Brief Summary of HashiCorp’s Whitepaper “Unlocking the Cloud Operating Model: Security”

Marco Urrea
Mar 2, 2020

Identity-based security

There are two different types of users: humans and machines. Human-related security is straightforward: it covers permitting or restricting access to secrets, managing who holds them, and granting access based on identity.

For machines, HashiCorp covers several scenarios: revoking secrets in the event of a security breach, managing secrets in multi-cloud environments, and dynamic secrets that satisfy several constraints at once.

Challenges with Multi-Cloud secrets management

Nowadays, dynamic cloud infrastructure means an application’s network infrastructure is spread across multiple clouds. With this comes the concept of “Zero Trust”, which, according to Palo Alto Networks, “is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture.” Under this model, applications that perform sensitive operations or fetch secrets must always be explicitly authenticated and authorized.

Static to Dynamic infrastructure at the secrets management layer

Secrets sprawl is an issue that some organizations struggle with, and the cloud is a great solution to mitigate it.

A few examples of what secrets sprawl looks like (taken directly from the whitepaper):

· Hardcoded hostnames or firewall rules used for application identity

· Plain-text usernames/passwords embedded in scripts, configuration files, and source code

· Highly privileged cloud provider API keys in source code

· Certificates and encryption keys stored on the filesystem unencrypted

· Staff can be hesitant to change access because they are not sure what will break

· Limited audit logging on who is doing what and where

These issues can be mitigated by using a secrets management solution.

In my opinion, by using a secrets management solution, besides solving the secrets sprawl issue, all sensitive data is organized, secured and easily maintainable in a centralized structure.

HashiCorp Vault: Multi-Cloud Secrets Management Simplified

HashiCorp’s Vault allows teams to securely store and tightly control access tokens, passwords, certificates and encryption keys for protecting machines, applications and sensitive data. HashiCorp Vault can run on-premises or in the cloud as a single system.

Vault exposes cryptographic operations to secure sensitive data without ever exposing the underlying encryption keys. It can also generate certificates to secure communications with SSL/TLS, and it brokers identities with Active Directory, AWS IAM, and LDAP.

From traditional secrets management to modern service networking with Vault

Adopting Vault often consists of three steps: Adoption, Operationalizing and Scaling.

Adoption: Consists of eliminating secrets sprawl by centralizing secrets in one location with proper access controls for development and operations. Set up Vault policies to determine how applications and users can authenticate. Vault integrates with trusted identity providers such as AWS, Azure, Google Cloud, Alibaba Cloud, Kubernetes, Active Directory, Okta and other SAML-based systems for authentication. Vault uses a system of record, together with the authentication of these identities, to manage and enforce access to secrets and systems.

Operationalizing: After secrets and access have been centralized within Vault, it is time for their consumption. Consumption can be managed through Terraform or Kubernetes, for example by injecting secrets into the file system or into environment variables.

Using an orchestration platform like Kubernetes allows secrets to be consumed in a safe way.

Scaling: By using dynamic secrets in Vault, without human intervention, Vault automatically ensures that secrets become invalid when a user leaves the company or a container is moved to a different host. With dynamic secrets, attacks can be mitigated by using single-use secrets or a short TTL. One advantage of Vault is that it is API-driven, which allows end-to-end protection and communication between different environments. Another key advantage of HashiCorp Vault is that it helps reduce the cost of Hardware Security Modules while increasing productivity across security workflows and cryptographic standards throughout an organization.
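The three steps above, expressed as Terraform code for Vault. This is an added example, not code from the whitepaper or the article; the service account, namespace, database host, role names and variable name are constructed placeholders.

```hcl
# Added example (not the whitepaper's or the article's); hostnames, namespaces and names are constructed.
variable "db_password" { sensitive = true } # Vault's own DB login; pass it in, never inline it
# Adoption: least-privilege policy. The app may read only its own two paths.
resource "vault_policy" "app" {
  name   = "app-read"
  policy = <<-EOT
    path "database/creds/app" { capabilities = ["read"] }
    path "secret/data/app/*"  { capabilities = ["read"] }
  EOT
}
# Operationalizing: broker identity from Kubernetes. Only service account "app"
# in namespace "prod" can log in, and it receives a 1h token bound to the policy.
resource "vault_auth_backend" "kubernetes" { type = "kubernetes" }
resource "vault_kubernetes_auth_backend_config" "k8s" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443"
}
resource "vault_kubernetes_auth_backend_role" "app" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "app"
  bound_service_account_names      = ["app"]
  bound_service_account_namespaces = ["prod"]
  token_policies                   = [vault_policy.app.name]
  token_ttl                        = 3600
}
# Scaling: dynamic secrets. Every read of database/creds/app creates a fresh Postgres
# role that Vault revokes when the lease expires, so no human step is needed.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app"]
  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.internal.example:5432/app"
    username       = "vault"
    password       = var.db_password
  }
}
resource "vault_database_secret_backend_role" "app" {
  backend             = vault_mount.db.path
  name                = "app"
  db_name             = vault_database_secret_backend_connection.postgres.name
  default_ttl         = 3600  # 1h lease by default
  max_ttl             = 86400 # renewals can never extend a lease past 24h
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
  ]
}
```

A pod running as the `app` service account logs in through `auth/kubernetes/login` with its service-account token and then reads `database/creds/app`; Vault returns a username and password that expire on their own, which is the single-use or short-TTL mitigation described above.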

Personal Opinion

The key features I see in Vault are, besides its being API-driven, the fact that it supports multiple cloud providers as well as on-premises deployments. It considers human and machine users. Because of its centralized architecture, it keeps all sensitive credentials such as usernames, passwords and certificates, among others, in a single place, which is a well-organized and maintainable solution. Its main purpose is avoiding secrets sprawl, which can cause a big headache to organizations and teams across a company. Another key feature of Vault is that it can be used in conjunction with other technologies such as Terraform and Kubernetes.

From my personal experience, in my first days as a programmer I had to deal with secrets sprawl; if I had known about HashiCorp Vault before, I would have saved a lot of time updating applications and their encrypted credentials.

Finally, if you liked the article, please hit the follow button and leave lots of claps!


Marco Urrea

DevOps engineer at DigitalOnUs with a background in cloud computing, automation, and data integration. I’m also a fitness nerd into comic books, and traveling.