Use Piiano Vault to protect your customers’ secrets with encryption or tokenization

Privacy

Moty Michaely

Engineer, Founder, Investor

July 17, 2024

min read

Join our newsletter

Your privacy is important to us, privacy policy.

In April this year business intelligence company, Sisense, suffered a breach where bad actors accessed customer data, including access tokens, email passwords, and SSL certificates. The attackers accessed the company’s internal Gitlab code repository and found a token or credential that gave them access to Sisense’s Amazon S3 buckets. This event triggered an investigation by the US Cybersecurity and Infrastructure Security Agency (CISA), given that Sisense customers include critical infrastructure sector organizations.

Could this happen to you? In a world where cybercriminals are always looking for unprotected PII, either for its intrinsic value or to blackmail your business, protecting customer secrets is more important than ever.

In my post, How to Protect Customers' Secrets in Your SaaS Offering: Detailed Guide, I introduced you to best practices for protecting customer secrets and how using a privacy vault has the potential to offer the best protection. In this post, I dig deeper into the practical approaches to implementing this protection using Piiano Vault. Specifically, I show you how straightforward it is to encrypt or tokenize your customer secrets using the Vault REST API.

For this post, I'm using a use case where your app integrates with Slack and sends a message whenever an event occurs. You enable your customers to receive these messages by requesting Slack webhooks from your customers through a simple webpage with an input box.

The challenge is storing these incoming Slack webhooks (i.e., the secret) securely.

I don’t cover setting up your instance of Piiano Vault in this post.

If you've never done this before, you have a couple of options to try things out:

Set up a local developer version. See the get started guide in the Piiano Vault dev docs for instructions.
Create a sandbox account on the managed version of Piiano Vault.

I recommend using the managed version.

Option 1: Encrypt customer secrets

This option protects your customers' secrets by encrypting them with Vault. You then store the resulting ciphertext in your system. You can use a self-hosted full or stateless version of Piiano Vault or the managed version to do this.

Set up a Vault collection

While you don't store customer data in Piiano Vault using this option, Vault needs a collection to perform the encryption against. Vault uses this collection to validate and normalize data, control access to the data, and manage encryption keys.So, the first thing you need to do is define one. In this case, you can keep it very simple: a collection with a webhook property. You define this to Vault using the REST API like this:

curl --request POST \
  --url 'https://a1b2c3d4e.us-east-2.awsapprunner.com/api/pvlt/1.0/ctl/collections?format=json' \
  --header 'Authorization: Bearer pvaultauth' \
  --header 'Content-Type: application/json' \
  --data '{
 "type": "DATA",
 "name": "secrets",
 "properties": [
   {
     "description": "Webhook",
     "name": "webhook",
     "data_type_name": "STRING",
     "is_nullable": true
   },
  ]
}'

Encrypt your customers’ secrets

Now, you are ready to encrypt the Slack webhooks your customers provide. You do this using the encrypt operation of the Vault REST API., You pass this operation details of the collection and collection property you want Vault to perform the encryption against – the webhook property in the secrets collection – along with the webhook value you want encrypted like this:

curl --request POST \
  --url 'http://https://a1b2c3d4e.us-east-2.awsapprunner.com/api/pvlt/1.0/data/collections/secsets/encrypt/objects?reason=Maintenance' \
  --header 'Authorization: Bearer pvaultauth' \
  --header 'Content-Type: application/json' \
  --data '[
 {
   "object": {
     "fields": {
       "webhook": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
     }
   },
   "props": [
     "webhook"
   ]
 }
]'

‍

The response is the ciphertext generated by the encryption, like this:

[
  {
    "ciphertext": "AQAB3OrmXuw1Z5v1Pv98oK0AA9EmqaoWbImWB+7sfATyX0fyz8EYV8R+8fbSTZA5df6ELMCY+hseFDsxg4/b/MuhKzX8UfzljQSrNjWeSXenuv/f6z3O2rDpMj4S15mw7tuzRoX5WxVtrxTjk/kqWrJMQw=="
  }
 ]

‍

You now simply store the ciphertext in your database.

Send the message

When sending a message from your application to the customer's Slack account, you can use Piiano Vault to decrypt the webhook ciphertext and then use the webhook in your code. However, Piano Vault provides a more secure mechanism through the Invoke HTTP call action REST API operation. With this option, you give Vault the ciphertext and information on how to make the HTTP call. Vault then decrypts the webhook and builds the request without exposing the plain text webhooks to your application, further reducing the risk of data leaks.

