White Paper

APRA CPS 230 compliance with The Infrastructure Cloud from HashiCorp

Published 4:00 AM UTC Sep 01, 2024

In today's complex regulatory landscape, understanding and adhering to APRA CPS 230 regulation is crucial for Australian financial institutions. This comprehensive white paper provides guidance on addressing many of the compliance requirements leveraging The Infrastructure Cloud from HashiCorp.

»Legal Disclaimer

The technical advice and guidance provided herein by HashiCorp in relation to complying with the regulations of the Australian Prudential Regulation Authority (APRA) is intended for informational purposes only. HashiCorp does not warrant or guarantee the accuracy, completeness, or suitability of this information for compliance purposes. It is the sole responsibility of the user to ensure that their use of HashiCorp products and services meets all applicable legal and regulatory requirements, including those set forth by APRA. Users are strongly advised to seek independent legal and professional advice to ensure compliance with all relevant laws and regulations. HashiCorp disclaims all liability for any damages or losses arising from the use or reliance on this information.

»Executive Summary

HashiCorp offers a comprehensive suite of solutions to address challenges in APRA CPS 230 compliance and its related regulation, APRA CPS 234. From HashiCorp Terraform for infrastructure provisioning, to HashiCorp Vault for secrets management, and HashiCorp Packer for vulnerability, patching and image lifecycle management, these tools streamline operations and cybersecurity, fortifying cloud infrastructure and enabling visibility and auditability to meet regulatory requirements end to end.

CPS 230 makes mention of CPS 234 Information Security. In practice, information security risks are operational risks. In alignment with the key principles of the standard, management of information security risks should be integrated into operational risk profiles. This guide provides an overview of how HashiCorp can contribute to financial institutions achieving CPS 230 and CPS 234 compliance.

This guide also details how HashiCorp supports subsets of CPS 234 (aligned with APRA PPG CPG 234). The HashiCorp products discussed in this guide are the commercially available versions which are a significantly stronger fit to APRA regulations than community editions.

Source documents:

APRA CPS 230 https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf

APRA CPS 234 (PPG 234) https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf

»APRA CPS 230 overview

Prudential Standard CPS 230 Operational Risk Management is intended to ensure that an APRA-regulated entity (authorized deposit-taking institutions (ADIs), general insurers, private health insurers, life companies, and registrable superannuation entities) are resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.

Key themes include being prepared for risk events, being resilient, and protecting the entity and the community. CPS 230 commences on 1 July 2025.

»Operational Risk Management

Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.

»Strategic areas of focus

Operational Risk Management: regulated entities need to conduct operational risk assessments, and design, implement and embed internal controls, along with processes to periodically test and remediate any identified weaknesses, and report risk incidents and near misses;
Business Continuity Management: evolve BCP to focus on maintaining all critical operations for an entities’ customers, be able to respond to disruptions and maintain critical operations such as payments, deposit-taking and management and customer enquiries;
Service Provider Management: include service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk including downstream providers (i.e. fourth parties), and;
Enhanced reporting requirements.

»Areas for Action

Additional Board Reporting*
Additional APRA Reporting Requirements*
Amended Contractual Agreements with Service Providers
Enhance Operational Risk Management*
Enhance Business Continuity Planning*
Enhance Management of Service Providers*

HashiCorp can support the actions noted with an asterisk.

»HashiCorp guidance: APRA CPS 230 Operational risk management

The opening sections of CPS 230 discussed authority, application and commencement, interpretation, adjustments and exclusions, key principles, risk management framework, and roles and responsibilities. Therefore this guidance commences from paragraph 25, Operational risk management. The section numbers correspond to the paragraph in the regulation.

APRA requirement

How HashiCorp helps

Operational risk management

In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS 234 Information Security (CPS 234).

While HashiCorp does not provide an asset management solution, HashiCorp Terraform tracks the creation and modification times of resources which can be used to infer the age of IT assets such as applications in the cloud, while HashiCorp Packer can also be used to build and (through Terraform) manage the lifecycle of machine images.

HashiCorp Consul can be utilised to help monitor the health of services running on your IT assets, providing insights into their operational status. Consul provides a registry for services, tracking all the services running in cloud infrastructure and their locations. Consul also allows health checks to be defined for each service, which could be anything from an HTTP endpoint to a script that runs on the service itself. Consul will continuously monitor the health of services using these checks and report discrepancies to a monitoring dashboard or alerting system to provide a comprehensive view of service health.

