Secrets in the Clear:
The Danger of Going Cloud-Native
Cloud-native methodologies such as DevOps, continuous integration/delivery, containers and microservices are an essential building block in the digital business revolution; however, they have created a unique security challenge because the hardware and the stack are abstracted away.
For example, crypto keys that previously resided in an HSM in a legacy application are now typically stored encrypted in a central vault. However, when used by an application, they are decrypted and often exposed in the clear in the application's memory, where they are vulnerable to compromise by an attacker.
Another challenge is that containers, which include only a fraction of the stack, don’t have good methods for storing and protecting identity and local secrets. How can sensitive resources, such as a vault or a database, that are accessed by containers be secure if weakly identified containers can access them, too?
High Trust, Low Touch, Versatile Cloud-Native Secrets & Container Identity Management
Unbound is a tech enabler, allowing organizations to fully embrace cloud-native methodologies without compromising security and trust. Based on Unbound’s platform-agnostic vHSM technology, now each container can securely manage secrets, keys and container identities at a security level comparable to a hardware root of trust.
Managing Secrets & Crypto Keys – Unbound is different from traditional software-based schemes that use the private key and either keep it in memory or attempt to obfuscate it. Instead, with Unbound, secrets are never in the clear at any point in their lifecycle. Containers can securely use various secrets without ever being exposed to them in clear form.
Strong Identity and PKI Credentials for Containers – Unbound allows containers to securely and swiftly acquire strong identity and PKI credentials that can then be used to access different resources, providing unmatched security for identities and local secrets, effectively creating a local virtual TPM (Trusted Platform Module) for each container. Unbound also lets you assign identity at any level of granularity, such as application, pod or container.
Pure-software solution that achieves hardware-grade security
No dependency on underlying hardware and physical infrastructure (e.g. HSM)
Central key management and audit across distributed environments
Infinitely scalable to support vast cloud-native environments
No changes in the application or the container orchestration platform are required
Platform agnostic – support of any PaaS or container orchestration platform
Here’s how it works:
Unbound Key Control (UKC) allows cloud-native applications to use various secrets without ever handling them in clear text. Based on Unbound’s vHSM technology, UKC protects different types of secrets, such as cryptographic keys, passwords, tokens and many more.
In addition, a real-time, tamper-proof audit log records every secret operation. Being a software-only solution, it supports cloud-native applications across any environment, including different cloud service providers, on-premises and private clouds.
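The contrast drawn above between "fetch the key from a vault and use it in memory" and "use the key without ever seeing it" is easiest to see side by side. The following is an added, self-contained illustration written for this page; it is not Unbound code and does not model how vHSM or UKC work internally. Pattern A decodes a constructed vault entry into application memory and returns the key bytes that now sit there. Pattern B keeps the key inside a small key service, hands the application only an opaque handle, and appends every operation to a hash-chained audit log so that editing or deleting an earlier entry is detectable. The vault contents, key name, handle format and log fields are all made up for the example.

```python
"""Added example (not Unbound code): in-memory key use versus handle-based use
with a hash-chained audit log. All values below are constructed for the demo."""
import base64
import hashlib
import hmac
import json

# Constructed vault: one key, base64-encoded to stand in for "encrypted at rest".
CONSTRUCTED_VAULT = {"signing-key-1": base64.b64encode(b"0123456789abcdef").decode()}
GENESIS = "0" * 64  # first link of the audit chain


def pattern_a_in_memory(data: bytes) -> tuple[str, bytes]:
    """Pattern A: fetch, decode and use the key in the application process.
    Returns the MAC and the key bytes that now live in application memory."""
    key = base64.b64decode(CONSTRUCTED_VAULT["signing-key-1"])  # key in the clear here
    mac = hmac.new(key, data, hashlib.sha256).hexdigest()
    return mac, key  # anything that can read this process's memory has the key


class KeyService:
    """Pattern B: the key never leaves this object; callers hold only a handle.
    Every operation is recorded in a hash-chained audit log."""

    def __init__(self, vault: dict[str, str]):
        self._keys = {name: base64.b64decode(v) for name, v in vault.items()}
        self.audit: list[dict] = []
        self._prev_hash = GENESIS

    @staticmethod
    def handle_for(name: str) -> str:
        # Opaque handle derived from the key name; carries no key material.
        return hashlib.sha256(name.encode()).hexdigest()[:16]

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, op: str, handle: str) -> None:
        entry = {"seq": len(self.audit), "op": op, "handle": handle, "prev": self._prev_hash}
        entry["hash"] = self._entry_hash(entry)
        self._prev_hash = entry["hash"]
        self.audit.append(entry)

    def sign(self, handle: str, data: bytes) -> str:
        """Compute an HMAC on behalf of the caller; the caller never sees the key."""
        name = next(n for n in self._keys if self.handle_for(n) == handle)
        self._record("sign", handle)
        return hmac.new(self._keys[name], data, hashlib.sha256).hexdigest()

    def verify_audit(self) -> bool:
        """Walk the chain: each entry must hash correctly and point at its predecessor."""
        prev = GENESIS
        for entry in self.audit:
            if entry["prev"] != prev or self._entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    mac_a, exposed = pattern_a_in_memory(b"payload")
    svc = KeyService(CONSTRUCTED_VAULT)
    mac_b = svc.sign(svc.handle_for("signing-key-1"), b"payload")
    print("same MAC:", mac_a == mac_b, "| key bytes in app memory (A):", exposed)
    print("audit chain intact:", svc.verify_audit())
```

Both patterns produce the same MAC for the same input, which is the point: moving the operation behind a handle costs the application nothing functionally, but the key bytes that `pattern_a_in_memory` returns simply do not exist in the caller under pattern B. The audit chain is what makes "every operation is logged" useful to a defender: `verify_audit` fails as soon as any entry is altered or removed.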
Unbound Crypto-of-Things (CoT) assigns identity to your containers, enabling secure access to various resources. The identity is strongly protected by Unbound’s vHSM technology which creates a virtual TPM that is used to store identity and local secrets at the security level of hardware.
It’s a high trust, low touch and versatile solution that allows containers to securely acquire strong identity and PKI credentials that can then be used to access different resources. It uses standard environment primitives and seamlessly integrates with the leading container orchestration platforms.