Secrets Management at Scale
Release Date: 11/01/2021
Author: John Jarvis
HashiCorp’s Vault is a highly flexible secrets management system. Whether you are a team looking for a secure, hassle-free key-value store for your application’s secrets, or an organisation that needs encryption as a service to meet data-at-rest requirements, Vault is the answer; and as your team grows, or adoption spreads to other parts of your organisation, the common workflow underpinning all of HashiCorp’s products means that you can spend more time providing value for your customers and less time building the kit to do it.
The Limits of OSS
We’ve discussed the limitations of OSS before. While there is no licence fee for the open source software (OSS) version of any of HashiCorp’s products, there are hidden costs to running them effectively. Vault, in particular, hits a hard limit on servicing requests: you can set up a highly available (HA) Vault cluster, but in OSS the standby nodes do not serve traffic themselves. Every request, simple reads included, is forwarded (or redirected) to the single active node, so that node becomes the throughput ceiling as clients are added to the environment. (The Enterprise performance standby nodes, which answer reads locally, are what lifts this limit within a single cluster.)
Similarly, while an OSS cluster’s ability to service requests is HA, with standby nodes ready to take over should the active one go down, the data behind it is confined to that one cluster. With Integrated Storage (Raft) it is replicated between the cluster’s own nodes, but if the storage backend is corrupted, or enough nodes are lost that Raft no longer has quorum, every node is affected and there is no second cluster to fail over to. For redundancy at that level, and for many other reasons I’ll now outline, you need Vault Enterprise.
Vault Enterprise: Key Benefits
- Disaster Recovery (DR) replication: one of the two replication modes in Vault Enterprise. A DR secondary is a warm-standby cluster that mirrors the primary, tokens and leases included, but serves no client traffic until it is promoted, so it gives you the redundancy you need even in the face of catastrophic cluster failure. Promotion is a clean solution, and is often simpler and quicker than attempting to recover from snapshots or rebuilding the storage backend to quorum. (If you’d like to learn more about DR, sign up for Somerford’s free hands-on workshop, Disaster Recovery with Vault.)
- Performance replication (the other mode, sometimes described as read replicas): allows you to scale your Vault deployment out. A performance secondary in each of your data centres services its adjacent clients locally and forwards only write requests, which are typically far less frequent, to the primary. Note that tokens and leases are not replicated to performance secondaries, so clients authenticate against the cluster they actually use. This is enterprise-level performance, and, combined with DR, resiliency.
- Paths filters (originally called mount filters): allow or deny lists, set per performance secondary, that stop selected mounts or whole namespaces from being replicated to it. This is how data sovereignty requirements are met: a secondary in another jurisdiction simply never receives the filtered data. DR secondaries cannot be filtered; they mirror everything.
- Namespaces: while performance replication scales the throughput of your Vault deployment, namespaces are key to scaling its administration. Each namespace is an isolated tenant with its own mounts, auth methods, policies and child namespaces, giving you centralised control and standardisation of a multi-tenancy deployment. For the teams using Vault it is the right combination of security and flexibility: they do their day-to-day secrets management inside their namespace, and because paths filters can target a namespace, a tenant’s sensitive data can be kept off the clusters that must not hold it, all without sacrificing central observability (an audit device enabled in the root namespace records requests from every namespace) or compliance goals.
- Sentinel, HashiCorp’s policy-as-code framework, is a key aspect of the aforementioned centralised control: endpoint-governing policies (EGPs) attach to request paths and role-governing policies (RGPs) to tokens and identities, each enforced at advisory, soft-mandatory or hard-mandatory level, so controls such as a source-CIDR or MFA requirement are written once and applied across the deployment. Like much of Vault Enterprise, it comes as an add-on module that customers can pick and choose from in the manner that best suits their needs. (Please see Vault’s features matrix for more information.)
- Other modules include:
- Hardware security module (HSM) integration: auto-unseal through a PKCS#11 seal, plus seal wrapping of the most sensitive stored values under the HSM-held key. (Vault OSS can auto-unseal with a cloud KMS; an on-premises HSM seal is an Enterprise feature.)
- Tokenization, with the Transform secrets engine, for PCI DSS compliance, etc.
- Format-preserving encryption (FPE), again with the Transform secrets engine, for HIPAA compliance, database schema requirements (the ciphertext keeps the length and character set of the plaintext, so existing columns need not change), etc.
- The Key Management Interoperability Protocol (KMIP) secrets engine, which lets Vault act as a KMIP server so that KMIP-aware services and applications (database transparent data encryption, for example) can have their keys managed, and cryptographic operations performed, without handling the associated key material themselves.
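The CLI sequence behind the DR, performance replication, paths filter, namespace and Sentinel bullets above, as an added example that is not from the original post and not HashiCorp's own tooling. The cluster hostnames, the secondary IDs dr-london and eu-frankfurt, the uk-payroll/ mount, the finance namespace, the policy name office-cidr and the 10.20.0.0/16 range are placeholders chosen for this example, and the Sentinel policy is constructed for it; replace them for your environment.

```shell
#!/bin/sh
# Added example: the Vault Enterprise CLI calls behind DR replication,
# performance replication with a paths filter, namespaces and a Sentinel EGP.
# Hostnames, secondary IDs, mount, namespace and policy names are placeholders.
# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# plan can be reviewed before it is run against a real primary.
set -eu

: "${DRY_RUN:=1}"
: "${PRIMARY_ADDR:=https://vault-primary.example.internal:8200}"  # active primary
: "${DR_ADDR:=https://vault-dr.example.internal:8200}"            # DR secondary
: "${PERF_ADDR:=https://vault-eu.example.internal:8200}"          # performance secondary

# Run a vault CLI command against one cluster, or print it in dry-run mode.
vault_at() {
  addr=$1; shift
  if [ "$DRY_RUN" = 1 ]; then
    printf 'VAULT_ADDR=%s vault %s\n' "$addr" "$*"
  else
    VAULT_ADDR=$addr vault "$@"
  fi
}

# Ask the primary for a one-time, response-wrapped secondary token. It is
# consumed when the secondary activates, so it is fetched right before use.
# Result is left in SECONDARY_TOKEN (a placeholder value in dry-run mode).
secondary_token() {   # $1 = dr | performance, $2 = secondary id
  if [ "$DRY_RUN" = 1 ]; then
    vault_at "$PRIMARY_ADDR" write -field=wrapping_token \
      "sys/replication/$1/primary/secondary-token" "id=$2"
    SECONDARY_TOKEN="WRAPPING_TOKEN_FOR_$2"
  else
    SECONDARY_TOKEN=$(vault_at "$PRIMARY_ADDR" write -field=wrapping_token \
      "sys/replication/$1/primary/secondary-token" "id=$2")
  fi
}

# Disaster Recovery: the DR secondary mirrors everything, tokens and leases
# included, but answers no client requests until it is promoted.
enable_dr() {
  vault_at "$PRIMARY_ADDR" write -f sys/replication/dr/primary/enable
  secondary_token dr dr-london
  vault_at "$DR_ADDR" write sys/replication/dr/secondary/enable "token=$SECONDARY_TOKEN"
}

# Performance replication: the secondary serves reads for nearby clients and
# forwards writes to the primary. Tokens and leases are not replicated, so
# clients authenticate against the secondary they use. The paths filter is
# applied before activation so the denied mount never reaches that secondary.
enable_performance() {
  vault_at "$PRIMARY_ADDR" write -f sys/replication/performance/primary/enable
  vault_at "$PRIMARY_ADDR" write sys/replication/performance/primary/paths-filter/eu-frankfurt \
    mode=deny "paths=uk-payroll/"
  secondary_token performance eu-frankfurt
  vault_at "$PERF_ADDR" write sys/replication/performance/secondary/enable "token=$SECONDARY_TOKEN"
}

# Namespaces: each tenant gets its own root for mounts, auth methods and policies.
create_namespace() {
  vault_at "$PRIMARY_ADDR" namespace create "$1"
}

# Constructed Sentinel endpoint-governing policy: only allow requests that
# arrive from the corporate range. hard-mandatory means it cannot be overridden.
SENTINEL_CIDR_POLICY='import "sockaddr"

cidrcheck = rule {
  sockaddr.is_contained(request.connection.remote_addr, "10.20.0.0/16")
}

main = rule { cidrcheck }'

register_egp() {
  vault_at "$PRIMARY_ADDR" write "sys/policies/egp/$1" \
    "policy=$SENTINEL_CIDR_POLICY" paths='*' enforcement_level=hard-mandatory
}

main() {
  enable_dr
  enable_performance
  create_namespace finance
  register_egp office-cidr
}

main
```

With DRY_RUN=0 the same functions run for real. Two things to keep in mind before doing that: the script assumes the VAULT_TOKEN in the environment is valid on whichever cluster a call targets, whereas in practice the secondary's enable call is made with that cluster's own token; and activating a cluster as a secondary deletes whatever data it already holds, which is exactly why the plan is printed first.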
Finally, service level agreements (SLAs) to meet all business requirements, including SEV-1 URGENT 24/7 coverage, are available with all HashiCorp Enterprise products. Whether you need to preserve recovery objectives (RPO/RTO) or to commit to minimum service levels for the internal clients of your own Vault service, HashiCorp and Somerford have you covered.
Whether you are requirements gathering around secrets management, just getting started with Vault OSS, or reaching the practical limits of your current secrets management solution, it’s worth having a chat with us. Somerford Associates are one of the few Certified HashiCorp Implementation Partners (CHIP) in the UK, and are happy to answer any questions you may have, or to simply serve as a sounding board.
Stay tuned for our next HashiCorp related blog post, where we’ll continue to look at the Enterprise editions of their HashiStack products.
All views expressed on this blog are the author’s own and do not represent the opinions of any entity whatsoever with which the author has been, is now or will be affiliated, including the organisation whose website hosts the blog, or any partner of that organisation.