The APRA CPS 234 Information Security, via its Prudential Practice Guide, CPG 234, is also covered in this document.

An APRA-regulated entity must include an assessment of … the impact of new products, services, geographies and technologies on its operational risk profile.

Using Terraform, new cloud services are provisioned as secure and resilient by default, through code (infrastructure as code/policy as code principles), without manual processes that can weaken resiliency through human error. This makes the process of introducing new services, geographies or technology changes predictable, thereby making their impact assessment easier.

While HashiCorp doesn’t provide a direct impact assessment service here, the development of golden images, application and service modules and deployment workflows ensure that assessed and approved services can be adopted easily and enforced through policy as code.

An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.

HashiCorp Vault can be used to provide ephemeral secrets to third-party providers, including managed service providers, by leveraging its dynamic secrets feature. This feature allows Vault to generate short-lived, on-demand credentials that are unique to each application, machine, or user, reducing the risk associated with static, long-term credentials.

Prudential obligations can be met by implementing Vault with the following configurations:

Generate dynamic or ephemeral secrets that are created on demand for just-in-time access and configure these secrets to expire after a short period.
Configure namespaces within Vault to provide isolated environments for different teams or services, ensuring least privileged access.
Use Vault’s various authentication methods to verify the identity of users or services requesting access to secrets.
Integrate Vault with identity providers and services, ensuring authentication is centralised in Vault and usage can be centrally monitored.
Enforce centralised policy access management across different platforms, standardising best practices across the organisation.
Consolidate credentials, and detect and manage secret sprawl across multiple cloud service providers, automating secrets policies across services.
Setup Vault in multiple regions to support globally distributed applications and reduce latency to secrets.
Setup disaster recovery enabled Vault clusters to ensure business continuity.

An APRA-regulated entity must design, implement, and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.

HashiCorp contributes to internal controls to mitigate operational risks, with standardised workflows, policy as code, dynamic secrets, infrastructure drift detection, secrets scanning, PII and sensitive data encryption and protection, and OS updates at multi-cloud scale. HashiCorp products offer test and reporting functionality that will include all test results as well as deficiencies. Examples include unauthorised changes, misconfigurations, configuration drift, and unmanaged secrets. This is covered in more detail further on in this document.

An APRA-regulated entity must regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled.

HashiCorp products perform logging of all actions and events, providing auditable trails of all changes, uses, outdated versions & image explorer reports, plus Sentinel Policy validation, access audit logs, HashiCorp Boundary active session recording, Vault secret access audit logs and more. All these are ways to identify, record & address risks or potential risks.

Further, codifying infrastructure and security policies as code provides a robust checklist to audit and review to meet this requirement.

An APRA-regulated entity must ensure that operational risk incidents and near misses are identified, escalated, recorded, and addressed in a timely manner.

HashiCorp can identify and record risk incidents including where configurations have changed, or secrets have been exposed in code commits:

Drift detection - Terraform uses declarative configuration files to describe the desired state of infrastructure, then tracks state to detect any discrepancies. These discrepancies are logged and reported, including who made what changes. In addition to reporting and notifying the drift, Terraform also provides a mechanism to roll-back to a stable configuration state of infrastructure with a single click.
Secrets scanning - Vault Radar Beta operates in real time, scanning for secrets across the organisation’s codebase, alerting teams immediately. Vault Radar Beta can recognise categories and levels of risk for prioritisation and remediation.
Unpatched operating systems - Terraform can trigger an update of non-compliant images and send notifications to isolate non-compliant images. Additionally, Packer can be integrated in the existing workflows with Ansible, Chef or Puppet to update, deprecate and/or isolate non-compliant images.

APRA requirement

How HashiCorp helps

Business Continuity

An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.

Terraform enables organisations to define their infrastructure and recovery processes by deploying “infrastructure as code”, and build an automated workflow to remediate at scale. By expressing infrastructure components (such as virtual machines, networks, databases, and load balancers) as code, cloud infrastructure definitions are consistent across environments (development, staging, production), and can be recreated precisely from the code rapidly, reducing manual errors.

