The HashiCorp Vault Production Hardening Tutorial is a masterclass of recommendations without getting into the gory details of how or why. But if you drill down on any of the 25+ hardening suggestions, you’ll find decade's worth of stories of bad things that have happened to good people (much of it documented here.)
Challenges of Traditional Linux Hardening
Linux hardening is more an art than a science, and administrators in large organizations often have the additional challenge of conforming to internal standards and requirements. Add to that the power and variety of use cases and configurations possible with HashiCorp Vault, and you are now in the deep end of the pool. But truthfully, that’s where you want to be. This is the fun stuff. These are the front lines in cybersecurity.
Simplifying Hardening with Confidential Computing
OK, so you want to harden your production Vault cluster; that’s a good idea. Let’s dive into the hardening recommendations from HashiCorp, summarized here:
- The basics
- use TLS, use firewalls, use NTP, single tenancy, user lockout, audit logging, shell history, stay current on patches, no clear text credentials, use standard input, disable SSH, use systemd, use SELinux or AppArmor
- Least privilege
- don’t run as root, minimal write privileges, restrict storage access
- Memory stuff
- disable swap, disable core dumps
- Vault-specific
- avoid root tokens, use safe plugins, non-deterministic file merging, tweak your ulimits
Advantages of Confidential Computing for HashiCorp Vault
That may look like a lot of work. And it is. And you want to get this right, right? But what if I told you that instead of earning a master’s degree in Linux security, you could accomplish your goal differently and with higher security using Confidential Computing with Anjuna Seaglass?
At the core of Confidential Computing are two critical capabilities: attestation of workloads and encrypted memory. Those two attributes will give you a significant advantage in your defense posture by mitigating two of the top risks in cyber: malware and memory attacks. Do you see above where HashiCorp recommends disabling swap and core dumps? There’s a good reason for that. Memory scanners are a major source of breaches, and you don’t have to take my word for it: just search the MITRE Framework, and you’ll see what I’m talking about. It’s the same with malware. You can do your best to enforce good practices with your software supply chain, but we are still exposed to significant risk due to the complex multi-step attacks which have evolved over the years.
Anjuna Seaglass: The Path to Smart and Safe Confidential Computing
Confidential Computing is designed to protect you from malware and memory attacks, and that’s good. But what about all of the other hardening recommendations in the HashiCorp tutorial? Let’s take a look at how Anjuna Seaglass uniquely addresses those risks. First, look at the topic of “least privilege.” You’ll see recommendations like “don’t run as root” - and that’s generally good advice. But with Anjuna Seaglass enabling your Confidential Compute node, you will no longer be concerned about lateral movement: there is no lateral movement. It’s not possible. The Anjuna Confidential Runtime provides only the resources and capabilities required to run your app, including apps like HashiCorp Vault. We lock down access, we provide the firewall, we enforce high-strength TLS, we enforce single tenancy, and we provide strong controls to mitigate a wide range of threats whether you’re running on-premises or in the cloud.
So, suppose you want to harden your environment for apps like HashiCorp Vault. In that case, Anjuna Seaglass can help simplify your journey, shorten your time-to-success, and provide ongoing defense against the ever-present CVEs and zero-days that tend to keep us up at night. We’d be happy to talk with you about this: just ask for a consultation with Anjuna and our experts will be happy to walk you through the “how exactly does this work?” part of the conversation. I’m confident that once you see the difference between old-school Linux hardening versus the pre-hardened environment you’ll get with Anjuna Seaglass, you’ll be on your way to smart and safe Confidential Computing.
Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.
Start Free