Unvired Digital Enterprise Platform is now fully integrated with the Vault Project from HashiCorp to enhance security
The Unvired Digital Enterprise Platform (UDEP) encrypts all configuration and messages before they are persisted, following industry best practice. All data for a company is encrypted with AES-256 (the same cipher banks use to protect transactions) under a symmetric key. Each company has its own symmetric key, so one company's data can never be decrypted with another company's key. To protect the keys themselves, they are stored in key files in a landscape that is physically separate from the servers running UDEP; in an AWS environment, for example, they are stored in S3. The passwords for these key files are stored separately, encrypted with a landscape key.
To further harden this, UDEP is now fully integrated with the Vault Project from HashiCorp. From the HashiCorp website: “Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.”
So how exactly does UDEP use Vault?
The passwords for the key files are now stored in Vault, one per company. The Vault access tokens are passed to UDEP via environment variables, and each token carries a tightly scoped policy so that it can perform only the permitted operations on the permitted paths.
Additionally, the auth tokens can be response wrapped. In that case the real token is placed in a cubbyhole in Vault and UDEP is configured with a temporary, one-time wrapping token instead. UDEP unwraps it and then uses the real token to access the keys. A wrapping token can be unwrapped only once, so if the unwrap operation fails, someone else has already consumed it; UDEP can then be shut down immediately and the Vault sealed to prevent any further compromise. It also means the configured environment variable is practically useless to an attacker who captures it later, because it cannot be reused.
To limit the damage if a token is compromised, tokens can also be issued as periodic tokens that must be renewed regularly and expire if they are not. Issued tokens can be revoked, after which they can no longer be used to access the keys.
UDEP also supports rotating the keys it stores via Vault. The keys of all companies can be rotated, so your data stays as secure as your policy requires.
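The flow in the last three paragraphs, as an added example in Python that is not part of the original page or of UDEP: a client that trades the one-time wrapping token from the environment for the real token, reads the company's key-file password, renews a periodic token, and seals Vault when an unwrap fails. The endpoint paths are Vault's documented HTTP API; the environment-variable name VAULT_WRAPPING_TOKEN, the KV v2 path secret/data/udep/keys/<company>, the token values and the in-memory FakeVault used to run it offline are assumptions made for this example.

```python
"""Client side of the response-wrapped token flow. Fails closed on a bad unwrap.

Assumptions (not UDEP's real configuration): env var VAULT_WRAPPING_TOKEN,
KV v2 path secret/data/udep/keys/<company>, and the constructed FakeVault.
"""
import json
import os
import urllib.error
import urllib.request


class UnwrapFailed(Exception):
    """The one-time wrapping token was already used, expired or never existed."""


def http_call(addr, method, path, token, body=None):
    """Real transport: one JSON call against a Vault server. Returns (status, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method, data=data,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else {})


class VaultClient:
    """Thin wrapper over the few Vault endpoints the unwrap flow needs."""

    def __init__(self, addr, call=http_call):
        self.addr = addr
        self.call = call  # injectable transport, so the flow can be exercised offline

    def unwrap(self, wrapping_token):
        """POST /sys/wrapping/unwrap: trades the one-time token for the real one."""
        status, data = self.call(self.addr, "POST", "sys/wrapping/unwrap", wrapping_token)
        if status != 200 or "auth" not in data:
            raise UnwrapFailed(f"unwrap rejected ({status}): {data.get('errors')}")
        return data["auth"]["client_token"]

    def read_kv2(self, token, path):
        """GET a KV v2 secret; PermissionError when the token's policy denies the path."""
        status, data = self.call(self.addr, "GET", path, token)
        if status == 403:
            raise PermissionError(path)
        if status != 200:
            raise RuntimeError(f"read {path} failed ({status})")
        return data["data"]["data"]

    def renew_self(self, token):
        """POST /auth/token/renew-self: a periodic token must be renewed within its period."""
        status, _ = self.call(self.addr, "POST", "auth/token/renew-self", token)
        return status == 200

    def seal(self, token):
        """PUT /sys/seal (real Vault needs a sudo-capable token): emergency stop."""
        status, _ = self.call(self.addr, "PUT", "sys/seal", token)
        return status in (200, 204)


def fetch_keyfile_password(client, company, env=os.environ):
    """Unwrap the token handed over via the environment, then read the company's secret.

    An UnwrapFailed here means the wrapping token was already consumed, i.e. someone
    read the environment before us; the caller should stop and seal rather than retry.
    """
    real_token = client.unwrap(env["VAULT_WRAPPING_TOKEN"])
    return client.read_kv2(real_token, f"secret/data/udep/keys/{company}")


class FakeVault:
    """Constructed in-memory stand-in for the endpoints above (not the Vault API itself).
    Models the two properties that matter: a wrapping token is single-use, and a real
    token can read only the paths its policy allows."""

    def __init__(self):
        self.wrapping = {"hvs.wrap-once": "hvs.company-a"}  # one-time token -> real token
        self.policies = {"hvs.company-a": {"secret/data/udep/keys/company-a"}}
        self.secrets = {"secret/data/udep/keys/company-a": {"password": "kf-pw-a"},
                        "secret/data/udep/keys/company-b": {"password": "kf-pw-b"}}
        self.sealed = False

    def call(self, addr, method, path, token, body=None):
        if self.sealed:
            return 503, {"errors": ["Vault is sealed"]}
        if path == "sys/wrapping/unwrap":
            real = self.wrapping.pop(token, None)  # pop: a second unwrap finds nothing
            if real is None:
                return 400, {"errors": ["wrapping token is not valid or does not exist"]}
            return 200, {"auth": {"client_token": real}}
        if path == "sys/seal":
            self.sealed = True
            return 204, {}
        if path == "auth/token/renew-self":
            return (200, {"auth": {"client_token": token}}) if token in self.policies else (403, {})
        if path not in self.policies.get(token, set()):
            return 403, {"errors": ["permission denied"]}
        return 200, {"data": {"data": self.secrets[path], "metadata": {"version": 1}}}


if __name__ == "__main__":
    fake = FakeVault()
    client = VaultClient("http://127.0.0.1:8200", call=fake.call)
    env = {"VAULT_WRAPPING_TOKEN": "hvs.wrap-once"}
    print(fetch_keyfile_password(client, "company-a", env))  # succeeds exactly once
    try:
        fetch_keyfile_password(client, "company-a", env)  # replay of the same env var
    except UnwrapFailed as e:
        print("replay detected, sealing:", e)
        client.seal("hvs.company-a")
```

Against a real server, construct `VaultClient(os.environ["VAULT_ADDR"])` and leave the transport at its default; the wrapping token itself comes from `vault token create -policy=<company policy> -period=24h -wrap-ttl=60s` run by the operator who provisions the environment.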
- Key-file passwords are stored in a separate Vault.
- Access is provided via response-wrapped one-time tokens.
- Access tokens can be periodic, so they expire unless renewed and can be revoked in case of a compromise.
- Keys can be rotated according to your security policy.
- Vault provides a detailed audit log that records all access operations for monitoring and verification.
With the UDEP and Vault integration, your configuration information and business data are therefore strongly protected. Stay safe.
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
See http://blog.cloudflare.com/inside-shellshock/ for an explanation of how attackers are exploiting the bug.
UMP and Shellshock:
Shellshock affects systems running the Bash shell. UMP is currently supported on Linux and Unix systems, which typically run Bash. While UMP itself is not directly affected, the bug exposes the underlying system to attacks, and it is critical that the system is patched. Please contact your OS provider for the required patches and apply them immediately.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Details: http://heartbleed.com/
UMP and Heartbleed:
UMP is currently supported on SAP NetWeaver and on Red Hat JBoss. Neither SAP NetWeaver nor JBoss is affected by the Heartbleed bug. SAP customers can read more here: https://service.sap.com/~sapidb/011000358700000308332014E/ (SAP login required), and JBoss customers can check https://access.redhat.com/solutions/785113 and http://anil-identity.blogspot.in/2014/04/jbosswildflyas-openssl-heartbleed.html?m=1
UMP is therefore not affected by Heartbleed. Additionally, the public UMP sites can be tested with online Heartbleed checks such as http://safeweb.norton.com/heartbleed. Nevertheless, as a precaution, Unvired aligns with the general advice to change passwords used on affected websites once those sites have been patched.