Consistency and ease of replication are essential in not only rebuilding infrastructure rapidly, but also building it secure by default with automatically applied policies and thereby APRA regulatory standards. The automation of infrastructure rebuild greatly reduces the need for people in the recovery process, because the rebuild is largely automated and following validated, pre-tested code.

Terraform enables organisations to test BCP in an effective and reliable manner with:

Automated environment builds with standardised code patterns that produce predictable outcomes every time
Drift detection, which regularly compares the actual infrastructure with the Terraform code to detect any discrepancies.
Dry runs, which simulate changes without actually applying them to validate the recovery plan.
Integration testing, to enable the testing of the entire recovery process end-to-end.
Security policy, compliance and cost policy validation using Sentinel policy as code framework built into the Terraform runs (plan, apply workflow).
Applying preventative controls using Sentinel policy as code framework to prevent misconfigurations which could cause security concerns later in the pipeline.

Dynamic DR Environment Creation:

For traditional DR environments require maintaining separate infrastructure solely for disaster recovery, Terraform can:

Dynamically create a DR environment on demand. If a disaster strikes, Terraform can rapidly stand up the necessary infrastructure.
Provision resources across different cloud providers to build DR environments in various regions or different CSP platforms.

infrastructure as code (IaC):

The foundation of a successful DR strategy with Terraform lies in defining all infrastructure as code, and:

Zero manual steps should be involved, and instead, the entire infrastructure (networks, servers, databases, etc.) is codified in Terraform.
If a disaster occurs, the affected components can be rebuilt by applying the Terraform configuration.

Multi-cloud support:

Terraform supports all major CSPs, including AWS, Google Cloud, Azure, Oracle Cloud, Alibaba, etc., and can:

Build DR infrastructure on any CSP, ensuring flexibility and avoiding vendor lock-in.
Support failover to a different cloud provider due to regional outages or other issues.

APRA requirement

How HashiCorp helps

Management of Service Providers

47, 48

[47] An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will … manage service provider arrangements, including the management of material risks.

[48] The policy must include the entity’s approach to entering into, monitoring, substituting and exiting agreements with material service providers; the entity’s approach to managing the risks associated with material service providers; and the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity.

Managing Cloud Service Providers (CSPs): With Terraform, organisations can manage their entire infrastructure stack, including the resources provided by external service providers, in a consistent and automated manner. This ensures that the organisation has full control and visibility over its infrastructure, regardless of where it is hosted. Further, organisations can build multi-cloud capabilities into their infrastructure as code to provide the ability to target cloud migration or cloud specific service hosting as needed.

Organisations can use HashiCorp Nomad to automate the deployment and lifecycle management of workloads running on infrastructure provided by external service providers, ensuring that applications are deployed and scaled efficiently and reliably.

Managing secrets: Organisations can use Vault to securely store and manage access to credentials and other secrets required to interact with external service providers. Vault's dynamic secrets feature can generate short-lived credentials on-demand, reducing the risk of unauthorised access and ensuring that access to sensitive data is tightly controlled.

Providing secure remote access: Organisations can use Boundary to manage human access to their entire fleet of servers hosted within external CSPs while maintaining a consistent and common workflow across multiple cloud providers. Boundary’s session recording gives visibility of who connected to which server and what actions were performed during the session.

Observability: HashiCorp's tools are designed to integrate seamlessly with third-party tools and platforms commonly used for managing service providers, such as cloud management platforms, configuration management tools, SIEM tools, and monitoring and observability platforms.

An APRA-regulated entity must:

• undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis; and

• assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service.”

Using infrastructure as code and policy as code, the right placement of workloads within appropriate region/availability zones can be ensured, including enforced centralised secrets management, ephemeral secrets, encryption and other enforced policies.

Terraform enables organisations to assess and control the configuration of their cloud resources, including geographic location and dependencies on specific service providers. Terraform's declarative configuration language allows organisations to specify the desired state of their infrastructure, ensuring consistency and minimising risks associated with configuration drift or misconfiguration.

»Monitoring, notifications and review

CPS 230 imposes substantial new reporting requirements (CPS 230 [16 (d), 22 (c), 27 (a), 30, 41, 58 and 60), although CPS 234 reporting requirements are not duplicated in CPS 230 and are covered separately in this document.

In alignment with the reporting requirements of CPS 234, and the substantial new reporting requirements of CPS 230, HashiCorp products facilitate consistent reporting across multi-cloud environments, including workflow compliance, visibility into how and when changes are made, redundant audit trails, and security controls across infrastructure and application environments:

HashiCorp Terraform Enterprise & HCP Terraform offerings provide audit logging capabilities that record all actions taken within the Terraform environment, including who made the change, what change was made, and when it occurred. These audit logs can be exported and analysed to generate compliance reports for internal or regulatory purposes. Terraform code is typically stored in version control systems such as Git, allowing organisations to track changes to their infrastructure configurations over time. By reviewing commit history and pull requests, auditors can gain insight into how infrastructure changes are made and ensure that they adhere to compliance requirements. Terraform integrates with various compliance tools and frameworks, allowing organisations to incorporate compliance checks directly into their Terraform workflows. For example, organisations can use Terraform's integration with the Sentinel policy as code framework or other policy enforcement tools to enforce compliance policies and automatically prevent non-compliant changes from being applied.
Sentinel (part of HashiCorp Terraform licensed editions) is a policy as code framework that enables organisations to define custom policies that specify compliance requirements, such as access controls, data encryption, cost controls, security policies and audit logging. These policies are written as code and can be tailored to meet the specific compliance standards, such as CPS 230, that the organisation needs to adhere to. Sentinel can generate custom compliance reports, providing detailed insights into compliance status, including violations, remediation actions taken, and overall compliance posture to meet the specific reporting requirements of CPS 230.
HashiCorp Vault Enterprise and HCP Vault offerings integrate with security information and event management (SIEM) systems and logging solutions, allowing organisations to aggregate and analyse Vault's audit logs alongside logs from other security-relevant systems. This centralised logging approach simplifies compliance reporting by providing a single source of truth for security-related events. Vault enforces strict access controls, allowing organisations to define policies that govern who can access which secrets and under what conditions. Vault also provides comprehensive audit logging, recording all interactions with secrets, including access attempts, modifications, and deletions. These audit logs can be used to demonstrate compliance with CPS 230/234 requirements by providing a detailed record of who accessed what information and when.
HashiCorp Boundary provides comprehensive audit logging and session recording capabilities that capture all user actions and interactions with resources. Organisations can review audit logs and session recordings to monitor user activity, detect security incidents, and demonstrate compliance with CPS 230/234 requirements for audit logging and monitoring.
HashiCorp Nomad provides comprehensive audit logging and monitoring capabilities that capture all user actions and system events. Banks can review audit logs and monitor performance metrics to track containerised workload activity, detect security incidents, and demonstrate compliance with CPS 230/234 requirements for audit logging and monitoring.
HashiCorp Packer provides audit logs and version control capabilities that enable organisations to track changes to their machine image configurations over time. Auditors can review Packer configuration files and audit logs to verify compliance with CPS 230/234 requirements related to secure configuration management and change control.
HashiCorp Consul integrates with commonly used monitoring and reporting tools to track and report on infrastructure performance and compliance. Organisations can integrate Consul with their existing monitoring and reporting workflows to streamline the collection, analysis, and presentation of data for CPS 230 reporting purposes. Consul can be used to define health check monitors that periodically assess the health of services and report any anomalies or failures. Consul's health checking capabilities monitor the operational status of critical systems and applications, enabling issues to be reported on, but also to address issues proactively.

Observability Tools (OT) establish an enterprise-wide monitoring standard, delivering end-to-end visibility across each layer of cloud applications by unifying telemetry data, including from HashiCorp products. HashiCorp products provide an API to stream audit events to OTs such as:

Terraform policy checks can be reported to the OT, including ensuring all infrastructure changes are compliant with CPS 230 regulations, including enforcing cloud zones, adherence to security policies, and all configuration changes including when and by whom.
Vault logs can be streamed to the OT, including monitoring user and machine access to sensitive resources, whether data is encrypted in transit or at rest for PII / PCI data. Policy checks can enforce zero trust principles by verifying access controls are based on user identity, device posture, and other contextual factors.
Consul can be monitored by an OT including network visualisation, verify network traffic is properly segmented, firewalls are configured correctly, and communication between services follows established security protocols.
Nomad can be monitored from the OT to check container security-related configurations such as network isolation, container runtime security settings, and access controls.
Boundary streams audit events to the OT Monitoring Platform to allow administrators to track user activity and enable security teams to ensure compliance in accordance with regulatory requirements.

Security vulnerability examples that can be reported from HashiCorp tools to OTs include:

Access Control Issues: Audit logs can reveal instances of unauthorised access attempts or successful accesses to sensitive resources. This could include attempts to bypass authentication mechanisms or unauthorised changes to access policies.
Configuration Changes: Any unauthorised or unexpected changes to the configuration of Vault, Boundary, or Consul could indicate a security vulnerability. This includes changes to encryption settings, access control policies, or network configurations.
Authentication Failures: Logs can highlight repeated authentication failures, which may indicate brute-force attacks or misconfigured authentication settings. Observing patterns of failed authentication attempts can help in detecting and mitigating potential security threats.
Anomalous Behaviour: Deviations from normal usage patterns, such as unusual API calls or access requests, could indicate suspicious activity. By analysing logs for abnormal behaviour, security teams can identify potential security breaches or insider threats.
Certificate and Key Management: Vault is often used for managing certificates and cryptographic keys. Logs related to certificate issuance, renewal, and revocation can help ensure the integrity and security of TLS communications and other cryptographic operations.
Network Security: Consul provides service discovery and network automation capabilities. Logs from Consul can reveal anomalies in network traffic, unauthorised service registrations, or misconfigurations that could lead to security vulnerabilities or service disruptions.
Boundary Access Logs: Boundary provides secure access to infrastructure and applications. Access logs from Boundary can help identify unauthorised access attempts, unusual session activity, or potential privilege escalation attempts.

»HashiCorp guidance: APRA CPS 234 Information Security

This section provides an overview of how HashiCorp helps organisations achieve APRA’s guidance on information security, in the document “APRA Prudential Practice Guide, CPG 234 Information Security”. HashiCorp’s aim is to assist regulated entities in achieving information security and being able to report on compliance.

Source: https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_1.pdf

APRA requirement

How HashiCorp helps

Information security controls implemented at all stages

HashiCorp implements security controls at all stages of infrastructure lifecycle management. Terraform uses infrastructure as code workflows, which offer a system of record for managed resources as well as the ability to manage the entire infrastructure lifecycle. HashiCorp security lifecycle management uses identity-based security workflows, and offers a system of record for sensitive information (credentials, certificates, keys, customer data) as well as the ability to manage the entire lifecycle of sensitive information.

Vulnerabilities and threats are identified, assessed and remediated

Vulnerabilities and threats are identified, assessed and remediated:

(c) develop tactical and strategic remediation activities for the control environment (prevention, detection and response) commensurate with the threat; and

(d) implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access.

(c) Sentinel provides policy as code framework, enabling the enforcement of compliance and governance rules, which helps in the early detection of non-compliant resources. HashiCorp’s products also support automated workflows for responding to security incidents, reducing the time between detection and remediation.

(d) With The Infrastructure Cloud from HashiCorp, organisations can create a robust defence against cyber threats, disrupting attackers at each stage of their campaign, including:

HashiCorp helps prevent reconnaissance through Consul’s service discovery and mesh capabilities, which can obscure the details of the infrastructure from potential attackers, making reconnaissance more difficult.
Vault manages secrets and protects sensitive data, reducing the risk of credential theft and subsequent exploitation of vulnerabilities.
HashiCorp’s policy as code framework, Sentinel, can enforce policies that prevent unauthorised software installations, thereby mitigating the risk of malware being installed.
Vault provides identity-based access, enabling fine-grained control over who has access to specific infrastructure, thus preventing unauthorised privilege escalation.

End-of-life and out-of-support issues

40, 41, 42, 43

End-of-life and out-of-support issues

Terraform tracks the creation and modification times of resources which can be used to infer the age of IT assets such as applications in the cloud. Terraform can also shutdown cloud workloads based on a predefined time to live or lack of activity, thereby reducing the attack surface.

Packer can codify the security hardening and compliance of machine images prior to deployment to prevent the deployment of incorrect versions, update non-compliant images, and/or isolate non-compliant images. EOL/EOS in machine images including operating systems can be identified at scale across any cloud, and the system either hot-fixed, patched or decommissioned. Packer does not replace configuration management like Chef or Puppet. In fact, when building images, Packer is able to use tools like Chef or Puppet to install software onto the image.

Minimise exposure to plausible worst case scenarios

44, 45

Minimise exposure to plausible worst case scenarios, such as

a) malicious acts by an insider with highly-privileged access, potentially involving collusion with internal or external parties;

b) deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction; and

c) loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.

HashiCorp’s approach to privileged access management emphasises the principle of least privilege and the need for robust identity verification and access controls to prevent unauthorised actions by insiders. HashiCorp’s identity based access products, Boundary and Vault, enable security administrators to define identity-based policies as code with short-lived credentials to manage access to modern, dynamic systems ensuring privileges are tightly controlled and access is granted based on verified identities, reducing the risk of insider threats.

Cryptography and key management protecting Vault secrets are designed to stand up to attacks from skilled adversaries, including insider threats. Vault’s cryptographic barrier and unsealing process protect data at rest. This ensures that even if an insider has access to the storage backend, they cannot access Vault’s secrets without the proper unsealing process.

HashiCorp products provide fine-grained access control policies which can enforce restrictions on who can access what data, contributing to data loss prevention.

HashiCorp products also support multi-serve mode for high availability and replication for redundancy, helping avoid risks associated with an attack on the secrets engine. Vault employs robust access controls that can limit who has the ability to delete the Vault cluster or its data.

[see next section]

44, 45

Minimise exposure to plausible worst case scenarios, such as

a) malicious acts by an insider with highly-privileged access, potentially involving collusion with internal or external parties;

b) deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction; and

c) loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.

c. HashiCorp helps ensure encryption keys are protected against unauthorised access and loss with:

Encryption: Vault encrypts all data, including encryption keys, using 256-bit AES in GCM mode with a randomly generated nonce. This ensures that the storage backend never sees the unencrypted value.

Key Rotation: Vault supports automatic key rotation, which allows encryption keys to be updated and rotated without code changes or redeployment.

Access Control: Vault uses fine-grained access control policies to restrict who can access encryption keys. Only authorised users or systems with the correct permissions can access the keys.

Unseal process: The unseal process in Vault is designed to protect against unauthorised access. The unseal process in Vault is designed to protect against unauthorised access. By default, Vault uses Shamir’s secret sharing algorithm to split the master key into multiple shares, requiring a subset of these shares to reconstruct the master key and access the encryption keys.

Barrier Seal: Vault’s security barrier automatically encrypts all data leaving Vault, including encryption keys, using a 256-bit AES cipher in GCM mode with 96-bit nonces, which are randomly generated for every encrypted object.

Security in change management

Security in change management - APRA envisages that a regulated entity would implement controls to manage changes to information assets, including changes to hardware, software, data, and configuration

HashiCorp supports security in change management through a variety of tools and practices that ensure changes to hardware, software, data, and configurations are managed securely. Terraform allows for the provisioning and management of infrastructure using code, which helps in maintaining consistency, traceability, and version control of infrastructure changes. All information about changes are logged (and can be streamed to observability systems). Changes recorded on the audit log can be categorised based on risk.

An important factor in change management is handling changes at scale. HashiCorp tools are designed for deploying a single application or managing thousands of services across multiple clouds.

Software security

An APRA-regulated entity would typically implement secure software development and acquisition techniques to assist in maintaining confidentiality, integrity and availability by improving the general quality and vulnerability profile of the software

Sentinel codifies compliance policies and enforces them across infrastructure and applications. By integrating Sentinel policies into CI/CD pipelines, code changes can be automatically evaluated against compliance requirements and prevent non-compliant deployments.

Data leakage

50, 51, 52, 53

50 Data leakage is the unauthorised removal, copying, distribution, capturing or other types of disclosure of sensitive data that results in a loss of data confidentiality (also known as a data breach). Access to data removal methods would typically be subject to risk assessment and only granted where a valid business need exists.

53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.

