This is a guest post by nCipher's senior sales engineer, Oli Wade.
The purpose of the blog is to introduce you to incorporating high assurance cryptographic security with hardware security modules (HSMs) into your Red Hat OpenShift projects. Since this might be new territory for some in the developer community, I’ll take a moment to explain what an HSM is.
An HSM is a specialized hardware device that is designed for the purpose of protecting encryption keys and conducting cryptographic processes such as creating digital signatures. Keys are generated according to strict security standards and based on an internal high-quality entropy source. HSMs are robust, tamper-resistant devices that incorporate innovative security features to ensure the protection of sensitive key material.
The alternative to using an HSM is to store encryption keys in software – which can be risky since skilled attackers can identify critical key material based on its unique, random characteristics. High value keys should be protected to the best achievable standards, since their loss might cause considerable financial and reputational damage – as well as a compliance violation. HSMs provide this protection and many are certified to internationally-recognized standards like FIPS 140-2 and Common Criteria, while also being recognized by security auditors as an effective tool to mitigate cyber risk.
Applications in a containerized architecture are built, deployed and operated with contemporary methods including orchestration and dynamic scalability. These advancements bring challenges when it comes to including integration with HSMs, in a way that is compatible with this type of modern workflow. This is because applications that rely on HSMs historically require installation of special supporting software and libraries, plus manual configuration of both the server and the HSM to enable secure connections to be made between them.
Now, thanks to the integration of nCipher nShield HSMs with OpenShift, it is possible to easily incorporate highly scalable crypto operations into your containerized application architecture.
Before discussing how to integrate nShield HSMs with OpenShift, it may be instructive to consider visually where the HSM fits in the context of the OpenShift platform:
As depicted in the diagram above, the nShield HSM is an external component accessed over the network. It provides highly available and scalable certified crypto offload for protecting valuable key material – so that it is never exposed within the containerized architecture or platform (where it might be observed or captured by systems administrators).
Building Container Images
Implementing cryptographic operations to enhance application security can be complex. Developers benefit from tools which make this task easier, and that provide an approved reference architecture to follow. Therefore, nCipher provides a set of standard scripts that enable supported integration with and connection to certified nShield HSMs in a streamlined and repeatable way. This reduces development times while using a tested process for delivering high assurance application security.
With these scripts, application developers can easily include the necessary nShield libraries for use with their PKCS11 or Java programs inside container images. Alternatively, off-the-shelf container images provided by third parties can be extended to include such libraries to enable their use with nShield HSMs. Typically this would form part of a CI/CD (continuous integration, delivery and deployment) pipeline so as to allow new versions or iterations of applications to be created with the same capabilities integrated.
Another container image is built with the nShield hardserver to enable and manage the connection to one or more nShield HSMs. These standardized images are stored in the normal enterprise container registry, and can be launched into any compatible container runtime.
Running Containerized Applications in OpenShift
One or more application containers are deployed into a pod alongside an instance of the hardserver container. The latter is supplied with details of the nShield HSM(s) to connect to (which can be in private or co-located hosting, or nShield as a service); while the application containers mount the corresponding Security World files from suitable persistent volume storage. Security World is nShield’s unique key management architecture, which establishes a logical security boundary for deploying and operating a group of nShield HSMs. This ensures interoperability across the organization’s HSM estate and affords rapid scalability.
Different applications and/or versions of the same application can share HSMs in the same Security World, making use of the same or their own application keys – which can be permanent or temporary depending on the volume/storage mapping configured.
nShield HSMs can support OpenShift development at any scale and with flexible or dynamic provisioning. Rather than upgrading servers or virtual machines, new application versions are deployed typically alongside and then instead of older versions with traffic distributed using included or external load balancers.
Increased application security
Using the nShield container option pack with Red Hat OpenShift, developers and operations teams can easily integrate their new or existing applications with nShield HSMs in a way that is straightforwardly accessible from contemporary containerized deployments. There is no need to install or configure software and appliances, meaning a much faster “time-to-security.” Instead of leaving potentially valuable application keys vulnerable, they are safely generated and used only within the HSM’s protected and certified boundary.
nShield HSMs are also highly scalable, which make them a good companion for use with large or dynamically deployed containerized application architectures and allows developers to increase capacity with confidence. For implementations leveraging the subscription-based nShield-as-a-Service, the maintenance and management of the HSM itself is offloaded from the IT team.
The integration of the nCipher nShield with Red Hat OpenShift enables projects to be implemented with a new level of security that delivers the scale and flexibility needed for today’s enterprise applications.