Abstract:

Have you encountered any of the following scenarios in your application deployment environment?

  • Sensitive information (such as database connection strings and passwords) is stored in configuration files on production servers.
  • Sensitive information is packaged into configuration files inside the software project and published to every environment.
  • In Docker orchestration, sensitive information is stored directly in environment variables.

If any of the above situations exist in your production environment, and you are now preparing to address data leakage in production, you may want to read this document to see how to improve your current situation from a configuration perspective.

To understand the potential threat, read through:

  • Cloud breach: More than 14 million Verizon customers were exposed
  • Cica security lists the top 10 data breaches of 2017

To understand the requirements, read through:

  • Equal-assurance information security technology Information system security level protection basic requirements level 3
  • Note: There are five levels of protection. The third level is defined as: “If the information system is damaged, it will cause serious damage to social order and public interests, or cause damage to national security. The state information security supervision department shall supervise and inspect the security protection work of the information system at that level.” This level is now adopted by most enterprises.

A brief history of configuration development and an overview of security issues

In general, the history of configuration is shown below.



  • Static plaintext configuration: The original configuration mode, in which configuration lives locally as a plaintext file or as environment variables.
  • Plaintext configuration based on configuration center: With the rise of microservices and configuration center technology (Alicloud ACM, formerly known as Diamond; Ctrip Apollo; Baidu Disconf; Spring Cloud Config; etc.), configuration began to move to the configuration center.
  • Configuration center-based configuration security enhancement: The configuration center integrates various security tools to enhance configuration, such as AWS Parameter Store.

The security problems of the first two approaches are outlined below.

Static plaintext configuration security issues

Before distributed Internet architectures, early configurations were stored in static files. For example, database connection information (including passwords) was manually packaged for each environment (development, test, pre-release, production, etc.). As shown below:



The biggest problem with this deployment is that a large amount of sensitive information is stored in the configuration file, which makes the cost of obtaining sensitive data extremely low for development, test, and operations personnel alike. Although packaged deployment has kept evolving, from static file configuration to statically packaged per-environment deployment to container orchestration, the static file approach has not changed in essence. With the automation of deployment tools, its security problems have become even more exposed, for example:

  • In a multi-environment packaged release, the development project contains all of the application's sensitive information, which is easily accessible to internal staff.
  • A container orchestration system also holds all of the application's sensitive information. Most container orchestration systems pass sensitive information as environment variables, which appear in plain text inside the container and can be read directly from the environment.

Plaintext configuration center security issues

With the rise of the configuration center, more and more application configurations are being migrated to it. Typical configuration center products include Aliyun ACM (earlier called Diamond), Ctrip Apollo, Baidu Disconf, and Spring Cloud Config, as mentioned above.

The biggest advantage of the configuration center over the configuration file approach is that configuration can be modified and delivered dynamically, which decouples configuration from release. The other benefits of the configuration center and its various scenarios are not the focus of this article. If you are interested in the scenarios, see Configuration Center Usage Scenarios.

This section describes the impact of the configuration center on configuration security. A simple diagram of the configuration center where the configuration is stored is shown below.



The configuration center has the following impacts on application configuration security:

  • Configurations no longer need to be stored in plain text on the server. The application side stores only the configuration center connection information, which contains no sensitive data; all configuration details are stored in the configuration center. The application can also choose to keep the configuration entirely in memory instead of persisting it to the local hard disk, to prevent sensitive information from being leaked.
  • At the same time, sensitive information is stored in the configuration center. Hierarchical configuration ensures that administrators can access only the required configuration information.

Configuration management based on a configuration center solves the problem of sensitive information leakage in the production environment. But it raises another problem: the security of the configuration center itself. Looking across the product designs of the configuration centers above, almost all of them store the actual configuration in plain text. If the configuration center itself is breached, all sensitive information stored in it is compromised. In today’s cloud era, this is especially challenging for cloud vendors that provide configuration center services when they face security compliance audits such as equal-assurance level 3.

Configuration security hardening measures in ACM

Configuration security enhancement will become a critical requirement for configuration centers. Recently, Alicloud Application Configuration Management (ACM), itself a configuration center product, released an “encrypted configuration” function, which aims to let users store configuration in the configuration center more securely. The following sections describe the functional details.

ACM Encryption Configuration Management Design Overview

Alicloud Application Configuration Management (ACM for short) added a configuration security function in a recent release. It works mainly by integrating with a series of related security products to provide so-called “secure configuration” for users, with the goal of thoroughly solving the configuration center security problem described above. ACM's approach is similar to that of other industry-leading configuration center products (such as AWS Parameter Store): ACM does not solve the security problem by itself, but integrates with surrounding security products. ACM's own security matters too, of course, but to avoid being both athlete and referee, and to avoid making users feel that all their eggs are in one basket, it is objectively important to integrate with neutral security products. Let’s take a closer look at how ACM does it.

Ali Cloud ACM solves this problem by combining the RAM and KMS products. To help readers understand these three products, they are introduced below:

  • Application Configuration Management (ACM), formerly known as Diamond, is an application configuration center product. With it, you can greatly reduce the workload of configuration management and enhance the service capability of configuration management in microservice, DevOps, and big data scenarios.
  • Key Management Service (KMS) is a secure and easy-to-use management service. You do not need to spend a lot of money to protect the confidentiality, integrity, and availability of your keys. With the key management service, you can use keys safely and conveniently, and focus on developing the encryption and decryption scenarios you need.
  • Resource Access Management (RAM) is a stable and reliable centralized access control service. Through access control, you can assign access and management rights on Ali Cloud resources to your enterprise members or partners.

The following describes the roles of the three products in ACM encryption configuration.

  • ACM: Stores and delivers configurations. In the encrypted configuration solution, however, ACM hands most of the security functions over to KMS. Configurations stored on the ACM server are encrypted by KMS, and the ACM server does not directly provide a decryption function, which greatly improves configuration security. When an encrypted configuration is read, it is finally decrypted by invoking KMS on the ACM client.
  • KMS: Provides encryption and decryption services for users. When configuring KMS-based encryption and decryption in ACM, you can specify a customized key pair or use the default KMS key pair provided by ACM to simplify management.
  • RAM: In the product system of Ali Cloud, each product has its own service account. That is, the ACM console itself has no way of accessing the user’s KMS key configuration. However, users need to encrypt configurations on the ACM console for convenient configuration and management. Therefore, the ACM console must hold the minimum operation permission on the user’s KMS key pair. This is achieved through RAM role authorization in the Ali Cloud security system.

In the following sections, we will take a look at how ACM handles configuration security.

ACM encryption configuration principles

The core idea of ACM encryption configuration is to use KMS to encrypt and decrypt configurations. The details follow.

User Commissioning Process

This section describes how to use the ACM encryption configuration function. As shown in the figure below.



The steps are described as follows:

  • Enable ACM; this is a given.
  • Enable KMS; this is also a given.
  • In RAM, grant ACM a minimal-permission role that can access the user’s KMS encryption. This step is critical; otherwise ACM, as a separate product, cannot use the keys in the user's KMS.

Writing an encrypted configuration on the ACM console

The following figure shows the process of writing encryption configurations on the ACM console:



Detailed steps:

  1. The user writes a configuration on the ACM console and marks it as an encrypted configuration.
  2. ACM identifies this configuration as an encrypted configuration that depends on the user’s KMS key. ACM then invokes RAM and, after authentication, obtains the user’s minimal-permission role that can access KMS encryption.
  3. ACM uses this role to invoke the KMS API and encrypts the configuration with the user’s KMS key pair.
  4. The ACM console stores the encrypted configuration in the ACM configuration database.

As can be seen from the above process,

  • ACM saves all such configurations in ciphertext and does not store the key. Therefore, the plaintext cannot be obtained from ACM even if the configuration information is leaked.
  • ACM uses RAM authorization to operate on users’ KMS keys. The authorized role only allows ACM to perform operations related to configuration encryption and decryption; it carries no other permissions, such as deleting key pairs, which minimizes additional security risk.

In theory, users could do without the ACM console's encryption function: encrypt the configuration with KMS themselves and then write the result directly on the console. Of course, this brings big usability problems. In the design of the ACM encrypted-configuration write process, KMS is called through an authorized RAM role, which not only ensures security but also makes creating configurations much more convenient for users. It is a well-balanced compromise.

Reading an encrypted configuration from an application using the ACM SDK

The following shows how an application reads an encrypted configuration using the ACM SDK:



Detailed steps:

  1. The program reads the ACM configuration ID.
  2. The ACM ciphertext configuration is read.
  3. The ACM Client identifies the configuration as ciphertext; the KMS Client decrypts it transparently and returns the plaintext configuration.
  4. The program reads the plaintext configuration and connects to the database. The plaintext configuration is never written to disk, which ensures security.

As can be seen from the above process,

  • On the application side, the configuration does not contain any sensitive data and contains only one configuration item that the ACM Client needs to read.
  • In actual use, the ACM SDK packages ACM Client and KMS Client calls, and the specific call information is transparent to applications.
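The console write flow and the SDK read flow described above can be modelled in a few lines. This is an added example, not ACM, KMS or RAM code: `ToyKMS`, `ConfigCenter`, `client_read`, the role names, the key ID and the `encrypted` flag are all hypothetical stand-ins, and the cipher is a toy HMAC-based keystream used only so the sketch runs with the standard library.

```python
import hashlib, hmac, os

class ToyKMS:
    """Stand-in for KMS: keeps the key, checks the caller's role on each call.
    Uses a toy HMAC-SHA256 keystream (assumption, not a production cipher)."""
    def __init__(self):
        self._keys = {"user-key": os.urandom(32)}   # key never leaves this object
        self._roles = {"acm-console-role": {"Encrypt", "Decrypt"}, "app-role": {"Decrypt"}}

    def _check(self, role, action):
        if action not in self._roles.get(role, set()):
            raise PermissionError(f"{role} is not allowed to {action}")

    def _xor(self, key_id, nonce, data):
        stream, counter = b"", 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._keys[key_id], block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, role, key_id, plaintext):
        self._check(role, "Encrypt")
        nonce = os.urandom(16)
        return nonce + self._xor(key_id, nonce, plaintext)

    def decrypt(self, role, key_id, blob):
        self._check(role, "Decrypt")
        return self._xor(key_id, blob[:16], blob[16:])

    def delete_key(self, role, key_id):
        self._check(role, "DeleteKey")           # not granted to either role
        del self._keys[key_id]

class ConfigCenter:
    """Stand-in for the ACM server: stores ciphertext, holds no key, no read-side decrypt."""
    def __init__(self, kms):
        self._kms, self.db = kms, {}

    def console_write(self, data_id, value, encrypted):      # write flow, steps 1-4
        content = value.encode()
        if encrypted:
            content = self._kms.encrypt("acm-console-role", "user-key", content)
        self.db[data_id] = {"encrypted": encrypted, "content": content}

def client_read(center, kms, data_id):                        # read flow, steps 1-4
    record = center.db[data_id]                               # ciphertext from server
    if not record["encrypted"]:
        return record["content"].decode()
    # Decryption happens on the client side; the plaintext stays in memory only.
    return kms.decrypt("app-role", "user-key", record["content"]).decode()
```

Dumping `center.db` after an encrypted write shows only the nonce and ciphertext, which is the property the summary above relies on: a leak of the configuration database alone does not reveal the plaintext.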

Summary of ACM encryption configuration

As shown in the preceding sections, the ACM encryption configuration balances security and ease of use.

  • In terms of ease of use, encryption is transparent on both the server and the client, for configuration writes and configuration reads alike.
  • In terms of security, RAM and KMS integration ensures that the configuration is encrypted over a sufficiently secure channel and stored as ciphertext on the storage side.

The above practices better meet the current mainstream level 3 compliance goals and effectively meet the security needs of most enterprise users.

Further reading: Equal-assurance information security technology Information system security level protection basic requirements level 3



Make your configuration more secure on the cloud

As a configuration center focused on user configuration, ACM aims to keep user configuration secure in the era of moving to the cloud. On this basis, ACM and more Aliyun products will protect user configuration security through friendly integration. The scenarios will include but are not limited to:

  • Secure storage of configuration for container services.
  • Secure storage of configuration for flexible, scalable ECS deployments.
  • Secure storage of connection information for other PaaS services.
