it is of fundamental importance to manage cloud-native secrets securely.
The Cost of Failing at Secrets Management
Secrets management is the process of protecting sensitive information such as credentials, cryptographic, encryption and API keys, as well as certificates throughout their entire lifecycle. While protecting sensitive information throughout their lifecycle is a must, secrets get continuously exposed and make headlines due to lack of secure management.
For instance, secrets can be exposed by hardcoding them in source code repositories. By accessing a secret on a GitHub repository an attacker was able to access an Uber Amazon web server and steal data records of approximately 50 million Uber customers. In addition to the ransom of $100.000 paid to the attacker, Uber also paid $148 million for the data breach.
Another similar case happened to DXC, where an attacker spins up approximately 250 Virtual Machines on AWS over a period of four days by accessing a hardcoded private key, costing the company $64.000.
Understanding Modern IT and Why We Fail at Effective Secrets Management
In order to understand where security service providers and the organizations we cater to fail at effectively managing secrets to avoid such breaches and their subsequent business jeopardy, it is imperative to clearly understand the implications of Modern IT.
Above anything, Modern IT consists of two key characteristics: having everything virtualized on your infrastructure and having multiple security environments such as data centers and clouds. And while these characteristics enable new capabilities for businesses to remain competitive in our growing digitized world, they also create new security requirements and the need to address these quickly.
Overlooking these modern environments constituents are usually the underlying cause of exploits as we fail to arm them with the corresponding security infrastructure. More specifically, to address the new security needs of Modern IT environments and make organizations “future-ready”, we need to complement hardware or legacy anchors with a technological layer which will expose a virtual layout.
The End-Goal of Modern IT Security Infrastructure
One of the most important end-goals of adopting Modern IT, is to eliminate any single point of failure – as it relates to the distribution of your encryption and/or cryptographic keys (i.e., in one machine vs a disparate distribution), as opposed to the otherwise common notion that Modern IT is focused on availability. Availability and crypto agility is important – yes; but security is paramount. The use of multiparty computation (MPC) based cryptographic technology supports this very important security goal, given its inherent capability to split keys on multiple machines which leave attackers with the only option of breaching all of these machines simultaneously in order to get hold of secrets.
What Are Legacy Solutions Lacking
Identifying, validating and adopting a solution across an entire organization, which covers all current and also potential future use cases, is a challenging task, especially in hybrid, multi cloud environments. These fragmented environments are more common today, rather than the exception, due to the various functional and non-functional requirements which modern IT infrastructures have to meet.
However, many solutions address very specific functional and non-functional requirements, both from the infrastructure and uses case perspective. Others introduce barriers with respect to their implementation, operation, scalability, portability, and usability. In our experience and diligence in reviewing several solutions in the market, very few provide a comprehensive approach to managing secrets securely and easily.
One of these few solutions that stood out during our review and selection process for a large legal firm with a cloud transformation initiative, was Unbound CORE. CORE delivered on security, scalability and portability, i.e., platform independence.
Filling in the Gap: A Comprehensive Approach to Securing Secrets in Hybrid, Multi Cloud or Any Cloud Environments
By being cloud-ready, hence supporting hybrid, multi cloud environments, Unbound CORE fits naturally into our Cloudical technology and services arsenal. While focusing on cloud-native environments, we support our clients, end-to-end, during their entire modern IT implementation journey of embracing new approaches, new technologies, as well as implementing their required processes, policies and ensuring that they leverage their legacy investments. Note that in a journey such as this security, i.e., confidentiality, integrity, and authenticity of data and services, are paramount and the major concerns of cloud-native adopters.
While we at Cloudical understand security holistically, i.e., starting from business process up to the education and enablement of end users, we wanted to work with experts to address the challenge of managing secrets securely, and for us Unbound has become that expert partner. We look forward to continuing to innovate, while improving our client’s security posture with cutting edge cryptography, and the flexibility provided by Unbound CORE, as we begin to integrate the CORE platform into our Cloudical VanillaStack.
Just this past month, I had the pleasure of meeting with Unbound CEO and Co-founder, Prof. Yehuda Lindell and ask him about his journey as a world renown cryptographer and his evolution to Unbound and CORE. See our interview here: