This is a guest post by nCipher's senior sales engineer, Oli Wade.
The purpose of the blog is to introduce you to incorporating high assurance cryptographic security with hardware security modules (HSMs) into your Red Hat OpenShift projects. Since this might be new territory for some in the developer community, I’ll take a moment to explain what an HSM is.
An HSM is a specialized hardware device that is designed for the purpose of protecting encryption keys and conducting cryptographic processes such as creating digital signatures. Keys are generated according to strict security standards and based on an internal high-quality entropy source. HSMs are robust, tamper-resistant devices that incorporate innovative security features to ensure the protection of sensitive key material.
The alternative to using an HSM is to store encryption keys in software – which can be risky since skilled attackers can identify critical key material based on its unique, random characteristics. High value keys should be protected to the best achievable standards, since their loss might cause considerable financial and reputational damage – as well as a compliance violation. HSMs provide this protection and many are certified to internationally-recognized standards like FIPS 140-2 and Common Criteria, while also being recognized by security auditors as an effective tool to mitigate cyber risk.
Applications in a containerized architecture are built, deployed and operated with contemporary methods including orchestration and dynamic scalability. These advancements bring challenges when it comes to including integration with HSMs, in a way that is compatible with this type of modern workflow. This is because applications that rely on HSMs historically require installation of special supporting software and libraries, plus manual configuration of both the server and the HSM to enable secure connections to be made between them.
Now, thanks to the integration of nCipher nShield HSMs with OpenShift, it is possible to easily incorporate highly scalable crypto operations into your containerized application architecture.
Before discussing how to integrate nShield HSMs with OpenShift, it may be instructive to consider visually where the HSM fits in the context of the OpenShift platform:
As depicted in the diagram above, the nShield HSM is an external component accessed over the network. It provides highly available and scalable certified crypto offload for protecting valuable key material – so that it is never exposed within the containerized architecture or platform (where it might be observed or captured by systems administrators).
Building Container Images
Implementing cryptographic operations to enhance application security can be complex. Developers benefit from tools which make this task easier, and that provide an approved reference architecture to follow. Therefore, nCipher provides a set of standard scripts that enable supported integration with and connection to certified nShield HSMs in a streamlined and repeatable way. This reduces development times while using a tested process for delivering high assurance application security.
With these scripts, application developers can easily include the necessary nShield libraries for use with their PKCS11 or Java programs inside container images. Alternatively, off-the-shelf container images provided by third parties can be extended to include such libraries to enable their use with nShield HSMs. Typically this would form part of a CI/CD (continuous integration, delivery and deployment) pipeline so as to allow new versions or iterations of applications to be created with the same capabilities integrated.
Another container image is built with the nShield hardserver to enable and manage the connection to one or more nShield HSMs. These standardized images are stored in the normal enterprise container registry, and can be launched into any compatible container runtime.
Running Containerized Applications in OpenShift
One or more application containers are deployed into a pod alongside an instance of the hardserver container. The latter is supplied with details of the nShield HSM(s) to connect to (which can be in private or co-located hosting, or nShield as a service); while the application containers mount the corresponding Security World files from suitable persistent volume storage. Security World is nShield’s unique key management architecture, which establishes a logical security boundary for deploying and operating a group of nShield HSMs. This ensures interoperability across the organization’s HSM estate and affords rapid scalability.
Different applications and/or versions of the same application can share HSMs in the same Security World, making use of the same or their own application keys – which can be permanent or temporary depending on the volume/storage mapping configured.
nShield HSMs can support OpenShift development at any scale and with flexible or dynamic provisioning. Rather than upgrading servers or virtual machines, new application versions are deployed typically alongside and then instead of older versions with traffic distributed using included or external load balancers.
Increased application security
Using the nShield container option pack with Red Hat OpenShift, developers and operations teams can easily integrate their new or existing applications with nShield HSMs in a way that is straightforwardly accessible from contemporary containerized deployments. There is no need to install or configure software and appliances, meaning a much faster “time-to-security.” Instead of leaving potentially valuable application keys vulnerable, they are safely generated and used only within the HSM’s protected and certified boundary.
nShield HSMs are also highly scalable, which make them a good companion for use with large or dynamically deployed containerized application architectures and allows developers to increase capacity with confidence. For implementations leveraging the subscription-based nShield-as-a-Service, the maintenance and management of the HSM itself is offloaded from the IT team.
The integration of the nCipher nShield with Red Hat OpenShift enables projects to be implemented with a new level of security that delivers the scale and flexibility needed for today’s enterprise applications.
About the author
Red Hatter since 2018, technology historian and founder of The Museum of Art and Digital Entertainment. Two decades of journalism mixed with technology expertise, storytelling and oodles of computing experience from inception to ewaste recycling. I have taught or had my work used in classes at USF, SFSU, AAU, UC Law Hastings and Harvard Law.
I have worked with the EFF, Stanford, MIT, and Archive.org to brief the US Copyright Office and change US copyright law. We won multiple exemptions to the DMCA, accepted and implemented by the Librarian of Congress. My writings have appeared in Wired, Bloomberg, Make Magazine, SD Times, The Austin American Statesman, The Atlanta Journal Constitution and many other outlets.
I have been written about by the Wall Street Journal, The Washington Post, Wired and The Atlantic. I have been called "The Gertrude Stein of Video Games," an honor I accept, as I live less than a mile from her childhood home in Oakland, CA. I was project lead on the first successful institutional preservation and rebooting of the first massively multiplayer game, Habitat, for the C64, from 1986: https://neohabitat.org . I've consulted and collaborated with the NY MOMA, the Oakland Museum of California, Cisco, Semtech, Twilio, Game Developers Conference, NGNX, the Anti-Defamation League, the Library of Congress and the Oakland Public Library System on projects, contracts, and exhibitions.
More like this
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit