Keysafe - Security



Hi Team,

We would like to start using the integrations in our instance, but our security team has some questions about Keysafe:

(1) How are keysafe stored credentials protected from unauthorised access?
(2) How are credentials destroyed?
(3) What activity audit logs for keysafe operations are available?
(4) What independent report of assurance/testing of keysafe security can be provided? (pentest summary, SOC2 Type 2, etc.)
 
I wonder if someone could help us get our internal security approval by helping us work through the above?
 
many thanks
Andy

@AndyGilly

Please see my initial answers below

(1) How are keysafe stored credentials protected from unauthorised access?
Every instance has a secret private key. Credentials put into keysafe are stored in a database table, but they are encrypted using both a random nonce and the instance private key, using AES256 encryption. This means that an encrypted key stored on an instance is inaccessible without the corresponding instance private key.
You can only create/change/delete and use credentials if you are an administrator and are given the appropriate rights to do so. 
 
(2) How are credentials destroyed?
When you delete a credential from key-safe the encrypted data is permanently deleted from our systems. 
 
(3) What activity audit logs for keysafe operations are available?
Keysafe provides limited logging, in the EspServerService.log of your instance, under the [security] type. No credentials information is ever written to any log file. 
 
(4) What independent report of assurance/testing of key-safe security can be provided? (pentest summary, SOC2 Type 2, etc.)
Unfortunately none at present. I will add it to our list of things to review to see what viable options we have with regards to independent assurance.

Further to that, one other thing we have paid very close attention to is how we apply the use of credentials. Obviously once we need a credential, let's say for ITOM to run a job on a remote computer, the credential is read from the keysafe store into the server's memory; once there it is considered "in flight". All credential data remains encrypted until the very last moment of use. Credential data is never stored or written to any file on any computer system; it is simply transported on the wire, passed to the relevant API at the point of use, and then discarded.
 
Hope that helps.
Gerry

 


Morning @Gerry

A couple more questions from the security team, in red below. I'd appreciate it if you could help with the answers.

(1) How are keysafe stored credentials protected from unauthorised access?
Every instance has a secret private key. Credentials put into keysafe are stored in a database table, but they are encrypted using both a random nonce and the instance private key, using AES256 encryption. This means that an encrypted key stored on an instance is inaccessible without the corresponding instance private key.
You can only create/change/delete and use credentials if you are an administrator and are given the appropriate rights to do so. 
 
Who has access to the Wessex Water instance private key, who generated it, and where is it held?

(3) What activity audit logs for keysafe operations are available?

Keysafe provides limited logging, in the EspServerService.log of your instance, under the [security] type. No credentials information is ever written to any log file. 

Can we see details/spec of what gets recorded in EspServerService.log under [security]?

(4) What independent report of assurance/testing of key-safe security can be provided? (pentest summary, SOC2 Type 2, etc.)

Unfortunately none at present. I will add it to our list of things to review to see what viable options we have with regards to independent assurance.
OK, noted that the website FAQs state: “…As well as frequent tests undertaken by Hornbill we utilise external security companies to validate our results and services at least annually. Results of tests are available on request.”

Please can I see a copy of the most recent test results/summary and any agreed remediation actions and timescales?


Further to that, one other thing we have paid very close attention to is how we apply the use of credentials. Obviously once we need a credential, let's say for ITOM to run a job on a remote computer, the credential is read from the keysafe store into the server's memory; once there it is considered "in flight". All credential data remains encrypted until the very last moment of use. Credential data is never stored or written to any file on any computer system; it is simply transported on the wire, passed to the relevant API at the point of use, and then discarded.

Can we have separate AD credentials created in KeySafe for the purpose of separate types of operations? E.g.:

  • a credential specific for automating group permissions (for auto sw install/deinstalls)

  • a different credential for the purpose of automating user permissions (for user creation, suspension, deletion). 

many thanks 
Andy


@AndyGilly

Who has access to the Wessex Water instance private key, who generated it, and where is it held?

The key is generated by our systems as part of the instance provisioning process, it is stored in our CMDB in encrypted form.  Only our cloud operations team have access to this key.

Can we see details/spec of what gets recorded in EspServerService.log under [security]?

Yes, in the admin tool go to the logging section, click the EspServerService.log file to view it, and then click the "security" filter.

Please can I see a copy of the most recent test results/summary and any agreed remediation actions and timescales?

We do general service penetration testing, and under NDA I can make this report available to your security folks; please PM a contact email and I can organise getting an NDA sent out for signature. However, I would note the original question related to specific testing of KeySafe functions; there is no specific testing of KeySafe other than the edge security and access controls that prevent access to the system in the first place.

Can we have separate AD credentials created in KeySafe for the purpose of separate types of operations? E.g.:

  • a credential specific for automating group permissions (for auto sw install/deinstalls)
  • a different credential for the purpose of automating user permissions (for user creation, suspension, deletion). 

Yes, you can have as many credentials locked away in key-safe as you need, and then use a credential for each and every integration if you like. The whole purpose of the KeySafe feature is to remove the ability for people designing business processes, using services and integrations, to see any credentials at all. The trusted person creates the credential; everyone else that has permission can use it but not see it, change it or do anything else with it.

Gerry


Morning @Gerry

Apologies, a couple more requests from security below in green:

1) Who has access to the Wessex Water instance private key, who generated it, and where is it held?

The key is generated by our systems as part of the instance provisioning process, it is stored in our CMDB in encrypted form.  Only our cloud operations team have access to this key.

 

Does this mean that the cloud operations team could utilise the private key to unencrypt credentials held in the customer’s KeySafe? If yes, are there plans to allow customers to generate/maintain their own private key in future?

 

Can it be confirmed that our instance is only hosted in Europe and not North America?

 

2) Please can I see a copy of the most recent test results/summary and any agreed remediation actions and timescales?

We do general service penetration testing, and under NDA I can make this report available to your security folks; please PM a contact email and I can organise getting an NDA sent out for signature. However, I would note the original question related to specific testing of KeySafe functions; there is no specific testing of KeySafe other than the edge security and access controls that prevent access to the system in the first place.

I would like to review the PT report; my contact details can be used for sending the NDA over. Thanks

 

 

<information removed by forum admin>

 

thanks

Andy


@AndyGilly please, for future reference, exercise more caution when posting on forums. I remind you that Hornbill forums are open to the general public, meaning the general public has read access to our forums. Therefore please be mindful of what information you post. I am sure your colleague won't be particularly happy if they start to receive unsolicited emails all of a sudden. I have removed this information from your latest reply.

 

 


@AndyGilly

Does this mean that the cloud operations team could utilise the private key to unencrypt credentials held in the customer’s KeySafe? If yes, are there plans to allow customers to generate/maintain their own private key in future?

Well, it's definitely technically possible for a small number of Hornbill staff to pick apart a key and then make use of it. However, only a very limited number of people would have such access, and actually you would need more than one person to do this together, as we store credentials which themselves are encrypted using an instance-specific key, and the instance-specific keys are themselves encrypted by a system-wide key. There are a lot of steps to get back to the credentials, and while technically possible, we feel our multi-encryption approach and our information security management controls make it entirely impractical to do under any reasonable circumstance.

Can it be confirmed that our instance is only hosted in Europe and not North America?

Absolutely, that is the case. Each customer instance is domiciled entirely in the political entity that's most appropriate for them. Our US customers' servers are physically in the US, EU customers' servers are in the EU, and depending on how it goes with the outcome of the "Brexit Deal" the UK may well become independent of the EU in terms of data sovereignty. It would be entirely irresponsible of us as a SaaS service provider to do it any other way.

I would like to review the PT report; my contact details can be used for sending the NDA over. Thanks

Ok, I will ask someone to organise it.

Gerry
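The two-layer scheme described in this thread (each credential encrypted under a random nonce and an instance-specific key, with the instance keys themselves encrypted by a system-wide key) as an added illustration; this is example code written for this page, not Hornbill's implementation, and the use of AES-256-GCM, the key sizes, the nonce-prefixed record layout and the function names are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is an AES-256 key; fixing the size makes cipher construction infallible.
type Key [32]byte

func gcmFor(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)  // cannot fail for AES's 16-byte block
	return gcm
}

// seal encrypts plaintext under k with a fresh random nonce, prefixed to the output;
// reusing a nonce under the same key would break GCM, hence one random nonce per record.
func seal(k Key, plaintext []byte) ([]byte, error) {
	gcm := gcmFor(k)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a modified blob fails GCM authentication.
func open(k Key, blob []byte) ([]byte, error) {
	gcm := gcmFor(k)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// UseCredential is the point-of-use path: the system-wide key unwraps the
// instance key, and only that unwrapped key can decrypt the stored credential.
// Storing a credential is the same unwrap followed by seal(instanceKey, secret).
func UseCredential(systemKey Key, wrappedInstanceKey, blob []byte) ([]byte, error) {
	raw, err := open(systemKey, wrappedInstanceKey)
	if err != nil || len(raw) != len(Key{}) {
		return nil, errors.New("instance key unwrap failed")
	}
	var instanceKey Key
	copy(instanceKey[:], raw) // plaintext instance key exists only within this call
	return open(instanceKey, blob)
}
```

Holding the encrypted database table alone (the blobs) or the wrapped instance key alone is not enough to recover a credential; both layers must be unwrapped in order, which is the property the thread relies on.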

 