Vault provides robust access control mechanisms, including fine-grained policies and role-based access control (RBAC), to restrict access to PCI DSS data based on user roles and permissions. Additionally, Vault integrates with identity providers and authentication systems, enabling centralised authentication and single sign-on (SSO) for accessing sensitive data.

Vault offers encryption as a service, to encrypt data at rest and in transit using industry-standard algorithms and protocols. By encrypting PCI DSS data throughout its lifecycle, data including PII/PCI, can be protected from unauthorised access and ensure compliance with encryption requirements.

Vault offers comprehensive auditing capabilities, to track and monitor access to PCI DSS data in real-time. Vault logs all access requests, including who accessed the data, when, and from where, providing an audit trail for compliance purposes and security investigations.

Consul provides service mesh capabilities for securing communication between microservices and distributed applications. By encrypting traffic with mutual TLS (mTLS) and enforcing access control policies, Consul helps protect PCI DSS data as it traverses the network, preventing eavesdropping and tampering attacks.

Cryptographic techniques to restrict access

54, 55

54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (...).

55 In order to minimise the risk of compromise, an end-to-end approach would typically be adopted, where encryption is applied from the point-of-entry to final destination.

Vault categorises sensitive data based on its criticality or sensitivity using metadata or custom attributes. Policies and access controls can be defined for different categories of data, ensuring that more critical or sensitive data is protected with stronger encryption, stricter access controls, and more rigorous auditing.

Vault enables the encryption of sensitive data at rest using industry-standard cryptographic algorithms, such as AES (Advanced Encryption Standard). When data is stored in Vault, it is encrypted using a master encryption key, ensuring that even if the underlying storage is compromised, the data remains unreadable.

Vault encrypts data in transit. Vault's transit secrets engine provides a secure platform for encrypting and decrypting data in transit. Applications can leverage the transit secrets engine to encrypt sensitive data before transmitting it to other systems or users. Vault manages the encryption keys and performs cryptographic operations transparently, ensuring that data remains protected throughout its journey.

Vault can act as a Certificate Authority (CA) or integrate with existing CAs to issue and manage TLS certificates for secure communication between applications and users. By leveraging Vault as a CA, organisations can centralise certificate management, automate certificate issuance and renewal, and enforce security policies for TLS encryption.

Information security technology solutions

An APRA-regulated entity would typically deploy appropriate information security technology solutions which maintain the security of information assets. Examples include firewalls, network access control, intrusion detection/prevention devices, anti-malware, encryption and monitoring/log analysis tools. The degree of reliance placed on technology solutions for information security could necessitate a heightened set of lifecycle controls…

Consul primarily focuses on service networking and service mesh capabilities for securing communication between microservices and distributed applications.

Consul can be used to dynamically configure firewall rules and network access control lists (ACLs) based on service discovery and metadata provided by Consul, through Consul’s integration with firewall management tools or network infrastructure devices.

Consul can facilitate integration with intrusion detection/prevention systems (IDPS) by providing service discovery and health checking capabilities, detect anomalies in service behaviour, and respond to security threats in real-time.

Consul integrates with anti-malware solutions deployed within the network infrastructure or at the endpoint level, enabling automated deployment and updates of anti-malware agents or configurations based on service lifecycle events.

Consul supports encryption of communication between services using mutual TLS (mTLS) encryption. By enabling mTLS in Consul, organisations can encrypt traffic between services, authenticate service identities, and prevent unauthorised access or eavesdropping attacks.

Consul integrates with monitoring and log analysis tools to provide visibility into service health, performance metrics, and operational logs, and can feed this information into other observability tools.

End-user developed/configured software

57, 58, 59

57. Current technologies allow end-users to develop/configure software for the purpose of automating day-to-day business processes or facilitating decision-making (e.g. spreadsheets, local databases, user administered software). This creates the risk that life-cycle controls could be inadequate for critical information assets and possibly lead to a proliferation of sensitive data being accessible outside controlled environments.

58. An APRA-regulated entity would typically introduce processes to identify and classify end-user developed/configured software and assess risk exposures. In APRA’s view, any information software asset that is critical to achieving the objectives of the business or

that processes sensitive data would comply with the relevant life-cycle management controls of the regulated entity.

