Advanced Data Protection with HashiCorp Vault

Kapil Arora
HashiCorp Solutions Engineering Blog
5 min read · Apr 21, 2020

(Thanks to Nico, Sebastien Braun and Tim Arenz for their valuable inputs and feedback on this blog post)

Introduction

Organizations store sensitive, personal and valuable data, which must be protected. Leakage of such data can lead to financial loss, reputation risk, legal ramifications and more.

Moreover, organizations must comply with data protection standards and regulations like the PCI DSS, GDPR, HIPAA, etc.

In this blog you will learn what measures organizations take to protect their data, how they implement them, understand their challenges and find out how HashiCorp Vault helps organizations solve these challenges.

Data Protection Measures and Implementation

Encryption at Rest

Transparent Data Encryption (TDE) and Full Disk Encryption (FDE)

Most organizations implement some form of encryption at rest: information is encrypted at the block level in the filesystem or on the physical storage medium. This type of encryption does protect you against physical theft, but it does not protect you if, for example, access to a database or a database host is compromised.

Encryption in Transit

Information is encrypted in flight and decrypted by software only when required, and it is persisted in encrypted form. This type of encryption works well against threats such as SQL injection: even if the data is exfiltrated, it is still encrypted and of no use to the attacker.

Tokenization

Ultra-sensitive information, such as credit card numbers, is commonly protected using tokenization, where the sensitive data is substituted by a non-sensitive surrogate called a token.

Format Preserving Encryption & Data Masking

Information is obfuscated in such a way that it still conforms to the data constraints of the systems of record, and it is decoded as needed.

Data masking is another way to obfuscate information. In this case, however, the data is masked irreversibly and cannot be decoded once it has been encoded.

Hardware Security Module (HSM)

Many organizations use FIPS 140-2-certified Hardware Security Modules (HSMs) to ensure that critical security parameters are protected in a compliant manner.

Data Protection Challenges

Data in most applications must be encrypted, but deploying cryptography and key management infrastructure is expensive, hard to develop against, and not cloud- or multi-data-center-friendly.

Increasing Costs

Procuring and deploying new key management infrastructure, HSMs and support can be expensive.

Vault can help reduce hardware costs related to multiple key management infrastructure solutions, HSMs, licensing and support.

Reduced Productivity

Productivity suffers when teams across an organization and its projects have multiple workflows and APIs to learn, inconsistent cryptographic standards, and restricted access to HSMs.

With Vault, you can create consistent workflows and cryptographic standards across your organization.

Increasing Risk

Risk grows with every additional attack surface through which sensitive data can be intercepted and stolen.

Vault enables you to encrypt sensitive data using centrally managed, audited and secured encryption keys. More importantly, all of this can be achieved through a single workflow and a single set of APIs.

Data Protection Perspectives

Every organization has different personas and decision makers responsible for the rollout and implementation of data protection, and they all have different goals and expectations.

CISO and the security teams

A CISO and the security teams must ensure that the organization and its applications are compliant and audited. They are responsible for security, after all, and hence want to reduce risk by having more control and transparency.

CTO and IT Managers

The CTO and IT Managers are more focused on the cost and productivity of the implementation. They must ensure that they use and build standards and those are consistent across the organization. They are also responsible for time to market. Hence, it is also in their interest to enable their developers by offering them the right tools and processes.

Developers

Developers love and expect APIs, ease of use and simplicity.

Vault and Data Protection

Encryption as a Service

Vault’s transit secrets engine provides Encryption as a Service (EaaS). Vault manages the keys, but the client decides where to store the encrypted data. Applications use Vault APIs to encrypt and decrypt values.

Figure: Transit secret engine encrypt operation
Figure: Transit secret engine decrypt operation

Here is some sample code to enable and use the transit secret engine:
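The transit workflow described above, as an added example that is not the author's sample code: a small Python client that mounts the engine, encrypts, decrypts and rewraps through a `post(path, body)` callable, which against a live server would be an HTTP POST to `/v1/<path>` with an `X-Vault-Token` header. The `FakeTransit` class is a constructed offline stand-in that copies only the API's request and response shapes; the key name `orders` and the sample card number are made up.

```python
"""Transit secrets engine: mount, encrypt, decrypt, rewrap (added example, not the post's code)."""
import base64, re
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):(.+)$")  # transit ciphertext embeds the key version

class Transit:
    def __init__(self, key, post):        # post(path, body) -> parsed JSON response from Vault
        self.key, self.post = key, post
    def setup(self):                      # enable the engine and create the named key
        self.post("sys/mounts/transit", {"type": "transit"})
        self.post(f"transit/keys/{self.key}", {})
    def encrypt(self, plaintext: bytes) -> str:
        body = {"plaintext": base64.b64encode(plaintext).decode()}  # API takes base64, never raw bytes
        return self.post(f"transit/encrypt/{self.key}", body)["data"]["ciphertext"]
    def decrypt(self, ciphertext: str) -> bytes:
        if not CIPHERTEXT_RE.match(ciphertext):
            raise ValueError("not a transit ciphertext")
        data = self.post(f"transit/decrypt/{self.key}", {"ciphertext": ciphertext})["data"]
        return base64.b64decode(data["plaintext"])   # decrypted plaintext comes back base64 too
    def rewrap(self, ciphertext: str) -> str:     # newest key version; plaintext never leaves Vault
        return self.post(f"transit/rewrap/{self.key}", {"ciphertext": ciphertext})["data"]["ciphertext"]

def key_version(ciphertext: str) -> int:
    return int(CIPHERTEXT_RE.match(ciphertext).group(1))

class FakeTransit:
    """Constructed offline stand-in for a Vault server: it mimics only the request and
    response shapes and keeps plaintext in a table, so it is NOT encryption."""
    def __init__(self):
        self.version, self.store = 1, []
    def __call__(self, path, body):
        op = path.split("/")[1] if path.startswith("transit/") else "mount"
        if op == "encrypt":
            self.store.append(base64.b64decode(body["plaintext"]))
            return {"data": {"ciphertext": f"vault:v{self.version}:{len(self.store) - 1}"}}
        if op in ("decrypt", "rewrap"):
            idx = int(CIPHERTEXT_RE.match(body["ciphertext"]).group(2))
            if op == "rewrap":
                return {"data": {"ciphertext": f"vault:v{self.version}:{idx}"}}
            return {"data": {"plaintext": base64.b64encode(self.store[idx]).decode()}}
        return {}  # sys/mounts and transit/keys writes return no data

def demo():
    """Round trip, then rotate the key and rewrap the stored ciphertext under the new version."""
    server = FakeTransit()
    t = Transit("orders", server)
    t.setup()
    ct = t.encrypt(b"4111 1111 1111 1111")   # constructed sample value
    server.version += 1                       # stands in for POST transit/keys/orders/rotate
    fresh = t.rewrap(ct) if key_version(ct) < server.version else ct
    return t.decrypt(fresh), key_version(ct), key_version(fresh)
```

Rewrapping after rotation is what lets you retire old key versions (by raising the key's minimum decryption version) without ever pulling plaintext out of Vault.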

Format-Preserving Encryption

Vault’s transform secrets engine provides AES FF3-1 Format-Preserving Encryption (FPE). Vault manages keys and the client decides format & storage for data. Applications can encode and decode values using the Vault API.

Figure: Transform secret engine FPE encode operation
Figure: Transform secret engine FPE decode operation

Here is some sample code to enable and use the transform secret engine with FPE:

Data Masking

Figure: Transform secret engine data masking encode operation
Figure: Decoding a masked value is not possible

The Transform secrets engine also provides data masking. Vault searches for PII that matches a pattern you configure (credit card numbers, SSNs, passport numbers, etc.) and replaces it. Applications encode (mask) values using the Vault API; decoding a masked value is not possible.

Here is some sample code to enable and use the Transform secret engine with data masking:
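The transform engine's FPE and masking workflows (the two sample-code sections above), as an added example rather than the author's code: it builds the configuration writes and the encode/decode requests the transform API expects, checks that an FPE result actually preserved the card number's format before it is persisted, and emulates masking locally. The regex is a constructed assumption about the shape of `builtin/creditcardnumber`, and the role and transformation names are made up.

```python
"""Transform secrets engine: FPE and masking setup, requests and result checks (added example)."""
import re
# Constructed regex assumed to match the shape of Vault's builtin/creditcardnumber template.
CCN_PATTERN = re.compile(r"(\d{4})[- ]?(\d{4})[- ]?(\d{4})[- ]?(\d{4})")

def transform_setup_writes(role="payments"):
    """Writes (path, body) that mount the engine, define one FPE and one masking transformation
    on the built-in credit card template, and a role that is allowed to use both."""
    return [
        ("sys/mounts/transform", {"type": "transform"}),
        ("transform/transformation/ccn-fpe",
         {"type": "fpe", "template": "builtin/creditcardnumber",
          "tweak_source": "internal", "allowed_roles": [role]}),
        ("transform/transformation/ccn-mask",
         {"type": "masking", "template": "builtin/creditcardnumber",
          "masking_character": "*", "allowed_roles": [role]}),
        (f"transform/role/{role}", {"transformations": ["ccn-fpe", "ccn-mask"]}),
    ]

def encode_request(role, transformation, value):   # response carries data.encoded_value
    return f"transform/encode/{role}", {"value": value, "transformation": transformation}

def decode_request(role, transformation, value):   # only valid for FPE; masking cannot be decoded
    return f"transform/decode/{role}", {"value": value, "transformation": transformation}

def format_preserved(plain, encoded):
    """FPE contract: same length, every digit stays a digit, separators untouched, value changed."""
    return (len(plain) == len(encoded) and plain != encoded
            and all((a.isdigit() and b.isdigit()) or a == b for a, b in zip(plain, encoded)))

def accept_encoded(response, original):
    """Validate an FPE encode response before persisting it instead of the original value."""
    encoded = response["data"]["encoded_value"]
    if not format_preserved(original, encoded):
        raise ValueError("encoded value does not preserve the expected format")
    return encoded

def mask_like_vault(value, masking_character="*"):
    """Constructed emulation of the masking transformation: every character captured by the
    template's groups is replaced; separators survive, and nothing can reverse the result."""
    def repl(m):
        out, start = list(m.group(0)), m.start()
        for g in range(1, m.lastindex + 1):
            for i in range(m.start(g) - start, m.end(g) - start):
                out[i] = masking_character
        return "".join(out)
    return CCN_PATTERN.sub(repl, value)
```

A service that only needs to display or log a card number should request the masking transformation; FPE is for fields that must round-trip through a schema that rejects anything but a card-shaped value.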

KMIP and HSM Integration

You can also use Vault with traditional application and storage systems via KMIP, and integrate it with HSMs to maintain compliance.

KMIP

Vault supports the Key Management Interoperability Protocol (KMIP) and can present itself as a KMIP server to systems such as NetApp, VMware and MySQL.

HSM

Vault supports integration with any HSM that supports PKCS #11.

Multi-tenancy

Vault offers namespaces and can also instantiate multiple KMIP Servers.

Full Disk Encryption (FDE)

Storage systems that support KMIP can retrieve keys stored in Vault and use them to unlock encrypted disks for access.

Transparent Data Encryption (TDE)

KMIP-capable databases can retrieve keys stored in Vault and use them to serve encrypted data.

NetApp & VMware

If you are interested in the integration with NetApp or VMware, check out these blog posts:

  1. HashiCorp Vault as an External Key Manager for NetApp Encryption
  2. Securing VMWare Data: A HashiCorp Vault KMIP Story

Summary

  1. Vault provides the foundation for cloud security.
  2. Vault offers advanced data protection features like EaaS, FPE & Data-masking along with KMIP & HSM integration.
  3. Vault increases agility for deploying new and isolated cryptography and at the same time reduces cost and risk.
