Vault Takes a Novel Approach to Key and Secret Management by Dynamically Rotating Access Credentials
HashiCorp, a leader in the DevOps marketplace, today released Vault, a unified solution for secure key and secret management complete with in-transit encryption, key rolling, key revocation, and detailed audit logs. This is HashiCorp’s sixth open source project along with Vagrant, Packer, Serf, Consul, and Terraform. Collectively these projects have millions of downloads, and users from AOL, Disqus, Twitch, Akamai, Expedia, Mozilla, and others.
Vault is designed for modern enterprise organizations — organizations that build applications for the distributed, dynamic infrastructure era and view application security as a top priority. Vault can be implemented in existing infrastructures and applications to securely manage and organize the increasing number of services and corresponding credentials. Vault is an essential piece of the HashiCorp application delivery and lifecycle management suite, as it securely manages secrets and tokens used by Packer, Terraform, Consul, and the commercial product Atlas to create, configure, and orchestrate applications for the modern datacenter.
Responsible secret management is one of the most difficult unsolved or unaddressed problems in modern datacenter automation and microservice architectures. It is a necessary component that enables services to communicate securely without hardcoded or insecurely stored credentials. Secret management is increasingly important as enterprises adopt distributed source code management and move towards microservices and container architectures. These trends increase the number of secrets required to connect services and expand the attack surface, both in terms of potential infiltration points and internal damage in the event of a compromise. Existing solutions in the secret management space, such as hardware security modules (HSMs), are impossible to deploy in the cloud or prohibitively expensive for anyone but the largest companies.
“Groupon is a multibillion dollar commerce company and in order to protect our customers and merchants from all kinds of threats, we take security seriously,” said Sean Chittenden, Operations Architect at Groupon. “Operationally, Vault promises to significantly simplify and enhance the security against internal threats and other service lifecycle management challenges. Based on our diligence and initial testing, HashiCorp has released another solid product that the industry can benefit from.”
In addition to cloud-ready deployments, Vault brings unique features to secret management — Vault dynamically generates secrets as they are requested, leases them for a period of time, and then can automatically renew access with a new key. Secrets generated by Vault can be thought of as one-time use passwords that can only be used between specific services. This is unprecedented functionality that holds several benefits and demonstrates how Vault is built for modern, distributed architectures:
- Reduce the period of time an attacker has to infiltrate the infrastructure in the event of a security breach. The attacker only has a short window of opportunity before the secret gets re-generated and access is revoked.
- Limit the internal surface area of a breach to a single application instance. Each secret grants specific, limited communication permissions. If a secret is compromised, it only provides access to a single service and not the entire infrastructure.
- Generate an audit trail of service communication. Each time a secret is generated, an audit log entry is created which can be used to determine the specific compromised resource in the datacenter. For example, if an application that does not have access to a database attempts to make a connection, it is clear that there has been a compromise.
- Simplify security for large operations and infrastructures. Vault lowers the barrier to entry for organizations to use responsible secret management to secure their distributed infrastructure. Administrators have visibility into how services are connecting in the datacenter, and can quickly revoke access credentials in the event of a breach.
“HashiCorp’s Vault is one giant leap forward for practical security in a cloud environment,” said Rob Witoff, Director at Coinbase. “The Shamir implementation is one of the best innovations we’ve seen for practical cloud security.”
“Cisco is committed to helping organizations protect their intellectual property in an increasingly connected world. HashiCorp’s Vault is a gigantic leap forward for secret management in distributed service architectures,” said Keith Chambers, Technical Leader at Cisco Cloud Services. “Cisco is pleased to announce that Vault is used in our open source microservice-infrastructure community project to secure both the infrastructure and the containerized applications it hosts.”
Vault stays true to the Tao of HashiCorp. It is a user-friendly product that solves a specific problem with excellence, and further shows HashiCorp’s commitment to elegantly solving the hardest problems in distributed systems and datacenter automation.
“I’m incredibly proud of Vault and the team behind it,” said Mitchell Hashimoto, Co-Founder and CEO of HashiCorp. “HashiCorp continues to push the boundary for operational excellence in many categories, now including security.”
Availability
Vault is free and open source, and available to download today at HERE
About HashiCorp
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.