59. Sound practice is to establish a formal policy to govern end-user developed/configured software. The policy would clearly articulate under what circumstances end-user developed/configured software is appropriate, as well as expectations regarding lifecycle management controls including information security, development, change management and backup.

HashiCorp can codify the organisational policy to govern the infrastructure and security lifecycle management of all end-user developed and configured software. The codified policies can ensure sensitive data is contained within the appropriate environment, and is encrypted or tokenized. Policy as code can prevent PII/PCI data being moved to locations outside of policy and create alerts of any attempts.

Emerging technologies

60, 61, 62

New technologies potentially introduce a set of additional information security vulnerabilities, both known and unknown. An APRA-regulated entity would typically apply appropriate caution when considering the introduction of new technologies.

Typically, an APRA-regulated entity would only authorise the use of new technologies in a production environment where the technology:

a) has matured to a state where there is a generally agreed set of industry-accepted controls to manage the security of the technology; or

b) compensating controls are sufficient to reduce residual risk within the entity’s risk appetite.

An APRA-regulated entity could find it useful to develop a technology authorisation process and maintain an ‘approved technology register’ to facilitate this. The authorisation process would typically assess the benefits of the new technology against

the impact of an information security compromise, including an allowance for uncertainty.

Standardising on HashiCorp for cloud infrastructure provides organisations with a unified platform for managing infrastructure, applications, and security across hybrid and multi-cloud environments. This simplifies the introduction of new technologies including cloud service providers and cloud based software, as well as new technology systems integrators and managed service providers.

By adopting consistent workflows, embracing infrastructure as code principles, leveraging modularity and extensibility, enforcing policy as code, promoting collaboration and knowledge sharing, and investing in training and support, organisations can effectively manage the use of new technologies while ensuring consistent security, compliance, and operational efficiency.

Information assets managed by third parties and related parties

63, 64, 65

Information assets managed by third parties and related parties

Refer to HashiCorp CPS 230 guidance, Management of Service Providers.

Detection of security compromises

66, 67, 68, 69,

Detection of security compromises

Common monitoring techniques include:

a) network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;

b) scanning for unauthorised hardware, software and changes to configurations;

c) sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);

d) logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access; and

e) users with privileged access accounts subject to a greater level of monitoring in light of the heightened risks involved.

Refer to HashiCorp CPS 230 guidance, Management of Service Providers.

HashiCorp facilitates the detection of anomalous behaviour in infrastructure and security workflows, and logs and streams these events to external auditing and/or observability tools.
Terraform identifies any discrepancies or "drift" between an authorised configuration and a deployed configuration, highlighting changes made outside of Terraform's management. This helps maintain infrastructure consistency and facilitates remediation of unauthorised modifications.
HashiCorp products integrate with monitoring and alerting systems to provide alerts when there's any deviation from a defined configuration. As well as the above drift detection, Vault integrates with logging and monitoring tools to detect unauthorised access or configuration changes, issuing alerts for security breaches or policy violations.
As per c) above
Super users can be granted access only to the resources and capabilities necessary for their responsibilities, reducing the risk of unauthorised access. Integration with Security Information and Event Management (SIEM) systems and monitoring tools can aggregate and analyse audit logs, generate alerts, and provide real-time visibility into super user activity. Administrators can configure alerts for specific events or anomalies, enabling proactive detection and response to security incidents involving privileged access accounts.

Systematic testing program

“...an APRA-regulated entity would… maintain a program of testing which validates the design and operating effectiveness of controls over time.

As previously discussed, HashiCorp products offer test and reporting functionality that will include all test results as well as deficiencies. A significant benefit of HashiCorp’s approach to multi-cloud environments is a significant reduction in the number of tests and controls through standardisation, as well as the reduction of attack surface through controls such as graceful temporary or permanent shutdown of sunset cloud environments. Terraform's licensed editions in particular offer AI Generated tests for infrastructure as code allowing organisations to embed test cases rapidly.

Sign up for the latest HashiCorp news

More resources like this one

4/11/2024FAQ

Introduction to HashiCorp Vault

12/28/2023FAQ

Why should we use identity-based or "identity-first" security as we adopt cloud infrastructure?

3/15/2023Presentation

Advanced Terraform techniques

3/15/2023Case Study

Using Consul Dataplane on Kubernetes to implement service mesh at an Adfinis client

View all resources