To prepare for using the call action, you define variables that will take values from Vault and the HTTP request, which uses the variables to pass information to the third party.

Variables are defined using the Vault Global Identifier. In this example:

"to_webhook": "pvlt:decrypt_object:secrets:webhook:AQAB3OrmXuw1Z5v1Pv98oK0AA9EmqaoWbImWB+7sfATyX0fyz8EYV8R+8fbSTZA5df6ELMCY+hseFDsxg4/b/MuhKzX8UfzljQSrNjWeSXenuv/f6z3O2rDpMj4S15mw7tuzRoX5WxVtrxTjk/kqWrJMQw==:”

‍

This code tells Vault to populate the variable to_webhook with the value it gets by decrypting an object from the secrets collection for the webhook property using a ciphertext string.

You now use the to_webhook to create the body of the HTTP request, in the case of our Slack message, like this:

POST <to_webhook>
Content-type: application/json
{
    "text": "Your customer’s message"
}

‍

Putting this all together, you make a call using the HTTP call action like this:

curl --request POST \
  --url 'http://localhost:8123/api/pvlt/1.0/data/actions/http_call?reason=AppFunctionality' \
  --header 'Authorization: Bearer pvaultauth' \
  --header 'Content-Type: application/json' \
  --data '{
 "template_variables": {
   "to_webhook": "pvlt:decrypt_object:secrets:webhook:AQAB3OrmXuw1Z5v1Pv98oK0AA9EmqaoWbImWB+7sfATyX0fyz8EYV8R+8fbSTZA5df6ELMCY+hseFDsxg4/b/MuhKzX8UfzljQSrNjWeSXenuv/f6z3O2rDpMj4S15mw7tuzRoX5WxVtrxTjk/kqWrJMQw==:"
 },
 "request": {
   "url": to_webhook,
   "method": "POST",
   "body": "\"message\": \"Your customer’s message\" }"
 },
 "include_response_body": false
}'

Option 2: Using tokenized customer secrets

WIth this option you protect your customers' secrets by storing them in Vault and obtaining a token representing the stored value. You then store the token in your database. You use the full version to do this as you are storing values in Vault.

Set up a Vault collection

To get started, Vault needs a collection to store your customer secrets in, so it has the original data to retrieve when a user attempts to detokenize a token. As you are only storing the customers’ Slack webhook in Vault, all you need is the collection you used to encrypt the webhooks: a collection with a webhook field.

Tokenize your customers’ secrets

When you've set your collection, you determine the token type you want to generate. Vault can create a variety of token types. In this example, you use a pointer token. This token represents a property value (the webhook) as it is when the token is detokenized.

You can now store and tokenize webhooks using the tokenize REST API operation. Very much in the way you perform encryption, you pass the operation details of the collection and collection property Vault stores the webhook in and the webhook value you want Vault to store and tokenize like this:

curl --request POST \
  --url 'http://https://a1b2c3d4e.us-east-2.awsapprunner.com
  --header 'Authorization: Bearer pvaultauth' \
  --header 'Content-Type: application/json' \
  --data '[
 {
   "type": "pointer",
   "fields": {
     "webhook": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
   },
   "props": [
     "webhook"
   ]
 }
]'

‍

The response provides you the token and the ID of the object stored in the Vault collection, like this:

[
  {
    "token_id": "de15a638-354a-11ed-a261-0242ac120002",
    "object_id": "cc9a39c5-4734-4786-b317-e16705d5128f"
  }
 ]

‍

You now simply store the token ID in your database.

Send the message

As with encryption, you can use Piiano Vault to detokenize the webhook token and then use the webhook in your code. However, the Invoke HTTP call action REST API provides a more secure option.

You use the same REST API call as described in the encryption section. The only difference is that the Vault global identifier needs to specify that the action is to detokenize and provide the token, like this.

"pvlt:detokenize:secrets:webhook:463a83d0-a816-4902-abba-2486e0c0a”

‍

You make a call using the HTTP call action like this:

curl --request POST \
  --url 'http://localhost:8123/api/pvlt/1.0/data/actions/http_call?reason=AppFunctionality' \
  --header 'Authorization: Bearer pvaultauth' \
  --header 'Content-Type: application/json' \
  --data '{
 "template_variables": {
   "to_webhook": "pvlt:detokenize:secrets:webhook:de15a638-354a-11ed-a261-0242ac120002:"
 },
 "request": {
   "url": to_webhook,
   "method": "POST",
to_webhook
   "body": "{\"message\": \"Your customer’s message\" }"
 },
 "include_response_body": false
}'

Using Vault as your turnkey solution

The chances are that your customers’ Slack webhooks are not the only personally identifiable information that you hold for your customers. By storing them in Vault, you can easily enhance the protection provided to details such as names, addresses, and payment information.

