Vault Enterprise:
Secrets Management at Scale

Release Date: 11/01/2021

Author: John Jarvis

Introduction

HashiCorp’s Vault is a highly flexible secrets management system. Whether you’re a team looking for a secure, hassle-free key-value store for your application’s secrets, or an organisation in need of encryption-as-a-service to meet data-at-rest requirements, Vault is the answer. As your team grows, or adoption spreads to other parts of your organisation, the common workflow underpinning all of HashiCorp’s products means that you can spend more time providing value for your customers, and less time building the kit to do it.

The Limits of OSS

We’ve discussed the limitations of OSS before. While there’s no fee for licensing the open source software (OSS) version of any of HashiCorp’s products, there are hidden costs to running them effectively. Vault, in particular, hits a hard limit on servicing requests: while you can set up a highly available (HA) Vault cluster, every request to it, simple reads included, is always relayed to the active node, which will eventually cease to be performant as clients are added to the environment.

Similarly, while that OSS Vault cluster’s ability to service requests is HA, with standby nodes ready to take over should the active one go down, the backend storage is not: if something happens to that, all your nodes will be affected. For redundancy in this area, and for many other reasons I’ll now outline, you need Vault Enterprise.

Vault Enterprise: Key Benefits

  • Disaster Recovery (DR): also known simply as Replication, gives you the redundancy you need, even in the face of catastrophic cluster failure. It’s designed to be a clean solution, often simpler and quicker than attempting to recover from snapshots or building the backend back to quorum. (If you’d like to learn more about DR, sign up for Somerford’s free hands-on workshop, Disaster Recovery with Vault.)
  • Read Replicas (RR): also known as Performance Replication, allow you to scale your Vault deployment. With this, a ‘local’ Vault cluster in each of your data centres services adjacent clients, only relaying the (likely much less frequent) write requests to the primary. This is enterprise-level performance, and resiliency when combined with DR.
  • Replication Filters: also known as mount filters, facilitate data sovereignty requirements through fine-grained allow and deny policies controlling which data is replicated.
  • Namespaces: while the performance of your Vault deployment can scale with RR, namespaces are key to scaling the administration of your deployment. Namespaces give you centralised control and standardisation of a multi-tenancy deployment. For the teams using Vault it is the perfect combination of security and flexibility, allowing teams to do their day-to-day secrets management, including path filters for sensitive data, without sacrificing central observability or compliance goals.
  • Sentinel: also known as Policy as Code, is a key aspect of the aforementioned centralised control, and, like much of Vault Enterprise, comes as an add-on module that customers can pick and choose from in a manner that best suits their needs. (Please see Vault’s features matrix for more information.)
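To make the Policy as Code point concrete, here is an added example of a Sentinel endpoint-governing policy (EGP) of the kind Vault Enterprise evaluates on every request. It is not code from the original post or from HashiCorp; the protected path prefix `secret/prod/` and the working-hours window are assumptions chosen for the illustration. The policy leaves ordinary reads and writes alone and only blocks delete operations on the assumed production subtree outside the window, which is the sort of guard rail a central platform team can enforce without touching each tenant’s ACL policies.

```sentinel
# Added example (not from the original post): Sentinel EGP for Vault Enterprise.
# Assumptions: a KV engine mounted at "secret/", a protected subtree "secret/prod/",
# and the policy registered with enforcement_level "hard-mandatory".
import "time"
import "strings"

# Does this request delete something under the protected subtree?
# request.operation and request.path are the standard Vault Sentinel properties.
prod_delete = rule {
    request.operation is "delete" and
    strings.has_prefix(request.path, "secret/prod/")
}

# Weekday 0 is Sunday and 6 is Saturday; hours are on the Vault server's clock.
workdays = rule {
    time.now.weekday > 0 and time.now.weekday < 6
}

workhours = rule {
    time.now.hour > 7 and time.now.hour < 18
}

# Non-destructive requests always pass; deletes under secret/prod/ pass only
# during the change window. A failing hard-mandatory rule denies the request.
main = rule {
    not prod_delete or (workdays and workhours)
}
```

Assuming the policy is saved as `prod-delete-window.sentinel`, it would be registered with `vault write sys/policies/egp/prod-delete-window policy=@prod-delete-window.sentinel paths="secret/prod/*" enforcement_level="hard-mandatory"`; the `paths` argument scopes which endpoints the policy is evaluated against, and a `soft-mandatory` level instead lets a privileged operator override a denial when needed.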

Finally, service level agreements (SLAs) to meet all business requirements, including SEV-1 URGENT 24/7 coverage, are available with all HashiCorp Enterprise products. Whether you’re looking to preserve recovery objectives (i.e., RPO/RTO) and/or sign follow-on minimum business requirements with clients of your Vault service, HashiCorp and Somerford have you covered.

Conclusion

Whether you are gathering requirements around secrets management, just getting started with Vault OSS, or reaching the practical limits of your current secrets management solution, it’s worth having a chat with us. Somerford Associates are one of the few Certified HashiCorp Implementation Partners (CHIP) in the UK, and are happy to answer any questions you may have, or simply to serve as a sounding board.

Stay tuned for our next HashiCorp-related blog post, where we’ll continue to look at the Enterprise editions of their HashiStack products.


All views expressed on this blog are the author’s own and do not represent the opinions of any entity whatsoever with which the author has been, is now or will be affiliated, including the organisation whose website the blog is hosted on, or any partner of this organisation.
