Protecting infrastructure secrets and encryption keys with moving target defense

[Update: after years of R&D on the world’s first moving target defense data protection platform with federal agencies and Fortune 100 R&D labs, we are productizing & commercializing CryptoMove’s moving target data protection platform as Tholos Key Vault, a product for managing keys and secrets. You can check out our private beta here.]

On May 31, 2017, cloud-based identity and access management (IAM) provider OneLogin disclosed a massive security breach in which customer data was compromised; the company could not rule out that the attacker had also obtained the ability to decrypt encrypted data.

Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access … and are working … to determine how the unauthorized access happened and verify the extent of the impact of this incident.

Later that day, more details were revealed:

The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.

Security teams scrambled to implement a long list of recommendations from OneLogin — generating new API credentials and OAuth tokens, replacing RADIUS shared secrets, and generating new certificates for apps that use SAML single sign-on (SSO). Nearly four months later, victim customers are still rebuilding their authentication security systems.

SSO is likely to be more secure than a home-grown authentication mechanism, but in some cases the disadvantages of relying on a third party are overwhelming. For this reason, Gartner Inc. financial fraud analyst Avivah Litan has been strongly urging companies to stay away from cloud-based single sign-on services:

It’s just such a massive single point of failure … And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.

The breach was extremely disruptive for several large organizations (and 12 million licensed users), so it is worth stepping back to analyze the facts, or at least what we have been told thus far. We will focus on a few shortcomings of legacy encryption at rest as they relate to OneLogin's breach and compare them to CryptoMove's approach: data protection with active defense.

Adversaries’ asymmetric advantage: time

During the investigation, OneLogin determined that an attacker had obtained access to its AWS infrastructure (via stolen AWS keys) around 2AM PST on May 31, 2017. OneLogin staff were alerted to unusual database activity around 9AM PST that same morning, more than seven hours later. That is ample time to map the data infrastructure, locate the encryption keys, and mount an attack, and a static infrastructure makes the job easy: whatever the attacker learns in the first hour is still true in the seventh.
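The seven-hour gap above is a detection problem as much as an encryption problem: a stolen access key behaves differently from its legitimate owner (new source network, reconnaissance calls the key never made, odd hours), and those differences are visible in the cloud provider's API audit log long before the data tier notices. The following is an added example, not code from OneLogin or CryptoMove, that builds a per-access-key baseline from CloudTrail-shaped records and scores new events against it. The access key IDs, IP addresses, timestamps and the working-hours window are all constructed for the illustration:

```python
"""Baseline-and-deviation check over CloudTrail-style API events.

Added example (not OneLogin's or CryptoMove's code). The goal is to shrink the
window between a stolen AWS access key being used and somebody noticing. Each
long-lived key gets a baseline of the source IPs and API actions it has used;
new events are scored on how far they depart from it. Field names follow the
CloudTrail record schema; the records themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Hours (UTC) during which this constructed team normally works: 15:00-02:59Z,
# i.e. roughly 08:00-19:59 US Pacific. Tune per team in practice.
WORK_HOURS_UTC = set(range(15, 24)) | set(range(0, 3))
NEVER_SEEN = "access key never seen before"

def _event(time, source, name, ip, key="AKIAEXAMPLEKEY000001"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed history: the key's normal job is moving objects and queue
# messages from one application host.
BASELINE_EVENTS = [
    _event("2017-05-30T16:01:12Z", "s3.amazonaws.com", "PutObject", "203.0.113.10"),
    _event("2017-05-30T17:22:40Z", "s3.amazonaws.com", "GetObject", "203.0.113.10"),
    _event("2017-05-30T21:05:03Z", "sqs.amazonaws.com", "SendMessage", "203.0.113.10"),
]

# Constructed events to score: one routine call, then the same key used at
# 09:02Z (about 02:00 Pacific) from a new network to enumerate the account.
NEW_EVENTS = [
    _event("2017-05-30T22:10:00Z", "s3.amazonaws.com", "PutObject", "203.0.113.10"),
    _event("2017-05-31T09:02:11Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77"),
    _event("2017-05-31T09:03:40Z", "rds.amazonaws.com", "DescribeDBInstances", "198.51.100.77"),
    _event("2017-05-31T09:05:02Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.77"),
    _event("2017-05-31T09:20:30Z", "s3.amazonaws.com", "GetObject", "198.51.100.77"),
]

def build_baseline(events):
    """Per access key: the source IPs and service:action pairs seen historically."""
    baseline = defaultdict(lambda: {"ips": set(), "actions": set()})
    for ev in events:
        entry = baseline[ev["userIdentity"]["accessKeyId"]]
        entry["ips"].add(ev["sourceIPAddress"])
        entry["actions"].add(f'{ev["eventSource"]}:{ev["eventName"]}')
    return baseline

def score_event(ev, baseline):
    """Return the deviations for one event; an empty list means it fits the baseline."""
    known = baseline.get(ev["userIdentity"]["accessKeyId"])  # .get() does not create entries
    if known is None:
        return [NEVER_SEEN]
    reasons = []
    if ev["sourceIPAddress"] not in known["ips"]:
        reasons.append("new source IP")
    action = f'{ev["eventSource"]}:{ev["eventName"]}'
    if action not in known["actions"]:
        reasons.append(f"first use of {action}")
    hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in WORK_HOURS_UTC:
        reasons.append("outside working hours")
    return reasons

def flag_events(events, baseline, min_reasons=2):
    """Alert on unknown keys and on events with at least `min_reasons` deviations."""
    alerts = []
    for ev in events:
        reasons = score_event(ev, baseline)
        if NEVER_SEEN in reasons or len(reasons) >= min_reasons:
            alerts.append((ev["eventTime"], ev["eventName"], reasons))
    return alerts

if __name__ == "__main__":
    for when, action, why in flag_events(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(when, action, "; ".join(why))
```

Run as-is, the routine 22:10Z upload scores zero deviations while the four 09:0xZ calls from 198.51.100.77 are flagged within minutes of the first one, with the STS, RDS and ListBuckets calls each carrying three deviations. Requiring two independent deviations keeps a single new IP (a developer on a new network) from paging anyone; a never-seen access key is alerted on unconditionally because nothing legitimate should be minting keys the inventory does not know about.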

Moving target defense flips the asymmetric advantage of time in favor of defenders. As attackers move laterally through a data infrastructure, the location, size, and encryption of the data are constantly changing. Dynamically moving, mutating, fragmenting, distributing, and re-encrypting data makes it difficult for attackers even to start their attack: a map drawn an hour ago no longer describes where anything is. With CryptoMove, attackers are constantly sent back to square one.
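The cryptographic core of "fragments you copied earlier are worthless now" can be shown in a few lines. The block below is an added illustration, not CryptoMove's algorithm (the post does not describe one); it uses the simplest form of proactive secret sharing: a key is split into n XOR fragments held in n places, and a refresh re-randomizes all fragments so that pre-refresh copies no longer combine with post-refresh ones. The three-fragment layout and the 32-byte secret are constructed for the example.

```python
"""n-of-n secret splitting with periodic share refresh.

Added illustration of the idea behind "move, fragment and re-encrypt so that
captured fragments go stale". It is not CryptoMove's algorithm, which the post
does not describe; it is the simplest form of proactive secret sharing. A key
is split into n XOR fragments held in n places; all n are needed to rebuild it.
A refresh replaces every fragment with a fresh one for the same key, so the
fragments an attacker copied before the refresh no longer combine with the
fragments present after it.
"""
import secrets
from functools import reduce


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret, n):
    """n-1 random fragments plus one that makes the XOR of all n equal the secret."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares


def reconstruct(shares):
    return reduce(xor_bytes, shares)


def refresh(shares):
    """Re-randomize the fragments without changing the secret: XOR each fragment
    with a blinding value, where the blinding values themselves XOR to zero, so
    the secret is unchanged while every individual fragment is new."""
    blinds = [secrets.token_bytes(len(shares[0])) for _ in range(len(shares) - 1)]
    blinds.append(reduce(xor_bytes, blinds))  # XOR of all blinds == 0
    return [xor_bytes(s, b) for s, b in zip(shares, blinds)]


def attacker_mix_recovers(old_shares, new_shares, stolen):
    """Attacker copied the fragments at indices `stolen` before a refresh and the
    rest after it. True only if that mixed set still rebuilds the secret."""
    mixed = [old_shares[i] if i in stolen else new_shares[i] for i in range(len(old_shares))]
    return reconstruct(mixed) == reconstruct(new_shares)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: the secret being protected
    old = split(key, 3)
    new = refresh(old)  # one "move": all three fragments change, the key does not
    print("fragments 0,1 before refresh + fragment 2 after:",
          attacker_mix_recovers(old, new, {0, 1}))  # False
    print("all three before refresh:", attacker_mix_recovers(old, new, {0, 1, 2}))  # True
```

The refresh interval is the attacker's budget: a copy older than one interval is worthless, which is the time asymmetry this section describes. It does nothing against an attacker who reads all n fragments inside a single interval, so the fragments have to sit on systems that must be compromised separately. Real deployments use a k-of-n threshold scheme (Shamir) so that a lost fragment does not lose the key; plain XOR is used here only to keep the refresh step visible.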

Keys to the kingdom

Encryption keys are the crown jewels of any legacy encryption-at-rest system, and too many organizations fail to manage them effectively. OneLogin learned this the hard way: the compromised database tables held not only user and application data but also various types of keys. Keeping keys in the same store as the data they protect is poor security hygiene, and even unsophisticated attackers will take advantage of it. Key management solutions such as hardware security modules (HSMs) are a step in the right direction, but they are often challenging to integrate and costly. Cloud customers using AWS Key Management Service (KMS) or Azure Key Vault cede custody of their encryption keys to the provider, which can be hard to reconcile with regimes such as PCI DSS, HIPAA and GLBA that expect an organization to demonstrate control over the keys protecting regulated data.

CryptoMove guards keys with active defense: dynamic movement, mutation, and distribution — the same protection it applies to data. CryptoMove can create separate keys for each data user, each server, each database, or each application, and can dynamically rotate keys. And the best part about it? You control the keys.

CryptoMove can manage keys in a variety of ways:

  1. Internally in a separate CryptoMove cluster segregated from the data
  2. Integration with external key management systems from third parties
  3. Integration with third-party authorization systems like Okta and Auth0

Key hierarchy: HSM root of trust -> CryptoMove key cluster -> Data
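The hierarchy just listed (a root of trust wrapping per-application keys, which in turn protect the data, with the key tier kept apart from the data tier) is what envelope encryption implements, and it is the property OneLogin's database lacked. The following added example, not CryptoMove's implementation, shows a minimal key service that hands the data tier only wrapped data keys, and a key-encryption-key rotation that re-wraps those data keys without rewriting any ciphertext. The `KeyService` class, the `billing` application and the record layout are hypothetical, and the HMAC-based cipher stands in for a real AEAD only because Python's standard library has no AES:

```python
"""Envelope encryption with the key hierarchy held apart from the data store.

Added example, not CryptoMove's implementation (the post describes none). A root
key (stand-in for an HSM or a segregated key cluster) wraps one key-encryption
key (KEK) per application; each record gets its own data key (DEK), stored
wrapped beside its ciphertext. Rotating a KEK re-wraps DEKs; ciphertext is never
rewritten. The cipher (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC with
separate subkeys) stands in for an AEAD only because the standard library has no
AES; use AES-256-GCM or another vetted AEAD in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))  # ceil(length / 32) blocks
    return b"".join(blocks)[:length]

def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; `aad` binds context such as a record id."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def open_(key, blob, aad=b""):
    """Inverse of seal(); raises ValueError if the tag or `aad` does not match."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyService:
    """Key tier: holds the root key and root-wrapped KEKs. The data tier sees neither."""

    def __init__(self, root_key):
        self._root = root_key
        self._keks = {}     # app_id -> {version: KEK sealed under the root key}
        self._current = {}  # app_id -> current KEK version

    def new_kek(self, app_id):
        version = self._current.get(app_id, 0) + 1
        kek = secrets.token_bytes(32)
        self._keks.setdefault(app_id, {})[version] = seal(self._root, kek, f"{app_id}:{version}".encode())
        self._current[app_id] = version
        return version

    def _kek(self, app_id, version):
        return open_(self._root, self._keks[app_id][version], f"{app_id}:{version}".encode())

    def _wrap(self, app_id, version, dek):
        return version.to_bytes(4, "big") + seal(self._kek(app_id, version), dek, app_id.encode())

    def new_data_key(self, app_id):
        """Return (plaintext DEK for immediate use, wrapped DEK to store beside the data)."""
        dek = secrets.token_bytes(32)
        return dek, self._wrap(app_id, self._current[app_id], dek)

    def unwrap_data_key(self, app_id, wrapped):
        version = int.from_bytes(wrapped[:4], "big")
        return open_(self._kek(app_id, version), wrapped[4:], app_id.encode())

    def rotate_kek(self, app_id, wrapped_deks):
        """Issue a new KEK, re-wrap the DEKs under it and retire the old KEK. No ciphertext changes."""
        deks = [self.unwrap_data_key(app_id, w) for w in wrapped_deks]
        version = self.new_kek(app_id)
        self._keks[app_id] = {version: self._keks[app_id][version]}  # old KEK is destroyed
        return [self._wrap(app_id, version, dek) for dek in deks]

# Data tier: holds ciphertext plus the wrapped DEK, nothing that decrypts on its own.
def store_record(ks, app_id, record_id, plaintext):
    dek, wrapped = ks.new_data_key(app_id)
    return {"id": record_id, "wrapped_dek": wrapped, "ct": seal(dek, plaintext, record_id.encode())}

def read_record(ks, app_id, rec):
    return open_(ks.unwrap_data_key(app_id, rec["wrapped_dek"]), rec["ct"], rec["id"].encode())

def rotate_records(ks, app_id, records):
    new_wraps = ks.rotate_kek(app_id, [r["wrapped_dek"] for r in records])
    for rec, wrapped in zip(records, new_wraps):
        rec["wrapped_dek"] = wrapped

if __name__ == "__main__":
    ks = KeyService(secrets.token_bytes(32))  # root key would live in an HSM or key cluster
    ks.new_kek("billing")
    records = [store_record(ks, "billing", "rec-1", b"4111 1111 1111 1111")]
    rotate_records(ks, "billing", records)
    print(read_record(ks, "billing", records[0]))
```

Two properties matter for the OneLogin scenario. First, a dump of the data tier yields ciphertext and wrapped DEKs only; without the key service (the root key and the per-application KEKs) none of it decrypts, which is the separation the list above insists on. Second, rotation is cheap enough to do routinely: the KEK changes, every DEK is re-wrapped, the old KEK is destroyed, and a wrapped DEK copied before the rotation can no longer be unwrapped, while the ciphertext itself is never read or rewritten. Binding the record id into the tag as associated data also means a ciphertext cannot be silently moved to a different record.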

Setting the record straight: key management does not require expensive, cloud-averse hardware. Fortune 500 companies are now using technologies like CryptoMove for moving target data protection and key management, both in the cloud and on premises.

Lesson learned

Every new data breach highlights an important opportunity for improvement in the way organizations protect sensitive data. In an updated blog post, OneLogin provided some insight into planned improvements:

We have implemented several improvements to strengthen our infrastructure to help mitigate the risk of future intrusion … We have focused our attention on the following areas:

Fine-tune monitoring of AWS API endpoint signals

Strengthen AWS key management

Enhance infrastructure and application encryption

Expand threat hunting activities

Create additional in-app risk mitigation tools

Looking forward, we continue to examine options to further harden our platform and to add new foundational capabilities to provide our customers additional security and control over their data.

Recent large-scale data breaches are forcing organizations to re-evaluate current investments in legacy encryption technology. Effective data protection requires a fundamentally new approach to data security — and CryptoMove is changing the game.
