Unlocking Multi-Cloud with HashiCorp Vault Secrets Management
Originally published on CloudOps’ blog.
Organizations, for a variety of reasons, often choose to avoid vendor lock-in and use cloud infrastructure resources from several cloud providers. Multi-cloud architectures involve leveraging two or more public cloud computing platforms. Further, hybrid-cloud architectures include private cloud infrastructure components as well. Applications supported by hybrid- and multi-cloud architectures are able to benefit from multiple features across clouds and reduce risks; however organizations need to utilize the right tools to unlock the full potential of these architectures.
Best-of-Breed Tools for Multi-Cloud Architectures
The DevOps and Cloud Infrastructure landscape spans a multitude of tools and platforms, each of which has its own ideal use case. Organizations that leverage best-of-breed tools across the landscape can unlock the advantages of multi-cloud architectures.
The Zero-Trust Mindset
Since these tools and platforms are critical for your organization’s success in the cloud, they need to be protected. Security should always be a fundamental part of hybrid / multi cloud architectures that are composed of multiple clouds and private data centers without clear network perimeters. These architectures require your organization adopt a “Zero Trust” mindset.
“Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access.” — Microsoft on Zero-Trust
The proper management of identities, access, and secrets is central to the Zero Trust security mindset. There are abundant solutions and literature available on identity and access management, but today we want to focus on secrets management.
What is Secrets Management?
You may already be struggling with the problem of ‘secrets sprawl’, where your keys, certificates, secrets, and passwords are stored in files, code, or scripts across multiple environments. Secrets sprawl poses several security and operational risks as your infrastructure scales up. You therefore need a comprehensive secrets manager that supports multiple integrations, scales easily with your growing infrastructure, and is easy to audit.
HashiCorp Vault for Secrets Management
HashiCorp Vault is a best-of-breed solution for secrets management. Think of it as a highly secure dynamic password manager that not only remembers passwords and certificates but also creates and changes them for applications, databases, web services, and other machine components. It integrates across multiple active directories and identity management solutions, helping your organization shift towards a Zero Trust model.
Organizations typically use the open source version of HashiCorp Vault as a key store integrated with their public cloud KMS. Their important applications store and access secrets with Vault to meet minimum security mandates. There may be multiple and in siloed deployments across the organization. However, Vault adoption is a journey that can be customized to your organization’s needs.
Succeeding with Secrets Management: Crawl, Walk, Run
Vault will enable your organization to integrate security into the innermost layers of its technology stack. How do you evolve your Secrets Management practice? First, understand where your organization is in the maturity model for secrets management. Are you resting, creeping, crawling, walking, or running along your implementation of Vault?
Rest: Your organization encounters secrets sprawl but does not have any process or solution in place to resolve the associated risks.
Creep: Your organization decides to mitigate many of the security and operational risks associated with its secret sprawl. A public cloud key store option such as Azure Key Vault is then leveraged. However, these solutions are not designed for modern multi-cloud architectures and can create operational challenges when scaled beyond your primary cloud.
Crawl: The Vault Secrets Management Platform can be an ideal solution. Get started by downloading the OSS (open source software) version to implement a few basic scenarios that leverage dynamic secrets for your target applications. The OSS version depends on HashiCorp community support and works well for PoCs. There is no multi-datacenter replication available in the OSS, and a few other key features of the Enterprise version (such as Snapshots and Backups) are missing.
Walk: Many of our customers have scaled to enterprise-wide deployments of Vault by implementing Vault Enterprise or HashiCorp Cloud Platform’s Vault Managed Service. This includes an array of additional features as well as premium support from HashiCorp. To be truly multi-cloud, customers must maintain Secrets Management in the cloud infrastructure of their choice GCP/AWS/Azure or a private cloud. For many of HashiCorp Vault’s enterprise customers, this means dedicating one team to own and manage Vault in the cloud and deliver “Secrets Management-as-a-Service” to the rest of the organization.
Run: Vault additionally offers advanced features for data encryption, data masking, and integration with hardware security modules. It can handle secrets in transit and manage the encryption key lifecycle perfectly. CloudOps’ Vault Accelerator Programs will help you realize value in a matter of weeks with Vault Enterprise or HCP Vault.
The “Secret” to Secret Management
Our library of standardized architectures and pre-built configurations, scripts, and automations assist customers of all sizes through every phase of the Vault adoption journey. Our history and expertise with HashiCorp alongside other infrastructure tools help us reduce the costs and risks of implementing such cutting-edge technology projects.
The myriad of cloud platforms and technologies grows each day, and organization’s must navigate today’s multi-cloud world to sustain business growth. CloudOps helps organizations of all sizes use and build cloud platforms that avoid vendor lock-in and reduce risk and cost. This leads to long-term sovereignty, control, and the freedom to choose the right services. Our approach is cloud- and platform-agnostic, meaning we have expertise in a wide range of solutions.
HashiCorp Vault is a best-of-breed tool for securing, storing, and controlling access to tokens, passwords, certificates, API, and other secrets in modern computing. It can be an integral part of any secure Infrastructure as Code practice. It is available in three versions:
Vault Open Source: The open source version of Vault includes features such as dynamic secrets management and community support. This version will help you get started with Secrets Management for your organization. It is fully open source and has robust community support.
Cloud Vault: The managed service offering for Vault is a part of the HashiCorp Cloud Platform and suits enterprise-wide use cases. It provides fully-managed clusters, cloud infrastructure SLAs and support. If you are a rapidly scaling organization and do not want to worry about maintaining infrastructure for your Vault deployments, HCP Vault is a great option.
Enterprise Vault: The paid licence for Vault deployments on any infrastructure. It has all the features of the cloud and open source versions as well as ones for governance and policy, scale and remediation, and premium support services.
A quick comparison of the features of these versions can be viewed here.
A specialized partner of HashiCorp, CloudOps has in-depth experience in its solutions. Learn about CloudOps’ Vault Trainings and Workshops, Enterprise Vault Accelerator Program, and HCP Vault Accelerator Program. We will equip your DevOps teams with the skills needed to securely build and operate cloud native architectures. Contact us for more information.