Conclusion

In this post, I have shown you how to take practical steps to protect customer secrets with encryption or tokenization, illustrating the Piiano Vault REST API operations you would use. I've also introduced you to the invoke HTTP call action REST API operation. This operation enables you to use a customer secret without exposing it to the user who makes the call. This means that, after a customer secret has been encrypted or tokenized, no part of your application needs to handle it in plain text, significantly reducing the risk of leaks.

‍

About the author

Moty Michaely

Engineer, Founder, Investor

Entrepreneur, Founder, Engineer, Software R&D expert, Mentor, Consultant and Team Leader with more than 20 years of experience in project management, software engineering, large scale cloud based systems design and development. B.Sc. in Computer Science and finishing my M.Ss in Computer Science.

# Tags:

No items found.

Powering Data Protection

Skip PCI compliance with our tokenization APIs

Skip PCI compliance with our tokenization APIs

hey

h2

dfsd

link2

It all begins with the cloud, where applications are accessible to everyone. Therefore, a user or an attacker makes no difference per se. Technically, encrypting all data at rest and in transit might seem like a comprehensive approach, but these methods are not enough anymore. For cloud hosted applications, data-at-rest encryption does not provide the coverage one might expect.

John Marcus

Senior Product Owner

const protectedForm = 
pvault.createProtectedForm(payment Div, 
secureFormConfig);

This is some text inside of a div block.

Continue your reading

See all articels

Text Link

Privacy

How to Protect Customers' Secrets in Your SaaS Offering: Detailed Guide

Moty Michaely

min read

May 3, 2024

Privacy

How to Protect Customers' Secrets in Your SaaS Offering: Detailed Guide

How to Protect Personally Identifiable Information: PII Security Best Practices

Gil Dabah

min read

March 14, 2024

Privacy

How to Protect Personally Identifiable Information: PII Security Best Practices

Secure Sensitive User Profile Attributes in Auth0 (and other providers)

Moty Michaely

min read

February 6, 2024

Privacy

Secure Sensitive User Profile Attributes in Auth0 (and other providers)

How I Detected Sensitive Data Leaks, Such as Log Leaks in Open Source Projects Using Piiano Flows

Guy Feigenblat

min read

December 22, 2023

Privacy

How I Detected Sensitive Data Leaks, Such as Log Leaks in Open Source Projects Using Piiano Flows

Guy Feigenblat

December 22, 2023

Piiano offers developer-friendly privacy and security products.

Piiano Privacy Solutions US, Inc

135 W. 50th St. Suite 200 
New York, NY 10020

Product

Piiano Vault PCI Tokenization Piiano Flows Pricing

Company

About us Careers Contact us Book a demo

Resources

Docs Blog Privacy by Design Data Tokenization

What is PII PII Protection Column - Level Encryption 101

PII By Design ^TM Cheat Sheet

Piiano offers developer-friendly privacyand security products.

Piiano offers developer-friendly privacy and security products.

Piiano Privacy Solutions US, Inc

135 W. 50th St. Suite 200 
New York, NY 10020

Use Piiano Vault to protect your customers’ secrets with encryption or tokenization

Option 1: Encrypt customer secrets

Set up a Vault collection

Encrypt your customers’ secrets

Send the message

Option 2: Using tokenized customer secrets

Set up a Vault collection

Tokenize your customers’ secrets

Send the message

Using Vault as your turnkey solution

Conclusion

Skip PCI compliance with our tokenization APIs

h2

Continue your reading

How to Protect Customers' Secrets in Your SaaS Offering: Detailed Guide

How to Protect Customers' Secrets in Your SaaS Offering: Detailed Guide

How to Protect Personally Identifiable Information: PII Security Best Practices

How to Protect Personally Identifiable Information: PII Security Best Practices

Secure Sensitive User Profile Attributes in Auth0 (and other providers)

Secure Sensitive User Profile Attributes in Auth0 (and other providers)

How I Detected Sensitive Data Leaks, Such as Log Leaks in Open Source Projects Using Piiano Flows

How I Detected Sensitive Data Leaks, Such as Log Leaks in Open Source Projects Using Piiano Flows

Get security and privacy best practices, tips and news.