Demo Series: Prevent Databases From Exposing TLS Keys

Anjuna's Confidential Computing Platform
Published on
Feb 29, 2024
Avoid exposing your server’s TLS keys. Keep them safe with Anjuna's Confidential Computing Platform and increase your security posture.
https://www.anjuna.io/blog/demo-series-prevent-databases-from-exposing-tls-keys

TLS (Transport Layer Security) keys are vital data for encrypting and securing online communications, keeping transmitted data safe from prying eyes.

Because of the potential data that TLS keys secure, they are a prime target for attackers. With TLS keys in hand, an attacker can easily decrypt your server's inbound traffic or launch a man-in-the-middle attack, tampering with your communication without your knowledge.

Today, we conclude our exploration of how to protect a three-tier application by showing the vulnerabilities surrounding TLS keys in a database and what Anjuna Seaglass can do to protect your keys from falling into the wrong hands.

The TLS Key Vulnerability

Let's take a look at a simulated attack scenario and see how Anjuna Seaglass can keep your TLS keys from exposure.

In this scenario, an attacker has gained root access to a server running MariaDB. In the real world, this is a potential nightmare for any organization in this position because once the attacker gets into the server, they will attempt to locate and steal the server's private TLS keys. Since the keys are usually stored in plain text on a server's file system, they become all too easy targets.

Even when you've been careful enough to password-protect your TLS keys or store them within third-party secret stores — such as a vault or KMS (Key Management System) — there are still vulnerabilities to be aware of. Vaults and KMSs rely on protective measures like master keys or initial passwords, which can easily become compromised, resulting in your TLS keys becoming exposed. This challenge is usually called the "Secret Zero Problem," and it's a huge security risk if not properly addressed.

Anjuna's Solution: Secure Enclaves

An administrator can easily and quickly invoke the Anjuna Confidential Runtime, which protects data in use by leveraging the capabilities offered by top-of-the-line hardware in the cloud. By invoking the Anjuna Confidential Runtime, the administrator creates a secure enclave, an environment where the database can securely operate in a trustworthy, isolated environment. Even better, using this solution doesn't require you to overhaul the architecture of your existing database to take advantage of the extra security it provides.

Additionally, this solution also allows Anjuna Seaglass to securely store your server's TLS key within the Anjuna Policy Manager or another trusted secret store. In this scenario, Anjuna Policy Manager distributes your key to the trusted MariaDB exclusively, which is running inside the secure enclave. At no point in this process is the TLS key exposed to either the host or any potential attackers.

Anjuna’s Protection in Action

One more time, let's put Anjuna's protection to the test. This time, the attacker will not be able to locate the TLS key within the server's file system because (thanks to Anjuna) the key is stored securely in another location where it can't be exposed to attackers.

One more time, let's put Anjuna Seaglass’ protection to the test. This time, the attacker will not be able to locate the TLS key within the server's file system because (thanks to Anjuna Seaglass) the key is stored securely in another location where it can't be exposed to attackers.

Anjuna Seaglass provides a robust security solution that shields sensitive workloads and data, including your TLS keys, from prying eyes. With the power of confidential computing and secure enclaves, we virtually eliminate your database's secret zero vulnerability, keeping your sensitive data safe from even the most determined attackers.

Don't Compromise on Security — Try Anjuna Today!

Through Confidential Computing and secure enclaves, Anjuna Seaglass offers your database a wide range of security solutions to safeguard the many different components of a traditional three-tier application architecture, everything from web servers and databases to TLS keys. The Anjuna Seaglass platform offers a versatile and robust system of security that your database can't do without.

Elevate your organization's security posture and gain peace of mind about your sensitive data and assets.

Learn more about the capabilities of Anjuna Seaglass by signing up for our free trial.

More like this
Governance, zero trust, and data-in-use: What you need to know about NIST CSF 2.0
Governance, zero trust, and data-in-use: What you need to know about NIST CSF 2.0
Prevent Accidental Secret Breaches with Anjuna and GitLab
Is your security more like a seatbelt, or an elevator brake?
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free
Secrets Protection
Anjuna Platform and Features