Securing CI/CD With Confidential Computing
HUB Security's Confidential Computing Platform offers the ability to protect running applications from sensitive data exfiltration
CI/CD (Continuous Integration and Continuous Delivery/Continuous Deployment) is a method of delivering applications to end users on a regular basis by introducing automation in the continuous delivery and continuous use phases. Well-managed CI/CD solves the problems that integrating new code can cause for development and operations teams (AKA " integration hell") CI/CD automates and monitors applications throughout their lifecycle, from integration and testing to deployment and implementation. Collectively, these practices are referred to as "CI/CD pipelines" and are supported by development and operations as part of a DevOps or Site Reliability Engineering (SRE) approach.
Recently, CircleCI, a widespread continuous integration and delivery platform, fell victim to a data breach in which an attacker was able to compromise authenticated session tokens and to extract encryption keys from a running process. This not only put the encrypted data at risk but also exposed the company to various other potential threats. In this blog post, we will discuss how HUB Security's Confidential Computing platform can be used to prevent this type of breach and provide a more secure environment for any organization.
HUB Security's Confidential Computing Platform is designed to provide a secure computing environment for organizations working with sensitive data. The platform offers a variety of features that protect against data breaches, including hardware-based security, advanced cryptography, fire-walling, and access management.
The HUB Confidential Computing Platform protects running applications from sensitive data exfiltration, by inspecting all communications between the running environment and the outside world, ensuring that all traffic is authorized and authenticated The platform includes robust firewall capabilities that can be deployed at the individual server level to restrict traffic from unauthorized sources and protect against attacks from inside or outside the organization. It can encrypt data in transit and at rest - including with post-quantum cryptography - making it much more difficult for attackers to extract sensitive information.
The platform exposes secured digital copies of sensitive assets (such as applications, their data, and AI models) by creating cyber digital twins of those assets to prevent network attacks from reaching the actual asset and its crown jewels. It enforces format, number of requests over time, and content inspection. Using its built-in velocity rules, it detects and blocks abnormal data transfer patterns, such as a sudden spike in data transfer or an attempt to exfiltrate large amounts of data.
This can limit the damage an attacker can cause, even if they manage to extract sensitive data elsewhere that would otherwise enable further attacks. The platform’s authentication process goes beyond normal application authentication and extends it to any request made to the running application - in other words, any request to the application that is not itself authenticated (and optionally signed) would be prevented from reaching the application in the first place.
Last, but not least, it would be beneficial for an organization to use continuous security monitoring, including External Attack Surface Management ( e.g. HUB's eASM), to map and scan their organization and identify potential vulnerabilities. This can help an organization proactively identify and remediate security issues before they can be exploited by attackers.
In addition, with an incident response plan and incident response teams (e.g HUB’s IRP/IRT) in place, an organization can respond quickly and effectively to security incidents as they occur. HUB Security's Confidential Computing Platform and service offerings offer protection against data breaches and help to provide and assure a secure environment for sensitive applications and their data from various threats and reduce the risk of a data breach.