Virtualization Technology News and Information
Article
RSS
Why the Future of Secrets is Vaultless

By Refael Angel, Co-Founder and CTO, Akeyless Security

In today's world, the cloud has emerged as the predominant environment for organizations, serving as the nexus for data storage and application workflows. The confluence of this paradigm shift with advanced DevOps methodologies, heightened reliance on containerization and microservices, and increased automation has led to an exponential surge in the number of machines. These machines, in turn, require a tremendous number of secrets - such as credentials, certificates, and keys - in order to safely communicate with each other, making access to these secrets a mission-critical necessity. Concurrently, cloud migration necessitates intricate orchestration for the seamless operation of these mission-critical processes and concurrently expands the attack surface of applications, thereby posing a formidable security challenge.

Unfortunately, this surge in secrets has inadvertently led to their presence in highly vulnerable locations, including configuration files, infrastructure tools, CI/CD pipelines, and even source code, a phenomenon called "Secrets Sprawl." Consequently, malicious actors have seized upon these vulnerabilities, perpetrating successful breaches that use compromised secrets to infiltrate sensitive databases and cloud providers.

Vaults, Complexity, and the Cloud

Security professionals haven't remained passive spectators in the face of this mounting threat. Their initial remedy to the problem was the deployment of secrets vaults, a technology originally conceived for on-premises environments. These vaults demanded substantial deployment efforts for each installation and meticulous upgrade procedures. Remarkably, this technology has been transplanted "as is" into the cloud arena.

The self-deployed DNA of vaults becomes evident when examining the architecture required for a highly available vault within a single region. In such a scenario, ensuring the high availability of mission-critical secrets necessitates a structure like the one depicted below:

architecture-single-vault-cluster 

Figure 1. Architecture for Single Vault Cluster

Here, a single cluster mandates three vaults to ensure high availability - a primary vault flanked by two standby vaults, interconnected via a load balancer. This intricate setup demands significant engineering resources to manage and maintain.

In a multi-region architecture, this complexity is amplified, necessitating secondary clusters in each region for data recovery, as portrayed below:

vault-architecture-two-regions 

Figure 2. Vault Architecture for Two Regions

As organizations pivot to the cloud, this architectural model rapidly becomes unwieldy, demanding a proliferation of clusters for each cloud account. The ensuing architectural complexity becomes apparent in the diagram below, illustrating a typical organizational landscape encompassing multiple cloud service providers alongside on-premises systems:

vault-cloud-architecture 

Figure 3. Vault Cloud Architecture

Within this intricate landscape, every Virtual Private Cloud (VPC), virtual network, or on-premises system mandates a vault cluster. Each of these clusters includes multiple vaults to ensure availability and data recovery.

Apart from the obvious challenges related to management and cost incurred by this architecture, a more pressing issue emerges - the absence of centralized visibility or management. Attempts to manage this extensive system from a single vault quickly encounter availability bottlenecks. Furthermore, the absence of centralized management ensures that any software update necessitates special efforts for each cluster, region, and environment. In this paradigm, a simple software upgrade can translate into hours of developer time and calendar weeks or even months of deployment time.

The sole alternative to this dispersed architecture is to resort to VPC peering (see image below), a practice that involves granting a central vault cluster access to all of an organization's VPCs. This architectural choice, while ostensibly solving some issues, is a nightmare in terms of maintenance and poses security risks, given that vault clusters require both inbound and outbound access to all organizational networks. Apart from the security problem this approach creates, it requires significant management, thereby increasing risk, cost and complexity for distributed organizations with separate and disparate networks. Even when such an approach is possible, it can take years to deploy.

Vault-Architecture-VPC-Peering 

Figure 4. Vault Architecture with VPC Peering

The Advent of the SaaS Solution: Security Challenges

The apparent solution to the vault conundrum in a cloud-centric environment is the adoption of a SaaS (Software as a Service) secrets management solution. Such a solution promises both the high availability and the data recovery capabilities required by organizations, all while alleviating the management overhead associated with traditional vaults.

However, the implementation of a SaaS solution for secrets management introduces two formidable security challenges:

  1. Access to Internal Resources: Any secrets management solution inherently requires interactions with an organization's internal resources to facilitate the smooth functioning of applications, such as enabling dynamic and rotated secrets and certain types of authentication methods. Unfortunately, traditional SaaS solutions are unable to securely interact with an organization's internal environment, making a true enterprise-level secret management solution difficult to achieve.
  2. The Zero Knowledge Conundrum: The need for zero knowledge, a condition where no entity, including cloud providers and secrets management vendors, possesses access to an organization's sensitive data, keys and secrets, has escalated in significance with the advent of the cloud era. Data encrypted with a key stored in the cloud becomes accessible to the cloud service provider, potentially exposing it to both internal malicious actors and governmental interference, as dictated by the CLOUD Act. A pure SaaS solution, by design, could inadvertently place data at risk, as it may also grant access to data for the secrets manager vendor and any potential malicious actors within their domain. Ultimately, the primary obstacle to adopting SaaS solutions for secrets and key management systems at the enterprise level is the necessity to share and expose the organization's most vital secrets-such as encryption keys, certificates, and critical resource access passwords-to a third party.

