A couple of days ago, CapitalOne suffered a serious data breach. The cloud security community is scrambling to understand and analyze this breach, but the truth is, there is nothing new or interesting to see here. Contrary to social media gossip, the attackers in the CapitalOne disclosure exploited a well-understood and standard type of security vulnerability. For a detailed account of what actually happened, see the write-up by Aporeto CTO Dimitri Stiliadis on Medium.
The vulnerability that led to the CapitalOne breach is rooted in a fundamentally flawed security model, in which it is far too easy for users to gain access to the metadata API. Though it is possible to fix this issue with a Trusted Platform Module (TPM) architecture, for the average cloud user, such an architecture is almost impossible to deploy at scale.
The only effective and realistic way to limit access to the metadata API, and to prevent disasters like the CapitalOne breach, is to completely rethink how you manage the distribution of credentials to applications and cloud workloads. Aporeto provides a solution for preventing this type of attack from happening in the future. We outline our approach below.
The Aporeto Identity Platform
The Aporeto Identity Platform actually introduces the methods above to protect and harden identity distribution. Here are some of the underlying mechanisms:
1. Every user, process, or container with access to a VM is automatically restricted from accessing the metadata API for credentials. Indeed, the metadata API only needs to provide a role that allows the platform to bootstrap an identity distribution mechanism, not direct access to any underlying facilities. There is no need for a service role that provides access to any other API, or that is a superset of all possible service roles that a VM might need.
2. An admission control mechanism captures the identity features of the caller and determines dynamically whether they can have access to specific service role credentials. With this mechanism, the “all or nothing” approach of the post-it note is replaced with fine-grained admission control to specific ephemeral identities. Obviously, the mechanism includes a full set of auditing capabilities that can immediately provide an alert for any malicious attempts.
3. Credentials can be provided through a one-time access mechanism and only to the master process of any processing context. Every time an application is rebooted or restarted, the application characteristics are evaluated again. If a remote execution attack results in an attempt to launch a malicious process, that process will not have access to the credentials.
Essentially, the Aporeto Identity Platform provides you with the capabilities to manage the distribution of credentials to applications and cloud workloads without relying on insecure post-it notes.
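The three mechanisms listed above (identity-based admission, one-time issuance to the master process, and auditing) can be modelled as a small credential broker. This is an added example, not Aporeto's code; the class names, the policy table, and the identity features (`exe_sha256`, `is_master`, `boot_id`) are hypothetical.

```python
"""Toy credential broker: admission control, one-time issuance, auditing.
All names and identity features here are hypothetical (not Aporeto code)."""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Caller:
    pid: int
    exe_sha256: str   # identity feature: hash of the calling binary
    is_master: bool   # True only for the master process of the context
    boot_id: str      # changes on every reboot/restart of the application


# Constructed policy: which binary identity may obtain which service role.
POLICY = {"sha256:web-frontend": {"s3-read-assets"}}


@dataclass
class Broker:
    issued: set = field(default_factory=set)   # (boot_id, role) already handed out
    audit: list = field(default_factory=list)  # (pid, role, outcome) per request

    def request(self, caller, role):
        """Return an ephemeral token or None; every decision is audited."""
        reason = self._deny_reason(caller, role)
        self.audit.append((caller.pid, role, reason or "granted"))
        if reason:
            return None
        self.issued.add((caller.boot_id, role))
        return secrets.token_urlsafe(16)  # stand-in for a short-lived credential

    def _deny_reason(self, caller, role):
        # Fine-grained admission: the role must be allowed for this identity.
        if role not in POLICY.get(caller.exe_sha256, set()):
            return "role not allowed for this identity"
        # Only the master process of the processing context may ask.
        if not caller.is_master:
            return "not the master process"
        # One-time access: a later request in the same start is refused.
        if (caller.boot_id, role) in self.issued:
            return "credential already issued for this start"
        return None

    def alerts(self):
        """Audit entries that should raise an alert (all denials)."""
        return [entry for entry in self.audit if entry[2] != "granted"]
```

A process spawned later inside the same context fails the `is_master` check, and a restart produces a new `boot_id`, so the application is evaluated again before it receives a fresh credential.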
If you would like to learn more about some of the other cloud security problems we solve, check out our latest whitepaper Serverless Meets Secretless. For more information on Aporeto’s Zero Trust Cloud Security solutions, please visit our website or reach out to us at email@example.com.