Traditional methods no longer suffice to protect sensitive data from modern threats. Conventional strategies relied on fortress-like defenses, a concept where the network perimeter acted as a barrier assumed to be impenetrable by external threats. But modern adversaries have evolved to bypass these outdated methods easily, and today's cyber threats penetrate traditional security measures with little effort. […] The post Enhancing Security and Reducing Costs with Advanced Zero Trust Implementation appeared first on Centraleyes and was syndicated on Security Boulevard.
AWS re:Invent is in full swing this week in Las Vegas. HashiCorp has a big presence at the event, with breakout sessions, expert talks, and product demos. As AWS re:Invent dominates the tech headlines, we wanted to reflect on our current project collaborations with AWS and the state of HashiCorp security and networking initiatives with AWS. That includes securing workloads in EKS with HashiCorp Vault, Vault Lambda Extension caching, Vault + AWS XKS, updates on HashiCorp Consul on AWS, and more.

»HashiCorp and AWS Security

HashiCorp Vault provides the foundation for modern cloud security. Vault was purpose-built in the cloud era to authenticate to and access multiple clouds, systems, and endpoints, and to centrally store, access, and deploy secrets (API keys, credentials, etc.). It also provides a simple workflow to encrypt data in flight and at rest. Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity. With Vault and the HashiCorp model for zero trust security, organizations can manage their transition to AWS while maintaining the level of security they need: one that trusts nothing and authenticates and authorizes everything.

Specific HashiCorp-AWS security developments in the last year include:

»HashiCorp and AWS Secure Workloads in EKS with Vault

HashiCorp partnered with AWS to make it easier to use Vault, our enterprise secrets management solution, on AWS. EKS Blueprints is a new open source project that aims to make it easier and faster for customers to adopt Amazon Elastic Kubernetes Service (EKS). As part of the EKS Blueprints launch, AWS and HashiCorp built an add-on repository that lets you enable and start up Vault instances in Kubernetes; with the add-on, you can bring up Vault inside EKS with a single command.
»Vault Lambda Extension Caching

With the arrival of the Vault AWS Lambda extension in 2020, practitioners who had standardized on HashiCorp Vault for secrets management and AWS Lambda as their serverless compute environment no longer had to make their Lambda functions Vault-aware. The extension retrieves the specified secret from a Vault cluster and presents it to the Lambda function. This year we announced a new caching feature for Lambda and Vault infrastructure: Vault Lambda extension caching. The extension can now cache the tokens and leased secrets proxied through its agent, including the auto-auth token. This makes Vault secrets easier to consume from edge applications, reduces the I/O burden that basic secret reads place on Vault clusters, and allows secure local access to leased secrets for the life of a valid token.

»Vault + AWS XKS

AWS External Key Store (XKS) is a new capability in AWS Key Management Service (AWS KMS) that allows customers to protect their data in AWS using cryptographic keys held inside on-premises hardware security modules (HSMs), software security modules (SSMs) such as Vault, or other key managers outside of AWS. The integration mirrors the existing support for AWS CloudHSM within KMS, except that the customer-controlled key manager resides outside of an AWS datacenter. For regulatory and compliance reasons, some enterprises need to keep their encryption key material, and the people who operate it, completely outside of AWS infrastructure. When Vault runs outside of AWS, it can serve as a software security module (SSM) that stores and manages this root of trust for a customer's AWS account. One operational consequence to plan for: because KMS calls out to the external key manager for every operation on an XKS-backed key, the availability and latency of that key manager (and of the XKS proxy in front of it) become part of the availability of every AWS service that uses those keys. For a more detailed overview of the external key store capabilities, see the External Key Store (XKS) announcement on the AWS News Blog.
»HashiCorp Boundary at AWS re:Inforce

Earlier this year at AWS' security conference, AWS re:Inforce, HashiCorp presented a new way to safeguard who and what has access to applications, systems, and endpoints with the beta release of HCP Boundary. HCP Boundary is now generally available and provides an easy way to securely access critical systems with fine-grained authorizations based on trusted identities. Boundary on the HashiCorp Cloud Platform (HCP) provides a fully managed, single workflow to securely connect to hosts and critical systems across Kubernetes clusters, cloud service catalogs, and on-premises infrastructure.

»HashiCorp Wins AWS Security Partner of the Year in North America

Amazon Web Services has named HashiCorp the winner of its Security Partner of the Year award in North America, validating HashiCorp's vision for delivering zero trust security to cloud infrastructure. The award recognizes top partners with the AWS Security Competency and affirms HashiCorp as a partner with proven customer success stories securing every stage of cloud adoption, from initial migration through ongoing day-to-day management. HashiCorp is also one of the 2022 Regional and Global AWS Partner Award winners, with which AWS recognizes leaders around the globe playing a key role in helping customers drive innovation and build solutions on AWS. Announced at AWS re:Invent, the AWS Partner Awards recognize AWS partners whose business models have embraced specialization, innovation, and collaboration over the past year, and whose models continue to evolve and thrive on AWS as they work with customers.

»HashiCorp and AWS Networking

HashiCorp Consul is a cloud services networking platform that helps discover, securely connect, and improve the resiliency and visibility of services across AWS services like Amazon Elastic Compute Cloud (Amazon EC2), Amazon EKS, AWS Fargate, Amazon Elastic Container Service (Amazon ECS), and AWS Lambda. Consul enables services like these to automatically find each other, and enables secure connections between specific services according to security policies.

Specific HashiCorp-AWS networking developments in the last year include:

»Consul on AWS Updates

This year, HashiCorp Consul on Amazon ECS added support for multi-tenancy, AWS Identity and Access Management (IAM), and mesh gateways. AWS Lambda updates, which include Consul mesh services invoking AWS Lambda functions (now generally available) and AWS Lambda functions accessing Consul mesh services (in beta), help organizations interested in serverless computing remove a barrier to adoption: the difficulty of integrating these workloads into the service mesh. With this release, service mesh users have consistent workflows for encrypted communication between mesh services and Lambda functions.

At AWS re:Invent, HashiCorp helped highlight Comcast's journey to service networking with HashiCorp Consul and AWS during a speaker session. Comcast's architecture includes multiple on-premises datacenters and cloud services, including Amazon ECS, AWS Fargate, AWS Lambda, Amazon EC2 VMs, on-premises Kubernetes, and on-premises VMs. The multinational telecommunications conglomerate adopted Consul because it flexibly supports Comcast's cloud and on-premises workloads in multiple AWS regions, as well as the company's own datacenters. Consul helps manage this complexity while scaling with resiliency.

»HashiCorp Consul on AWS Resources

Modern infrastructure may require that services run in different networks, runtimes, or compute solutions, such as Amazon EC2, Amazon EKS, AWS Fargate, Amazon ECS, or AWS Lambda. To support these services, HashiCorp provides tutorials and documentation on how to run Consul on Kubernetes, VMs, and AWS services including Amazon ECS and AWS Lambda. We have a large number of resources that can help you learn how to use Consul to securely connect your services on AWS:

- Get Started with Consul on Kubernetes
- Get Started with Consul on VMs
- Consul with ECS Workloads
- Consul with Lambda Workloads
- Consul Cluster Peering on Kubernetes in AWS
- Consul Learn Lab: Deploy Resilient Applications with Service Mesh and AWS Lambda

»A Cloud-Managed Zero Trust Security Solution

HashiCorp Cloud Platform (HCP) is a fully managed platform available for HashiCorp Terraform, Vault, Consul, Boundary, Waypoint, and Packer. This year, HashiCorp announced the industry's first zero trust security solution fully deployed on the cloud, combining HCP Vault, HCP Consul, and HCP Boundary to secure applications, networks, and people, delivered on AWS.

To learn more about Vault, Boundary, or Consul, visit our product pages on HashiCorp.com and read our getting started tutorials on HashiCorp Developer. And if you're attending AWS re:Invent, please stop by our booth (#3410) to chat with our technical experts, take in a product demo, and learn how companies are accelerating their cloud journey with HashiCorp and AWS.
As more organizations undergo digital transformation, evolve their IT infrastructure, and migrate to public cloud, the role of digital certificates will grow, and grow a lot. Certificates and certificate authorities (CAs) play a key role both in modern IT models like DevOps and in the evolution of traditional enterprise IT. In August, we announced our Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs while meeting the needs of modern developers building and running modern systems and applications. Take a look at how easy it is to set up a CA in minutes!

At launch, we showed how CAS allows DevOps security officers to focus on running the environment and offload time-consuming and expensive infrastructure setup to the cloud. Moreover, as remote work continues to grow, it is bringing a rapid increase in zero trust network access, and with it the need to issue an increasing number of certificates for many types of devices and systems outside the DevOps environment. The challenge that emerged is that both the number of certificates and the rate of change went up. It is incredibly hard to support a large work-from-home (WFH) workforce from a traditional on-premises CA, assuming your organization even has the "premises" where it can be deployed.

To be better ready for these new WFH-related scenarios, we are introducing a new Enterprise tier that is optimized for machine and user identity. These use cases tend to favor longer-lived certificates and require much more control over the certificate lifecycle (e.g., the ability to revoke a certificate when a user loses a device). This new tier complements the DevOps tier, which is optimized for high-throughput environments that tend to favor shorter-lived certificates (e.g., for containers, microservices, load balancers, etc.) issued at an exceptionally high rate (QPS, here meaning the number of certificates issued per second).
Simply put, our goal with the new Enterprise tier is to make it easy to lift and shift your existing on-premises CA. Today CAS supports "bring your own root," allowing the existing CA root of trust to continue being the root of trust for CAS: in practice the existing root signs a subordinate CA created in CAS, so the root's private key never leaves its current home. This gives you full control over your root of trust while offloading scaling and availability management to the cloud. It also gives you the freedom to move workloads across clouds without having to re-issue your PKI, and vastly reduces migration cost. Moreover, through our integration with widely deployed certificate lifecycle managers (e.g., Venafi and AppViewX), we have made the lift and shift of an existing CA to the cloud a breeze, so you can continue using the tooling you are familiar with and simply move your CA to the cloud. CAS uses FIPS 140-2 Level 3 validated HSMs to protect private key material.

With the two tiers of CAS (Enterprise and DevOps), you can now address all your certificate needs, whether for your DevOps environments or for your corporate machine and user identity, in one place. This is great news for security engineers and CA admins, who can now use a single console to manage the certificates in the environment, create policies, audit, and react to security incidents. Visibility and expiration have always been the two biggest issues in PKI, and with CAS and our partner solutions you can solve both in one place. So whether you are at the beginning of your journey with certificates and CAs, or have an existing CA that has reached its limit in addressing the surge in demand (whether due to WFH or a new DevOps environment), CA Service can deliver a blend of performance, convenience, and ease of deployment and operation with the security and trust benefits of Google Cloud. CAS is available in preview for all customers to try.
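The two certificate lifecycles the tiers are built around, as an added example in Go's standard crypto/x509; this is not CAS code, it does not call the CAS API, the keys are in-memory P-256 keys standing in for HSM-held ones, and the names are made up. It builds a self-signed root playing the part of the existing on-premises root, a subordinate issuing CA under it (the "bring your own root" arrangement), a one-hour service certificate of the kind the DevOps tier issues and a one-year user certificate of the kind the Enterprise tier issues, then shows why the two tiers need different controls: the short-lived certificate simply expires, while the long-lived one can only be cut off through a CRL, which the verifier must check is genuine and still current.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with its signing key; an in-memory P-256 key stands in
// for the HSM-held key a managed service would use (assumption of this example).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomSerial returns a positive 128-bit serial; CRL entries are keyed by serial.
func randomSerial() *big.Int {
	s := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	return s.Add(s, big.NewInt(1))
}

// Issue creates a certificate signed by issuer (self-signed when issuer is nil):
// a CA when isCA is set, otherwise an end-entity certificate for the given usage.
func Issue(cn string, issuer *CA, now time.Time, life time.Duration, isCA bool, use x509.ExtKeyUsage) CA {
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(life),
		IsCA: isCA, BasicConstraintsValid: isCA,
		MaxPathLenZero: isCA && issuer != nil, // subordinates may only issue leaves
		KeyUsage:       x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{use},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// Revoke signs a CRL from issuer listing the given serials. Revocation is the
// only way to end a long-lived certificate before its NotAfter.
func Revoke(issuer *CA, now time.Time, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key))
	return must(x509.ParseRevocationList(der))
}

// Verify checks that leaf chains through sub to root at time at for the given
// usage and, when a CRL is supplied, that it is really sub's, still current,
// and does not list the leaf. A stale or foreign CRL is a failure, not a pass.
func Verify(root, sub *CA, leaf *x509.Certificate, at time.Time, use x509.ExtKeyUsage, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(sub.Cert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{use}}); err != nil {
		return err
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(sub.Cert); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%s revoked at %s", leaf.Subject.CommonName, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Now()
	root := Issue("Example Corp Root CA", nil, now, 87600*time.Hour, true, 0)
	sub := Issue("Example Corp Issuing CA", &root, now, 43800*time.Hour, true, 0)
	svc := Issue("orders.internal", &sub, now, time.Hour, false, x509.ExtKeyUsageServerAuth).Cert
	user := Issue("alice@example.com", &sub, now, 8760*time.Hour, false, x509.ExtKeyUsageClientAuth).Cert
	crl := Revoke(&sub, now, user.SerialNumber) // Alice reports her laptop stolen
	fmt.Println("service cert, 2h later:", Verify(&root, &sub, svc, now.Add(2*time.Hour), x509.ExtKeyUsageServerAuth, nil))
	fmt.Println("user cert, 2h later:", Verify(&root, &sub, user, now.Add(2*time.Hour), x509.ExtKeyUsageClientAuth, crl))
}
```

The DevOps-tier certificate needs no revocation machinery at all because a one-hour lifetime bounds the damage of a stolen key; the Enterprise-tier certificate is only as revocable as the CRL (or OCSP) pipeline that relying parties actually consult, which is why the verifier above refuses to treat a certificate as good when the CRL it was handed is expired or signed by the wrong issuer.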
Call to action:

- Review the CAS video "Securing Applications with Private CAs and Certificates" at Google Cloud Security Talks.
- Review "Introducing CAS: Securing applications with private CAs and certificates" for other CAS use cases, such as support for DevOps environments.
- Try Certificate Authority Service for your organization.