How to do Zero Trust with any Secret Store Service

Zero trust is a security model built on strict access control and on not trusting any component by default. That includes the secret store itself: whether you keep secret data in AWS Secrets Manager, Google Cloud Secret Manager, HashiCorp Vault, or in the product we are building at ParanoidGuy, Databunker, the store should not be the only thing standing between an attacker and your plaintext.

Why do companies need to employ Zero Trust?

Let's say you want to store very sensitive information, such as customer health information, a customer credit card or a social security number. You can simply use a secret store service from your cloud provider, or our Databunker service. That adds a level of security (let's ignore the network firewalls, anti-virus, intrusion prevention systems, WAF, etc. that can also be deployed). For your most sensitive information it might not be enough: anyone who obtains a valid access token, or a dump of the store's database together with its key, reads the plaintext. Paranoid guys like our team want an additional level of protection.

So, how do you do that?

This can be achieved by encrypting the sensitive fields on the client side, in your own application, before the record is stored in the secret store (i.e. in Databunker). The store then holds only ciphertext, and the encryption key lives somewhere else: in your application's key management (a KMS or HSM, or at least a key the application loads from its own configuration). To get at the data, a malicious actor needs both to dump your secret manager and to break into your infrastructure to obtain the key. Two caveats apply. Use an authenticated cipher such as AES-GCM, so that a modified ciphertext is rejected instead of being decrypted to garbage; and never keep the key in the same secret store as the ciphertext, which would collapse the two barriers back into one. Creating an additional barrier is one of the main security fundamentals.

Best practice for implementing Zero Trust with Databunker

Step 1. Get the original record to encrypt.

Suppose you want to store a customer profile that contains a credit card. For example:

  1. Customer name
  2. Customer email
  3. Credit card: number, CVV, expiration

In JSON, you will have a similar structure (the CVV appears here only to show the record shape; PCI DSS does not allow the CVV to be stored after authorization, even encrypted):

{
   "name":"Alex",
   "email":"alex-1@domain.com",
   "creditcard":{
      "number":"1234567890",
      "cvv":"1234",
      "exp":"11/28"
   }
}

Step 2. Configure the user schema (one time)

This is a recommended step. Databunker supports schema validation and enforcement for user records, extended with a few Databunker-specific tags. You can check the following resource for a detailed specification of the schema language itself:

https://json-schema.org/understanding-json-schema/index.html

Example of a user schema for the record above. Because the creditcard field will hold the ciphertext rather than the card object (see Step 3), the schema declares it as a string, and its length limits must fit the encoded ciphertext, which is longer than the plaintext it protects; the limits below allow 16 to 512 characters.

{
   "$id":"https://paranoidguy.com/schema/",
   "$comment":"user record",
   "title":"user record",
   "description":"user record",
   "type":"object",
   "required":[
      "name",
      "email",
      "creditcard"
   ],
   "properties":{
      "name":{
         "type":"string",
         "minLength":1
      },
      "email":{
         "type":"string",
         "minLength":1
      },
      "creditcard":{
         "type":"string",
         "admin":true,
         "minLength":16,
         "maxLength":512
      }
   }
}

Databunker supports a number of schema tag extensions that you can specify for an individual field:

  1. admin - a change to this field made by the user requires admin approval.
  2. locked - this field cannot be changed after creation, even by an admin user.
  3. preserve - this field is not deleted when the user is deleted.

Step 3. Encrypt the credit card and save it in Databunker.

Encrypt the credit card field in your client-side code, using a key that your application controls and that is never stored in Databunker. After the credit card is encrypted, the record looks like the following JSON (the value shown is an illustrative opaque string; a real ciphertext would be base64 or hex encoded):

{
   "name":"Alex",
   "email":"alex-1@domain.com",
   "creditcard":"ABC12344235ASDGGESDFF3532KKKKhH"
}

You can now save it into Databunker:

curl -s http://localhost:3000/v1/user -X POST \
  -H "X-Bunker-Token: ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Alex","email":"alex-1@domain.com",
       "creditcard":"ABC12344235ASDGGESDFF3532KKKKhH"}'

Output:

{"status":"ok","token":"31debb9e-64cf-616d-d8ae-c1b383c81e24"}

Afterwards, you can look up the user record by email (as below) or by the user token returned above.

curl -s -H "X-Bunker-Token: ACCESS_TOKEN" \
  -X GET http://localhost:3000/v1/user/email/alex-1@domain.com

You get back the record exactly as stored, with the credit card still encrypted:

{
   "name":"Alex",
   "email":"alex-1@domain.com",
   "creditcard":"ABC12344235ASDGGESDFF3532KKKKhH"
}

Finally, decrypt the credit card field on the client side with the same key, at the moment you actually need it, and keep the plaintext in memory only as long as required. If decryption fails (wrong key, or a modified ciphertext rejected by the authenticated cipher), treat the record as tampered with rather than falling back to the stored value.
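Steps 1 to 3 end to end, as an added example in Go (the language Databunker itself is written in) that is not part of this post or of Databunker's own code. The card object is encrypted on the client side with AES-256-GCM from the Go standard library, the customer e-mail is bound in as associated data, and the result is the JSON body for the curl POST above; DecryptRecord consumes the body returned by the GET. The demo key, the sample record and the field format (base64 of nonce, ciphertext and tag) are this example's own assumptions, not a Databunker convention; the Zero Trust argument above only requires that the key never reaches the store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Step 1 record (PlainRecord) and the shape actually stored in Databunker
// (StoredRecord), where creditcard is an opaque ciphertext string.
type (
	CreditCard struct {
		Number string `json:"number"`
		CVV    string `json:"cvv"`
		Exp    string `json:"exp"`
	}
	PlainRecord struct {
		Name       string     `json:"name"`
		Email      string     `json:"email"`
		CreditCard CreditCard `json:"creditcard"`
	}
	StoredRecord struct {
		Name       string `json:"name"`
		Email      string `json:"email"`
		CreditCard string `json:"creditcard"`
	}
)

// newGCM returns an AES-256-GCM AEAD; key must be exactly 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord serialises the card, encrypts it and returns the JSON body for
// POST /v1/user. The e-mail is passed as associated data, so the ciphertext
// cannot be transplanted into another user's record. The stored field is
// base64(nonce || ciphertext || tag); this format is an assumption of the example.
func EncryptRecord(key []byte, rec PlainRecord) ([]byte, error) {
	cardJSON, err := json.Marshal(rec.CreditCard)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, cardJSON, []byte(rec.Email))
	return json.Marshal(StoredRecord{Name: rec.Name, Email: rec.Email,
		CreditCard: base64.StdEncoding.EncodeToString(sealed)})
}

// DecryptRecord takes the body returned by GET /v1/user/email/<email> and
// recovers the profile. A wrong key, a changed e-mail or any modification of
// the ciphertext makes gcm.Open fail and the record is rejected.
func DecryptRecord(key []byte, body []byte) (PlainRecord, error) {
	var stored StoredRecord
	if err := json.Unmarshal(body, &stored); err != nil {
		return PlainRecord{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored.CreditCard)
	if err != nil {
		return PlainRecord{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return PlainRecord{}, err
	}
	if len(raw) < gcm.NonceSize() {
		return PlainRecord{}, errors.New("ciphertext too short")
	}
	cardJSON, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(stored.Email))
	if err != nil {
		return PlainRecord{}, err
	}
	var card CreditCard
	if err := json.Unmarshal(cardJSON, &card); err != nil {
		return PlainRecord{}, err
	}
	return PlainRecord{Name: stored.Name, Email: stored.Email, CreditCard: card}, nil
}

func main() {
	// Constructed 32-byte demo key; in production load it from your own
	// KMS/HSM or key store, never from the secret store holding the ciphertext.
	key := []byte("0123456789abcdef0123456789abcdef")
	rec := PlainRecord{Name: "Alex", Email: "alex-1@domain.com",
		CreditCard: CreditCard{Number: "1234567890", CVV: "1234", Exp: "11/28"}}
	body, err := EncryptRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body)) // the JSON body for the curl -d '...' call above
	back, err := DecryptRecord(key, body)
	fmt.Println(back.CreditCard, err)
}
```

Run it with go run; the printed JSON is what goes into the curl POST, and the GET response can be fed straight to DecryptRecord. Because the ciphertext is bound to the e-mail, someone who can write to Databunker cannot copy one customer's encrypted card into another customer's record, and any bit flip in the stored value makes decryption fail instead of yielding a corrupted card number. The flip side is that the schema from Step 2 only ever sees the ciphertext, so any validation of the card number format has to happen in your application before encryption.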

That's all folks, let me know what you think.