John Jarvis Somerford Associates

Top 5 Reasons to Choose HashiCorp Vault

Author: John Jarvis
Release Date: 12/12/2024

What is HashiCorp Vault?

HashiCorp’s Vault (just Vault hereafter) is so versatile that it makes it tough to write a post like this. It’s the swiss army knife of the security world, I think it’s fair to say; and therefore, this post is going to stay at a fairly high level, showing the broad aims behind it — because it was an internal tool first, never forget: necessity is the mother of invention, as they say, and it was only later that HashiCorp realised that their internal problems were a small part of wider patterns in the world that needed addressing.

That said, however, let’s be clear, up front, that Vault isn’t for everyone. There are use cases that are better suited to other products (did you know that Somerford is also a partner with Delinea?). But if you see your organisation reflected in any of what’s to follow, or just want to have a chat more generally about zero-trust security, privileged access management, or anything related to your technical challenges, please don’t hesitate to reach out!

And so, without further ado, let’s talk details about Vault:

#1: Securing Automation

Vault is very happy to authorise flesh-and-blood people — in fact, spoiler alert: we’ll come back to that in the last reason — but where it inarguably shines is in the automation space, working at a speed and scale we’ve maybe started to take for granted, in this cloud services era. And you could be forgiven for thinking I’m about to wax lyrical about Terraform. And while, unsurprisingly, it does have first-class integration with that Infrastructure-as-Code (IaC) product, that’s just one of many. Being an API-first tool, Vault can talk to anything; and with Vault Agent, it can also seamlessly integrate with existing legacy workflows that just need to keep working.

#2: Centralised Secrets Management

Lots of vendors claim to offer centralised secrets management, but few cover the scope that Vault does, both in terms of how a modern organisation does business, and what needs to remain secret today. And this is where that swiss army knife analogy really takes form: the same product can be a centralised cryptographic key management solution for one organisation, a centralised API key management solution for another, and an enterprise-grade Certificate Authority (CA) in a multinational Public Key Infrastructure (PKI) for a third. The same product! Vault! And in each of those cases, it demonstrably improves the associated workflow, and therefore the business writ large; but, coming back to the core of this reason, it provides all the benefits of that one-stop-shop — organisation-wide visibility and control, uniform authorisations across all lines and types of that organisation’s business, concrete assurances for regulators, etc. — while still working at ‘cloud speed’: this is provable security that works with the business; not holding it up.

#3: Structured Delegation

Hand-in-hand with the notions above is the need for delegation. The security team, the Vault team, the DevOps team — however your organisation divides the responsibilities we’re talking about — will be overwhelmed at some stage: we see it again and again. Vault is so good, that everyone wants to get onboard, and, before you know it, it’s in the business critical path. But Vault can help you deal with that demand: with a feature called namespaces, the team that manages Vault can decide, in a very deliberate manner, what they’re happy for their Vault ‘clients’ to manage, and what needs to stay with the main team, for reasons outlined a moment ago.

Think of namespaces as Vaults within Vault, where teams with very different needs and workflows can manage their secrets as they see fit; within reason. So there’s still corporate governance over what sort of integrations and secrets can be instantiated and managed, let’s say, while giving those individual teams the ability to structure the workflows and secrets themselves as they see fit. To take this point slightly further, maybe teams can set the time-to-live on their secrets based on tailored threat assessments and other information, but they can never be set beyond a certain amount of time (e.g., no one can issue a certificate that’s valid for more than 90 days).
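The delegation pattern above, as an added Terraform example using the HashiCorp Vault provider (constructed for this post; it is not Somerford's or HashiCorp's code, and the namespace, mount, role and domain names are assumptions): the platform team fixes a 90-day ceiling on the team's PKI mount, while the team sets its own shorter TTL and manages its own roles but cannot retune the mount. Namespaces require Vault Enterprise or HCP Vault Dedicated.

```hcl
# Constructed example (not from the post): the platform team owns the
# namespace and the hard ceiling; the delegated team owns its roles.
# Names (team-a, pki, web-servers, example.internal) are assumptions.

# A "Vault within Vault" for one delegated team.
resource "vault_namespace" "team_a" {
  path = "team-a"
}

# The PKI mount lives in the team's namespace, but the platform team
# sets its max lease TTL: 90 days (7776000 s). Vault will not issue a
# certificate from this mount for longer, whatever a role asks for.
resource "vault_mount" "team_a_pki" {
  namespace             = vault_namespace.team_a.path
  path                  = "pki"
  type                  = "pki"
  max_lease_ttl_seconds = 7776000
}

# The team picks its own, shorter TTL from its threat assessment
# (30 days here); it may change it later, but never past the mount ceiling.
resource "vault_pki_secret_backend_role" "web_servers" {
  namespace        = vault_namespace.team_a.path
  backend          = vault_mount.team_a_pki.path
  name             = "web-servers"
  allowed_domains  = ["example.internal"]
  allow_subdomains = true
  ttl              = 2592000
  max_ttl          = 2592000
}

# What the delegated team may touch inside its namespace: its roles and
# issuance, but not the mount's tuning, which is where the ceiling lives.
resource "vault_policy" "team_a_pki_admin" {
  namespace = vault_namespace.team_a.path
  name      = "pki-admin"
  policy    = <<-EOT
    path "pki/roles/*" { capabilities = ["create", "read", "update", "delete", "list"] }
    path "pki/issue/*" { capabilities = ["create", "update"] }
    path "sys/mounts/pki/tune" { capabilities = ["deny"] }
  EOT
}
```

Setting up the CA itself (root or intermediate certificate) is left out; the point is that the 90-day limit is enforced by the mount the team cannot retune, not by trusting the team's role settings.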

Aside: while we’re on the topic of that organisation-wide view, and managing risks at that scale, I’d be remiss if I didn’t mention another HashiCorp product that just became publicly available at HashiConf: Vault Radar. In a nutshell, it allows you to not only scan your complete estate for unmanaged secrets, but to also delegate the remediation of its findings to the teams that know the most about them; it’s very much an end-to-end solution, and works from the (correct) assumption that this sort of work is never finished, as it were.

#4: First-class Cloud Provider Integration

I seriously debated — with myself, yes, but that still counts! — talking about certificate management at this point — anyone who’s had to manage hundreds of certificates being issued, expiring, being revoked, all throughout any given year will understand my motivation — or even Vault’s first-class integration with Kubernetes, but eventually settled on its multifaceted integration with the major cloud providers as a game-changer for many organisations.

Whatever the nature of your continuous integration / continuous deployment / pipeline solution, Vault can secure it, and access to the associated cloud environment, in a uniform and timely manner. And you can even continue to persist those secrets in your cloud provider — in, say, their key management solution — with a Vault feature called Secrets Sync, allowing that centralised secrets management without altering existing core workflows in any way.

#5: The People Bit

I know I said that HashiCorp Vault shines in the automation space, but that isn’t the end of the story: HashiCorp have always been concerned about authenticating and authorising your actual workforce too, as Vault-supported signed SSH keys, as one example, can attest to. But that isn’t the only thing they’ve been working on.

And this is where I get a bit cheeky: this is a Vault post, of course, but I’m now going to briefly talk about another HashiCorp product that works with it hand-in-glove to address this very problem: HashiCorp Boundary. With these two products, HashiCorp now has a solution that can compete with the best-in-breed of privileged access management (PAM) solutions. I’ll end this there, while teasing a recent demonstration of what’s called Boundary Transparent Sessions. If you are responsible for providing secure access for people to things, and V, P, and N are letters you never like seeing together, this presentation is for you!

More Resources like this one:

How to Manage Encryption Keys with HashiCorp Vault: HashiCorp Vault 101 Webinar Tutorial

Discover Somerford's Vault Acceleration Program (VAP) for HashiCorp Vault - Rapid Deployment

Want to Learn More About Vault?

Get in touch and we'd be happy to support you!