Keep Your Data Out Of The Wrong Hands
- By Andrew Mitchell
- Published on June 9, 2016
We approach security from two angles: prevention and mitigation. Of course we do everything we can to prevent a breach, but we know that isn't enough. History has proven that the software we all depend on has vulnerabilities. We design systems with this reality in mind, and do everything we can to mitigate the damage if a breach occurs. Today we're asking for feedback on a product our R&D department is exploring, which will drastically reduce your exposure if your system is compromised.
TrueVault Keep protects your data with per-record authorization. This requires minimal changes to your existing codebase, and shifts the operational burden for securing and scaling your database to the TrueVault team.
The Dreaded Email
It's 3am and you're sitting at your computer, re-reading the email for the fiftieth time, hoping to escape the inevitable. You know when you hit send your million-plus users will all lose faith in your team and your product, because you're telling them that there is a chance their data was compromised in a breach last night because of a zero-day vulnerability in your web stack. The infuriating part is that you know only a fraction of this once-trusting group was actually compromised; your team shut down the exfil attack within minutes of noticing the DB load spike. There's no way the hackers got everything! But they cleaned their tracks well, and you have no way to know which -- or even how many -- records were compromised.
A Better Bad Day
There was nothing you could have done to prevent the breach (short of writing your own TLS stack in... not-C). You were hit by the zero day vulnerability fast. Even though your team responded quickly, the attackers had root on your API servers for 45 minutes. You have to face the music, and let your users know about the attack. You log into the TrueVault Keep console to pull up the tamper-safe audit logs, so you can find out exactly who to email. Look at that - they wasted 30 minutes trying to `select * from users` before they realized what was going on. Once they picked up on the User Auth Tokens attached to each query, they started to get some real data. There were 100 users actively making requests in that window, and 70 of them didn't read any sensitive data, they were just writing innocuous records.
It's not a great day by any stretch of the imagination. Losing data for 30 users is a big deal. All the same, it's hard not to feel relieved thinking about how bad it could have been if you weren't prepared. Without TrueVault Keep locking down your database access a lot more data would have been lost. And without the TrueVault Keep audit log, you wouldn't know exactly what was compromised. A mea culpa email to 30 users is no fun, but it won't kill your company the way an email to every user can.
We protect a lot of data with our BaaS product, but we know it's not the right fit for everything. That's why we're exploring TrueVault Keep, a drop-in solution to protect your database with minimal developer work. We talk to a lot of teams who care about security today, but didn't build it in from day one. This is a challenge, because there are very few products that provide real security (as opposed to theatrics) without invasive rewrites. Hearing this dilemma over-and-over has inspired TrueVault Keep: a drop-in product that can bolster the security of your existing (even legacy) system without pervasive changes. Here's how it works:
- You move your data to TrueVault Keep, a database enhanced with authorization logic that only allows authorized access to database records. No network traffic can reach your DB directly; it must all pass through The Keep.
- You tweak your authentication endpoint to generate a Keepsake - a cryptographically secure and short-lived access token for that user
- Using our SDKs and sample code, you pass these tokens along with your existing db calls with minimal changes to your existing data layer.
- You set the access-control predicates for each table in your database.
This simple setup process takes a few developer-days of guided effort, not months or years of meandering rewrites. We plan to support a wide array of modern databases, starting with a few high-demand products (informed, in part, by your feedback!)
TrueVault Keep addresses a very specific, very pernicious problem. In most companies, the API servers have very broad access to the database. A single set of credentials gives access to the whole data set, and we naively trust the API servers to only request the data it should. This trust goes out the window when the API server is breached, and suddenly your tight network security and minimal attack surface isn't all that secure. As long as the API server can hit MySQL on 3306, the attackers can access all the data any of your users could.
By focusing on this specific problem, and not an amorphous target of complete data security, we're able to deliver enormous value with little effort from your team. We don't solve every problem with this. We don't prevent attacks. We don't offer false-guarantees of iron-clad, bullet-proof data security. What we do is drastically reduce your exposure if your system is compromised.
We think this has a lot of value, but that's probably because it's our idea. We want to hear your feedback, good or bad. Please reply to our Hacker News post for this topic or shoot us a private email, keep at truevault dot com
Pending feedback, we plan to create an invite-only beta. Our Beta will have a minimal feature set, but the quality and security will be excellent from day one. If you're interested in signing up, send some info about your stack to beta at truevault dot com.