Top 5 Reasons to Choose HashiCorp Vault
Author: John Jarvis
Release Date: 12/12/2024
What is HashiCorp Vault?
HashiCorp’s Vault (just Vault hereafter) is so versatile that it makes it tough to write a post like this. It’s the Swiss Army knife of the security world, I think it’s fair to say, and so this post is going to stay at a fairly high level, showing the broad aims behind it. Never forget that it was an internal tool first: necessity is the mother of invention, as they say, and it was only later that HashiCorp realised that their internal problems were a small part of wider patterns in the world that needed addressing.
That said, however, let’s be clear, up front, that Vault isn’t for everyone. There are use cases that are better suited to other products (did you know that Somerford is also a partner with Delinea?). But if you see your organisation reflected in any of what’s to follow, or just want to have a chat more generally about zero-trust security, privileged access management, or anything related to your technical challenges, please don’t hesitate to reach out!
And so, without further ado, let’s talk details about Vault:
#1: Securing Automation
Vault is very happy to authorise flesh-and-blood people — in fact, spoiler alert: we’ll come back to that in the last reason — but where it inarguably shines is in the automation space, working at a speed and scale we’ve maybe started to take for granted, in this cloud services era. And you could be forgiven for thinking I’m about to wax lyrical about Terraform. And while, unsurprisingly, it does have first-class integration with that Infrastructure-as-Code (IaC) product, that’s just one of many. Being an API-first tool, Vault can talk to anything; and with Vault Agent, it can also seamlessly integrate with existing legacy workflows that just need to keep working.
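To make the Vault Agent point concrete, here is an added example (written for this post, not HashiCorp’s own sample and not code from the original article) of an Agent configuration that authenticates with AppRole on behalf of a legacy application and renders a short-lived database credential into the plain config file that application already reads. The Vault address, file paths, the `legacy-app` name and the `database/creds/legacy-app` secret path are all assumptions.

```hcl
# Added example: Vault Agent config for a legacy app that only knows how to
# read a plain config file. All paths and names here are assumed.
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

# Auto-auth: the Agent logs in with AppRole on the app's behalf and keeps the
# resulting token renewed, so the application never handles Vault credentials.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Delete the secret_id file once read so it cannot be reused from disk.
      remove_secret_id_file_after_reading = true
    }
  }

  # Optional: expose the token to other local tooling. Keep the permissions
  # tight, and drop this sink entirely if nothing else needs the token.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

# Template: render a dynamic database credential into the app's config file
# and reload the app whenever Vault rotates it. The application is unchanged.
template {
  contents = <<-EOT
    [database]
    host     = db.example.internal
    {{ with secret "database/creds/legacy-app" -}}
    username = {{ .Data.username }}
    password = {{ .Data.password }}
    {{- end }}
  EOT
  destination = "/etc/legacy-app/db.ini"
  perms       = "0640"
  exec {
    command = ["systemctl", "reload", "legacy-app"]
  }
}
```

The design choice worth noting is that nothing in the legacy application changes: it keeps reading `/etc/legacy-app/db.ini`, while the credential in that file is now short-lived, rotated by Vault, and scoped to that one workload. Running the Agent as a dedicated system user, so that only the app can read the rendered file, is the control that makes the `perms` value meaningful.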
#2: Centralised Secrets Management
Lots of vendors claim to offer centralised secrets management, but few cover the scope that Vault does, both in terms of how a modern organisation does business, and what needs to remain secret today. And this is where that Swiss Army knife analogy really takes form: the same product can be a centralised cryptographic key management solution for one organisation, a centralised API key management solution for another, and an enterprise-grade Certificate Authority (CA) in a multinational Public Key Infrastructure (PKI) for a third. The same product! Vault! And in each of those cases, it demonstrably improves the associated workflow, and therefore the business writ large; but, coming back to the core of this reason, it provides all the benefits of that one-stop-shop — organisation-wide visibility and control, uniform authorisations across all lines and types of that organisation’s business, concrete assurances for regulators, etc. — while still working at ‘cloud speed’: this is provable security that works with the business, not holding it up.
#3: Structured Delegation
Hand-in-hand with the notions above is the need for delegation. The security team, the Vault team, the DevOps team — however your organisation divides the responsibilities we’re talking about — will be overwhelmed at some stage: we see it again and again. Vault is so good that everyone wants to get on board, and, before you know it, it’s in the business-critical path. But Vault can help you deal with that demand: with a feature called namespaces, the team that manages Vault can decide, in a very deliberate manner, what they’re happy for their Vault ‘clients’ to manage, and what needs to stay with the main team, for the reasons outlined a moment ago.
Think of namespaces as Vaults within Vault, where teams with very different needs and workflows can manage their secrets as they see fit; within reason. So there’s still that corporate governance over what sort of integrations and secrets can be instantiated and managed, let’s say, while giving those individual teams the ability to structure the workflows and secrets themselves as they see fit. To take this point slightly further, maybe teams can set the time-to-live on their secrets based on tailored threat assessments and other information, but it can never be set beyond a certain amount of time (e.g., no one can issue a certificate that’s valid for more than 90 days).
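Here is an added example (mine, not from the post and not HashiCorp’s own) of how the central Vault team might set exactly that kind of boundary using Terraform and the Vault provider, applied from the root namespace: a namespace for one team, a PKI mount whose maximum lease TTL is the 90-day ceiling, and a policy that lets the team manage its own roles and issue certificates inside that namespace without being able to retune the mount. Namespaces are a Vault Enterprise (and HCP Vault Dedicated) feature; the `payments` name, the domain and the TTL values are assumptions, and setting up the CA certificate itself is left out.

```hcl
# Added example (not from the post): central Vault team configuration, applied
# from the root namespace. Names, domains and TTLs are assumptions.

# 1. A "Vault within Vault" for one team.
resource "vault_namespace" "payments" {
  path = "payments"
}

# 2. The PKI mount lives in the team's namespace, but its max lease TTL is set
#    here, by the central team: 90 days is the ceiling for anything issued from
#    this mount, whatever a role below asks for.
resource "vault_mount" "payments_pki" {
  namespace                 = vault_namespace.payments.path_fq
  path                      = "pki"
  type                      = "pki"
  max_lease_ttl_seconds     = 7776000 # 90 days
  default_lease_ttl_seconds = 604800  # 7 days
}

# 3. A starter role the team can tune, or replace, for its own workloads.
resource "vault_pki_secret_backend_role" "app_certs" {
  namespace        = vault_namespace.payments.path_fq
  backend          = vault_mount.payments_pki.path
  name             = "app-certs"
  allowed_domains  = ["payments.example.internal"]
  allow_subdomains = true
  ttl              = "604800"  # 7-day default for a certificate
  max_ttl          = "2592000" # 30 days; the team may raise this, never past the mount's 90-day cap
}

# 4. What the team may do inside its namespace. Vault is deny-by-default, so
#    anything not listed here (tuning the mount under sys/mounts, other
#    namespaces, the root namespace) stays out of reach.
resource "vault_policy" "payments_pki_admin" {
  namespace = vault_namespace.payments.path_fq
  name      = "pki-admin"
  policy    = <<-EOT
    # Manage roles: pick domains, key types and TTLs for their own services
    path "pki/roles/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    # Issue and revoke certificates through those roles
    path "pki/issue/*" {
      capabilities = ["create", "update"]
    }
    path "pki/revoke" {
      capabilities = ["create", "update"]
    }
    # Read-only view of issued certificates for the team's own audits
    path "pki/certs" {
      capabilities = ["list"]
    }
    path "pki/cert/*" {
      capabilities = ["read"]
    }
  EOT
}
```

The split of responsibilities is the point: the namespace, the mount and its TTL ceiling are created from the root namespace and never appear in the team’s policy, so the team can be as flexible as it likes with roles and certificate lifetimes below that line, while a request for a longer-lived certificate is something the mount, not a person, refuses.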
Aside: while we’re on the topic of that organisation-wide view, and managing risks at that scale, I’d be remiss if I didn’t mention another HashiCorp product that just became publicly available at HashiConf: Vault Radar. In a nutshell, it allows you to not only scan your complete estate for unmanaged secrets, but to also delegate the remediation of its findings to the teams that know the most about them; it’s very much an end-to-end solution, and works from the (correct) assumption that this sort of work is never finished, as it were.
#4: First-class Cloud Provider Integration
I seriously debated — with myself, yes, but that still counts! — talking about certificate management at this point — anyone who’s had to manage hundreds of certificates being issued, expiring, being revoked, all throughout any given year will understand my motivation — or even Vault’s first-class integration with Kubernetes, but eventually settled on its multifaceted integration with the major cloud providers as a game-changer for many organisations.
Whatever the nature of your continuous integration / continuous deployment (CI/CD) pipeline solution, Vault can secure it, and access to the associated cloud environment, in a uniform and timely manner. And you can even continue to persist those secrets in your cloud provider — in, say, their key management solution — with a Vault feature called Secrets Sync, allowing that centralised secrets management without altering existing core workflows in any way.
#5: The People Bit
I know I said that HashiCorp Vault shines in the automation space, but that isn’t the end of the story: HashiCorp have always been concerned about authenticating and authorising your actual workforce too, as Vault-supported signed SSH keys, as one example, can attest to. But that isn’t the only thing they’ve been working on.
And this is where I get a bit cheeky: this is a Vault post, of course, but I’m now going to briefly talk about another HashiCorp product that works with it hand-in-glove to address this very problem: HashiCorp Boundary. With these two products, HashiCorp now has a solution that can compete with the best-in-breed of privileged access management (PAM) solutions. I’ll end this there, while teasing a recent demonstration of what’s called Boundary Transparent Sessions. If you are responsible for providing secure access for people to things, and V, P, and N are letters you never like seeing together, this presentation is for you!