Context: How to ensure the same level of data security, whether at rest or in transit?
Lenstra was approached by the security department of a major financial institution with a complex infrastructure spanning both on-premises and cloud environments. As a company operating in a highly regulated sector and handling sensitive financial data, it must ensure robust security for data both at rest and in transit.
The challenge: Ensuring data security during migration without slowing down the process.
With the institution moving more applications to the cloud and deploying new services, it needed to adapt its approach to security. Specifically, its database clusters required mutual TLS (mTLS) authentication backed by a dedicated Certificate Authority (CA) to secure communications between nodes. However, the existing Public Key Infrastructure (PKI) service was not flexible enough to create that CA automatically when a new database cluster was deployed. The challenge was to implement a solution that could generate CAs dynamically and on demand, ensuring security without slowing down deployment.
A reliable and automated solution.
To address these challenges, Lenstra implemented a "PKI as a Service" solution using HashiCorp Vault, built on the Vault PKI secrets engine with Managed Keys to provide an automated and flexible PKI. Key features of the solution included:
- Dynamic Certificate Authority Generation: The HashiCorp Vault PKI engine was configured to dynamically generate new root and intermediate CAs as part of the automated deployment process for new database clusters.
- Integration with a Hardware Security Module (HSM): The solution used Vault's Managed Keys support, so that the CA private keys were generated and held inside a Hardware Security Module (HSM) instead of Vault's own storage. This strengthened the protection of the CA keys to the standard the security department required.
- Just-in-Time Automation: The new system was fully automated, creating a CA just in time whenever a new database cluster was deployed. The security infrastructure therefore scaled with the clusters themselves, without compromising security.
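The following Terraform module is an added example of the design just described; it is not Lenstra's or the client's code. It creates a dedicated root and intermediate CA for one database cluster, with both CA private keys backed by HSM-resident Vault Managed Keys, and a role for issuing node certificates usable on both sides of an mTLS handshake. It assumes Vault Enterprise (Managed Keys is an Enterprise-only feature), that the two managed keys have already been registered in Vault by the platform team (their names are passed in as variables), the hashicorp/vault Terraform provider, and a hypothetical internal DNS suffix for database nodes.

```hcl
# Added example, not the client's or Lenstra's code. One instance of this module
# per database cluster gives that cluster its own HSM-backed CA hierarchy.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

variable "cluster_name" {
  description = "Database cluster this CA belongs to (hypothetical, e.g. ledger-db-01)"
  type        = string
}

variable "root_managed_key" {
  description = "Name of a pre-registered Vault managed key (HSM) for the root CA (assumed to exist)"
  type        = string
}

variable "intermediate_managed_key" {
  description = "Name of a pre-registered Vault managed key (HSM) for the intermediate CA (assumed to exist)"
  type        = string
}

variable "vault_addr" {
  description = "Public address of the Vault cluster, used for AIA and CRL URLs (assumed value)"
  type        = string
}

variable "node_domain" {
  description = "DNS suffix under which cluster nodes are named (assumed value)"
  type        = string
  default     = "db.internal.example"
}

locals {
  root_path = "pki-${var.cluster_name}-root"
  int_path  = "pki-${var.cluster_name}-int"
  node_zone = "${var.cluster_name}.${var.node_domain}"
}

# Root CA mount. Only the named managed key may be used by this mount.
resource "vault_mount" "root" {
  path                  = local.root_path
  type                  = "pki"
  description           = "Root CA for ${var.cluster_name}"
  max_lease_ttl_seconds = 315360000 # 10 years
  allowed_managed_keys  = [var.root_managed_key]
}

# type = "kms" means the key pair lives in the HSM; Vault never holds the private key.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend          = vault_mount.root.path
  type             = "kms"
  managed_key_name = var.root_managed_key
  common_name      = "${var.cluster_name} Root CA"
  ttl              = "87600h"
}

# Intermediate CA mount, also HSM-backed, which signs the day-to-day node certificates.
resource "vault_mount" "int" {
  path                  = local.int_path
  type                  = "pki"
  description           = "Intermediate CA for ${var.cluster_name}"
  max_lease_ttl_seconds = 157680000 # 5 years
  allowed_managed_keys  = [var.intermediate_managed_key]
}

resource "vault_pki_secret_backend_intermediate_cert_request" "int" {
  backend          = vault_mount.int.path
  type             = "kms"
  managed_key_name = var.intermediate_managed_key
  common_name      = "${var.cluster_name} Intermediate CA"
}

# The root signs the intermediate's CSR; max_path_length = 0 stops the
# intermediate from issuing further CAs.
resource "vault_pki_secret_backend_root_sign_intermediate" "int" {
  backend         = vault_mount.root.path
  csr             = vault_pki_secret_backend_intermediate_cert_request.int.csr
  common_name     = "${var.cluster_name} Intermediate CA"
  ttl             = "43800h"
  max_path_length = 0
  depends_on      = [vault_pki_secret_backend_root_cert.root]
}

resource "vault_pki_secret_backend_intermediate_set_signed" "int" {
  backend     = vault_mount.int.path
  certificate = vault_pki_secret_backend_root_sign_intermediate.int.certificate
}

# Where relying parties fetch the issuing certificate and the CRL for this cluster.
resource "vault_pki_secret_backend_config_urls" "int" {
  backend                 = vault_mount.int.path
  issuing_certificates    = ["${var.vault_addr}/v1/${local.int_path}/ca"]
  crl_distribution_points = ["${var.vault_addr}/v1/${local.int_path}/crl"]
}

# Node certificates carry both serverAuth and clientAuth, as each database node
# is a TLS server to its peers and a TLS client when it connects to them.
# Names are confined to this cluster's DNS zone, so a node cannot obtain a
# certificate for another cluster's hosts from this CA.
resource "vault_pki_secret_backend_role" "db_node" {
  backend          = vault_mount.int.path
  name             = "db-node"
  allowed_domains  = [local.node_zone]
  allow_subdomains = true
  server_flag      = true
  client_flag      = true
  key_type         = "rsa"
  key_bits         = 2048
  ttl              = "168h" # 7 days
  max_ttl          = "720h" # 30 days: short-lived node certs limit the impact of a leaked key
  depends_on       = [vault_pki_secret_backend_intermediate_set_signed.int]
}

output "cluster_trust_anchor" {
  description = "PEM root certificate every node in this cluster must trust for peer verification"
  value       = vault_pki_secret_backend_root_cert.root.certificate
}
```

The cluster deployment pipeline instantiates this module once per cluster, so the CA exists before the first node starts. Node certificates are deliberately not created in Terraform: each node (or a Vault Agent beside it) requests its own certificate from the `db-node` role at `pki-<cluster>-int/issue/db-node`, so private keys are generated on the node and never pass through Terraform state. Nodes are configured to trust `cluster_trust_anchor` and nothing else, which is what confines mTLS to members of that cluster.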
A solution that provides autonomy, security, and operational efficiency for the client.
The implementation of PKI as a Service with HashiCorp Vault improved the financial institution's ability to manage its PKI. The automated, scalable, and secure solution let the institution maintain its security standards while accelerating its cloud adoption and service deployment. Key outcomes included:
- Increased Agility: The institution can now deploy new database clusters rapidly, with the necessary security measures automatically in place, supporting the organization's expansion without delays.
- Enhanced Security: By using an HSM for key management and automating the CA generation process, the solution ensured that all cryptographic operations were performed securely, reducing the risk of key compromise.
- Operational Efficiency: The automation of PKI management reduced the workload on the security team, allowing them to focus on higher-value tasks while maintaining a strong security posture.