
Pivotal Cloud Cache 1.5 Adds TLS, Secrets Management with CredHub to Keep Your Cache Secure

Enterprises are always looking for ways to stay ahead of bad actors who attempt to hack into systems and access highly sensitive information. If you want to stay one step ahead of cyber criminals, you need to remain forever vigilant.

Let’s talk about two common attack vectors. Attackers can intercept sensitive data as it crosses an enterprise’s network. Or they can steal credentials that are stored somewhere in the system. Either path can lead to unauthorized access to Personally Identifiable Information (PII) and other sensitive information.

With Pivotal Cloud Cache (PCC) v1.5, now generally available, we address both of these attack vectors by adding Transport Layer Security (TLS) for connections to the cache, and integration with CredHub, the credentials management system for Cloud Foundry.

Let’s take a closer look at these two capabilities. Since the TLS setup relies on CredHub to hold the CA and issue certificates, we start with CredHub.

Secrets Management via CredHub

Long-time Pivotal Application Service users know that CredHub provides a centralized place to generate, encrypt, and control access to secrets, with every access logged. Having credentials securely stored in one place reduces the possibility of leaks, which can be catastrophic.

We’ve now brought the benefits of CredHub to PCC 1.5. When you bind PCC to your application, the credentials generated by the service broker are now encrypted and stored directly in CredHub. Previously, they were stored in clear text. Platform operators gain the benefits of centralized credential management, and developers who use PCC with their applications follow security best practices by default.

Centralized credential management also has several efficiency benefits. Manually generating and managing credentials becomes impractical as your system grows. Centralization removes duplicated effort across the components of the platform, and a consistent approach means that credential-handling logic does not have to be re-implemented in several places. Change management becomes much easier as well. A key part of managing change is rotating credentials frequently, an important practice discussed under “What’s Next” below.

Secure Communications via TLS

CredHub plays a key role in how a Certificate Authority (CA) is generated and used throughout the platform. It works like this. First, an operator enables TLS. Then, when the operator provisions a PCC cluster, CredHub generates a server certificate, signed by the platform CA, so that apps and clients can establish an encrypted connection with the PCC service instance and verify that they are talking to the genuine instance.

Historically, teams have used IPsec for encryption in transit. Now, you have the option to use TLS. Use it, and the traffic between your applications and the cache is encrypted and authenticated, so data in motion is protected on the network. (Data at rest is a separate concern that TLS does not address.) TLS can also help you comply with regulatory requirements that call for encryption in transit.

Getting Started with TLS in PCC

Before you can use TLS, you’ll need to complete a few setup and configuration steps. The platform-level steps can be completed without downtime; existing applications do need to be re-bound, as described below.

Initial Setup & Provisioning TLS

First, prepare your Pivotal Application Service (PAS) foundation for TLS. This has to be done only once per foundation. CredHub needs a Certificate Authority (CA): either provide one (typically from your enterprise public key infrastructure) or let CredHub generate one for you. With the CA in place, each platform service can be deployed with its own server certificate signed by that CA, and the CA certificate is distributed across the platform. When the PCC service presents its server certificate, a client can verify that the certificate was signed by a CA it trusts, and that it was issued for the host the client intended to reach, before sending anything across the channel.
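The trust relationship just described, modelled with openssl as an added example (this is not code from the original post or from Pivotal): a foundation CA signs the server certificate that a PCC instance presents, and a client holding only the CA certificate decides whether to trust what it is shown. The CA labels, the hostname pcc-cluster.example.internal and all file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a foundation CA, a server certificate
# signed by it, a look-alike certificate from an untrusted CA, and the client-side
# check that separates the two. All names and hostnames below are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. In a real foundation this is the CA you hand to CredHub
# or let CredHub generate. $1 is a short label used for the file names.
make_ca() {
  local name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Issue a server certificate for host $2, signed by CA $1, written to $3.pem / $3.key.
# This is the step CredHub performs when a TLS-enabled PCC cluster is provisioned.
issue_server_cert() {
  local ca="$1" host="$2" out="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$out.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORK/$out.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$out.ext" -out "$WORK/$out.pem" 2>/dev/null
}

# The client side of the handshake reduced to its two trust decisions: does the
# presented certificate ($2) chain to the CA the client was given ($1), and was it
# issued for the host the client meant to talk to ($3)? Returns 0 only if both hold.
client_trusts() {
  local ca="$1" cert="$2" host="$3"
  openssl verify -CAfile "$WORK/$ca.pem" -verify_hostname "$host" \
    "$WORK/$cert.pem" >/dev/null 2>&1
}

# Builds the scenario and prints one verdict per case so the block runs on its own.
run_demo() {
  local host="pcc-cluster.example.internal"
  make_ca foundation-ca                        # the CA distributed to every client
  issue_server_cert foundation-ca "$host" pcc  # the certificate the real cluster presents
  make_ca rogue-ca                             # an attacker's own CA ...
  issue_server_cert rogue-ca "$host" rogue     # ... issuing a cert for the same hostname

  for c in pcc rogue; do
    if client_trusts foundation-ca "$c" "$host"; then
      echo "$c.pem for $host: trusted"
    else
      echo "$c.pem for $host: rejected"
    fi
  done
  # Even the genuine certificate is rejected when the client meant to reach another host.
  if client_trusts foundation-ca pcc other-service.example.internal; then
    echo "pcc.pem for other-service.example.internal: trusted"
  else
    echo "pcc.pem for other-service.example.internal: rejected"
  fi
}

run_demo
```

The rogue certificate carries the same CN and SAN as the genuine one; the only thing that tells them apart is the signature chain back to the CA the client was given, which is exactly why the CA must be distributed to clients through a trusted path rather than fetched from the service itself.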

For Developers: Using TLS

For developers, opting into TLS is straightforward for new apps, while existing apps need some modification. Java and Spring apps must be updated to work with TLS-enabled clusters, and to activate TLS for them you need to stop the application and re-bind it to the service instance.

What’s Next – Credential Rotation

Securing your infrastructure is a race against time. Bad actors need time to break into a system and reach sensitive information. A good strategy for repelling them is to rotate credentials frequently (daily or more often), so that a stolen credential becomes useless soon after it is taken. This becomes viable only when rotation is automated and can be carried out without downtime or disruption to operations. CredHub lets developers and operations staff maintain security without disrupting continuous code deployment, so there is no trade-off between modern, agile development and delivery practices and the security of the platform.

An example of where credential rotation could have helped is the recent SWIFT banking system hack, in which attackers were able to use stale credentials to access sensitive data. Making credentials useless after a short period may have prevented it.

Credential rotation involves many steps. Automation removes the complexity and the errors of doing them by hand, which makes teams rotate more often and shrinks the window in which a stolen credential is useful in key parts of the system, including PCC.

Cross-Cutting Work to Simplify How You Manage Backing Services

Both of these enhancements are in line with our efforts to adopt standardized approaches across our platform services. We added these enhancements to our MySQL and RabbitMQ services, and now we’ve done the same for PCC. Standardization across the platform allows developers and operators to be more productive by eliminating the need for learning different approaches for each service. In addition to supporting an increasing number of platform services, CredHub is extensively utilized by BOSH, CF Application Runtime, and Concourse.