The Vaultless Solution Emerges

A new breed of secrets management, enabled by "vaultless architecture," has emerged to address both the challenges posed by SaaS solutions and the complexities inherent in traditional vaults. Vaultless architecture harnesses the power of SaaS technology while introducing innovative features that resolve the security and Zero Knowledge predicaments.

How does this work? Both security challenges can be effectively surmounted through the introduction of a lightweight, stateless "gateway" deployed within the customer's environment, as illustrated in the diagram below:

Vaultless-Gateway-Architecture 

Figure 5. Vaultless Gateway Architecture

The pivotal advantage here is that, in stark contrast to vault clusters, the gateway is a streamlined, stateless process with solely outbound access - the gateway communicates with the SaaS system, but there is no inbound communication from the SaaS. Its lightweight nature enables deployment with a simple Docker command. Crucially, the absence of inbound access ensures that data transfer occurs only when initiated from within the organization's environment, safeguarding against potential breaches via the SaaS provider. Simultaneously, the gateway enables secure interactions between the SaaS solution and the organization's internal processes and data. Finally, the gateway facilitates caching in case of network failures and enables performance acceleration, further bolstering the availability of mission-critical secrets.

The gateway's role in solving the Zero Knowledge dilemma is enabled through the incorporation of Distributed Fragments CryptographyTM (see Figure 6 below). This cryptographic technique enables the encryption of secrets using key fragments that are never combined. These fragments can be stored in diverse regions across various cloud providers. Importantly, each key fragment undergoes constant refreshing. Consequently, to decrypt an organization's secrets, a malicious actor would need to simultaneously breach different regions and cloud providers in order to access the encryption key.

distributed-fragments-cryptography 

Figure 6. Distributed Fragments Cryptography

The Zero Knowledge solution lies in storing one of these key fragments within the organization's gateway, an entity that resides within the organizational domain. Consequently, even if an attacker gains access to various cloud providers, they remain unable to decrypt the organization's secrets. This approach bestows "on-premises" security to the SaaS-based vaultless solution. Not even the vendor of the vaultless solution possesses access to this gateway fragment, ensuring that the organization's secrets remain genuinely secure, with absolute zero knowledge on the part of the vendor as well as cloud providers.

Conclusion

The evolution of secrets management points unequivocally to the vaultless architecture as the beacon guiding organizations through the labyrinth of modern cloud-centric challenges. As businesses continue their migration to the cloud and embrace DevOps methodologies, secrets have become the linchpin of security in the SDLC. Traditional vaults, born in on-premises environments, falter under the weight of complex architectures, scalability issues, and security concerns.

While the allure of SaaS secrets management is palpable, it brings forth critical security questions, particularly regarding internal resource access and the imperative of maintaining zero knowledge. Enter the vaultless solution, a revolutionary paradigm that marries SaaS technology with a lightweight, stateless gateway within the organization's domain. This gateway circumvents the pitfalls of traditional vaults and SaaS-based management, offering secure interactions, high availability, and impregnable zero knowledge.

In an era where data breaches loom large, vaultless secrets management stands as a formidable answer to the ever-expanding demands of technology and security. As organizations navigate the complex landscape of digital transformation, embracing vaultless architecture signifies a bold stride towards a future where secrets are not only managed efficiently but secured with unwavering vigilance.

++

Join us at KubeCon + CloudNativeCon North America this November 6 - 9 in Chicago for more on Kubernetes and the cloud native ecosystem. 

##

ABOUT THE AUTHOR

Refael Angel, Co-Founder and CTO, Akeyless

Refael Angel 

Refael Angel is a seasoned software engineer with expertise in cryptography. He is the mastermind behind Akeyless' Zero-Trust encryption technology with 2 submitted patents. Formerly, Refael was a Senior Software Engineer at Intuit R&D center in Israel. Refael holds a B.Sc. in Computer Science from the Jerusalem College of Technology (graduated at the age of 19).

Published Monday, October 16, 2023 7:36 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<October 2023>
SuMoTuWeThFrSa
24252627282930
1234567
891011121314
15161718192021
22232425262728
2930311234