Cloud Secrets Management Tool – HashiCorp Vault
In this article we talk about the cloud secrets management tool HashiCorp Vault. As we know, cloud service providers offer numerous built-in features and tools to protect the cloud environment: we have seen tools for monitoring, auditing, access control, authentication, encryption and more in AWS, Azure, GCP and every other top cloud service provider. These features and tools provide a basic line of defense that protects cloud infrastructure against some security threats. Organizations, however, also want a dedicated protection layer for privileged information and sensitive data. This year we have seen an unexpected surge in cyberattacks across all industries, and across industries we have noticed a more focused approach to maintaining a privileged access solution in order to protect their environments.
Maintaining privileges and secrets is the most crucial requirement in Identity and Access Management services. Secrets and passwords are everywhere; in a cloud environment their number is 4x that of an on-premise solution with static secrets. A secret can be any form of digital credential or sensitive information whose exposure could lead to a breach!
What are Secrets?
A secret can be any sensitive information, for example:
- User passwords
- Application, database and other system-to-system passwords
- Auto-generated passwords and encryption keys
- Private encryption keys
- API keys and other application keys/credentials inside containers
- SSH keys
- Authorization tokens
- Private certificates for secure communication, i.e. transmitting and receiving data (TLS, SSL etc.)
- One-time password devices
Why do we need to manage Secrets?
Secrets management is imperative in today's scenario, as secrets are the most affected area and the primary target for any hacker. The threat in the digital environment keeps growing, with well-equipped hackers using self-learning tooling to classify, assess and exploit any vulnerability in the environment.
Whether we use secrets across different cloud services or within a particular cloud-based application, unorganized secrets management procedures pose a serious threat to the security of the entire platform, for example:
- Hard-coded and default credentials
- Managing passwords manually
- Sharing passwords
- Regular rotations
- Weak passwords stored in plain text files
- Credentials hard-coded and embedded in live scripts
Secrets Management Tools
In cloud security the primary focus must be on access control and the circulation of dynamic secrets. Cloud service providers and third-party vendors offer various tools and features for secret key management, but the most flexible and easy-to-use tool trending in the cloud industry these days is HashiCorp Vault. HashiCorp offers two products for cloud security services: Vault and Boundary.
HashiCorp is a software company with a freemium business model. It provides a range of products, up to a fully managed platform, to automate infrastructure on any cloud.
HashiCorp's offering is based on open-source tools and commercial products that enable developers, operators and security experts to secure, run, provision and connect cloud computing; essentially they provide infrastructure as code that is very flexible and mature. The products relevant to cloud security are the secrets management tool HashiCorp Vault and Boundary.
What is HashiCorp Vault?
HashiCorp Vault is a secrets management tool for securely accessing secrets. It is used to manage secrets and keys in distributed systems across cloud platforms. Vault lets cloud security teams control access to tokens, passwords, encryption keys and certificates in order to defend any potentially sensitive data. Vault is hardened internally around the contemporary "zero trust" model. Vault integrates easily with applications so that they are explicitly authenticated and authorized to fetch secrets, rotate secrets and perform sensitive operations, while also meeting audit requirements.
HashiCorp Vault is widely used across many industries, from large financial organizations to hospitality and everything in between, to provide security in the cloud operating model.
As a secrets management tool, HashiCorp Vault provides consistent access control over encryption keys, passwords, certificates etc. to shield technologies and applications. This delivers an extensive secrets management solution for enterprises looking to secure their cloud environment.
1 – Vault helps protect data at rest and data in transit.
2 – Vault exposes a high-level cryptography API so developers can secure sensitive data without ever seeing the encryption keys.
3 – Vault can also act as a certificate authority, issuing dynamic short-lived certificates to secure communications with SSL/TLS.
4 – Vault brokers identity between different platforms, such as on-premises AD and AWS IAM, to let applications work across platform borders.
Vault provides:
- Encrypted storage backends
- Isolated namespaces
- Secure plugins
- Detailed historical audit logs
- Tenancy, rotation and revocation of secrets
- A master key that protects the encryption keys Vault generates to protect data. The master key is split into five parts, and any three of the five parts are required to reconstruct it.
HashiCorp Vault Architecture
The architectural diagram of the secrets management tool HashiCorp Vault below explains the workflow of Vault's processes and services. Its components are:
- Storage Backend
- Secrets Engine
- Audit Device
- Auth Method
- Client Token
- Token Store
- Root Tokens
- Rollback Manager
- Audit Broker
- Expiration Manager
Storage Backend – The storage backend provides durable storage for encrypted data. It sits at the bottom of the architecture stack because it is an untrusted component from Vault's point of view, and it is chosen per client requirements, weighing factors such as high availability, disaster recovery and recovery time objective. The storage backend must be declared and configured before Vault is started.
HTTP API – The HTTP API is used to interact with clients. It is also an untrusted component from Vault's point of view and is therefore placed outside the barrier.
Barrier – The barrier is a strong cryptographic component that creates an impenetrable protection layer around Vault. It ensures that data is validated and decrypted as it enters Vault and that all data is encrypted as it leaves Vault. The barrier starts in the sealed state by default and must be unsealed before any access operation can be requested from Vault.
Unsealing Vault is possible only with a combination of unseal keys. When Vault is initialized it generates an encryption key. This key is in turn protected by the master key, which is divided into 5 parts, any 3 of which are required to rebuild the master key. For protection, all data that flows between Vault and the storage backend passes through the barrier.
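As an added example (not from the original article and not HashiCorp's code), the following Python models the 5-part / 3-of-5 split described above with Shamir secret sharing over a prime field, plus a toy sealed barrier that only opens once three valid unseal keys have been submitted. Real Vault performs the split byte-by-byte over GF(2^8) and verifies the rebuilt master key against its stored keyring; the integer field, the SHA-256 fingerprint check and every name below are simplifications assumed here for illustration.

```python
"""Model of Vault's unseal process: the master key is split into 5 shares
with Shamir secret sharing, and any 3 of them rebuild it. Added example,
not Vault's implementation; the prime field and the fingerprint check are
assumptions made for illustration."""
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime, far larger than any 256-bit master key


def _eval_poly(coeffs, x):
    """Horner evaluation of the share polynomial at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(key, shares=5, threshold=3):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the key."""
    secret = int.from_bytes(key, "big")
    if not (secret < P and 1 <= threshold <= shares):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def reconstruct_int(shares):
    """Lagrange interpolation at x = 0 over the supplied points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def combine_shares(shares, key_len=32):
    """Rebuild the key bytes; raises if the points do not describe a key
    of the expected length (e.g. too few or mismatched shares)."""
    value = reconstruct_int(shares)
    if value >= 1 << (8 * key_len):
        raise ValueError("shares do not reconstruct a key of this length")
    return value.to_bytes(key_len, "big")


def fingerprint(key):
    """Stand-in for Vault's stored keyring check (assumption): a hash the
    barrier can compare a candidate master key against."""
    return hashlib.sha256(key).digest()


class SealedBarrier:
    """Toy barrier: stays sealed until `threshold` distinct unseal keys
    rebuild a master key matching the stored fingerprint."""

    def __init__(self, key_fingerprint, threshold=3):
        self.key_fingerprint = key_fingerprint
        self.threshold = threshold
        self.pending = {}
        self.sealed = True

    def submit_unseal_key(self, share):
        x, y = share
        self.pending[x] = y  # resubmitting the same share does not count twice
        if len(self.pending) < self.threshold:
            return False
        try:
            candidate = combine_shares(list(self.pending.items()))
        except ValueError:
            candidate = None
        self.pending.clear()  # success or failure, this attempt is over
        if candidate is not None and fingerprint(candidate) == self.key_fingerprint:
            self.sealed = False
            return True
        return False


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    keys = split_secret(master)
    barrier = SealedBarrier(fingerprint(master))
    for share in keys[::2]:  # key holders 1, 3 and 5 hand over their parts
        print("sealed:", barrier.sealed, "-> accepted:", barrier.submit_unseal_key(share))
    print("unsealed with shares", [s[0] for s in keys[::2]], "sealed:", barrier.sealed)
```

Two points worth noticing when running it: with only two shares `reconstruct_int` returns a value unrelated to the key, which is exactly why fewer than the threshold gives no information, and a single tampered share makes the barrier discard the whole attempt rather than unseal with a wrong key.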
Image – Vault Architectures
Secrets Engine – Secrets engines are the components that store, generate or encrypt data. A secrets engine is like a virtual file system supporting operations such as read, write, delete, generating dynamic credentials, encryption etc. When a secrets engine is enabled in Vault, a random UUID is generated, which becomes the data root for that engine. Everything the secrets engine writes to the physical storage layer is prefixed with that UUID folder; since Vault does not support relative access, a secrets engine cannot reach another engine's data.
Audit Device – Audit devices keep a comprehensive log of all requests and responses inside Vault. Since every operation executed inside Vault is an API request and response, the audit log contains all authenticated communication with Vault as well as all generated errors.
Auth Method – Authentication is used to validate access to Vault. Auth methods are responsible for conveying an identity and a set of policies to a user. Vault validates the user and returns a client token that can be used for future requests.
Client Token / Vault Token – Tokens are the means of authentication within Vault. Tokens can be generated by the authentication methods, which can also generate tokens dynamically based on external identities. Inside Vault a token maps to information such as its access control list policies, which dictate what access the user is allowed inside Vault. Tokens also carry metadata used for audit logs, such as creation time and last renewal time.
Token Store – The token store is the token authentication backend responsible for creating and storing tokens. It has no login capability; all actions require an existing authenticated token.
Root Tokens – Root tokens are tokens that have the root policy attached to them.
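As an added example (not the article's and not Vault's own code), the following Python models the token-and-policy flow just described: a token store that issues client tokens carrying policy names and creation-time metadata, a simplified ACL check in the style of Vault's path rules (the longest matching path wins, `deny` overrides, the root policy is allowed everything), and a core that resolves the token, checks expiry, enforces the policy and writes an audit record for every request. The policy names, paths, token format and the single-trailing-glob matching are assumptions made for illustration, not Vault's actual engine.

```python
"""Simplified model of Vault's client tokens, token store, ACL policies and
the core's enforcement/audit step. Added example; policies, paths and the
matching rules are illustrative assumptions, not Vault's own engine."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed policies in the shape of Vault HCL `path` rules:
# a path pattern maps to the capabilities it grants.
POLICIES = {
    "root": {},  # special-cased below: the root policy allows everything
    "app-reader": {
        "secret/data/app/*": {"read", "list"},
        "secret/data/app/db-root": {"deny"},  # explicit deny on one key
    },
    "app-writer": {
        "secret/data/app/config": {"create", "update"},
    },
}


@dataclass(frozen=True)
class ClientToken:
    token_id: str
    policies: tuple
    creation_time: float  # metadata that ends up in the audit log
    ttl_seconds: int

    def expired(self, now):
        return now > self.creation_time + self.ttl_seconds


class TokenStore:
    """Creates and stores tokens; it cannot log anyone in by itself."""

    def __init__(self):
        self._tokens = {}

    def create(self, policies, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        # "hvs." mimics the look of a Vault service token (assumed format)
        tok = ClientToken("hvs." + secrets.token_hex(12), tuple(policies), now, ttl_seconds)
        self._tokens[tok.token_id] = tok
        return tok

    def lookup(self, token_id):
        return self._tokens.get(token_id)


def _matches(rule_path, request_path):
    """Only a single trailing '*' glob is modelled here (assumption)."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def allowed(token, capability, path):
    """Most specific (longest) matching rule wins; rules of equal length
    across the token's policies are unioned; 'deny' overrides."""
    if "root" in token.policies:
        return True
    best_len, caps = -1, set()
    for name in token.policies:
        for rule_path, rule_caps in POLICIES.get(name, {}).items():
            if not _matches(rule_path, path):
                continue
            if len(rule_path) > best_len:
                best_len, caps = len(rule_path), set(rule_caps)
            elif len(rule_path) == best_len:
                caps |= rule_caps
    return "deny" not in caps and capability in caps


class Core:
    """Resolves the token, checks expiry, enforces the ACL and records an
    audit entry for every request, allowed or not."""

    def __init__(self, store):
        self.store = store
        self.audit_log = []

    def handle(self, token_id, capability, path, now=None):
        now = time.time() if now is None else now
        tok = self.store.lookup(token_id)
        if tok is None or tok.expired(now):
            result = "denied: invalid or expired token"
        elif not allowed(tok, capability, path):
            result = "denied: permission denied"
        else:
            result = "ok"
        self.audit_log.append({
            "time": now,
            # the raw token never reaches the log, only a hash of it
            "token_hash": hashlib.sha256(token_id.encode()).hexdigest()[:16],
            "policies": tok.policies if tok else (),
            "operation": capability,
            "path": path,
            "result": result,
        })
        return result == "ok"


if __name__ == "__main__":
    store = TokenStore()
    core = Core(store)
    reader = store.create(["app-reader"], ttl_seconds=60)
    print(core.handle(reader.token_id, "read", "secret/data/app/config"))   # allowed
    print(core.handle(reader.token_id, "read", "secret/data/app/db-root"))  # deny rule wins
    for entry in core.audit_log:
        print(entry)
```

The audit entries show why the metadata on a token matters: every decision, including the denials for an expired or unknown token, is attributable to a policy set and a hashed token rather than to the raw credential.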
Rollback Manager – An internal component of Vault that handles partial-failure cases using write-ahead logging.
Core – The core manages the flow of requests through the system; it enforces access control lists and ensures audit logging is done.
Audit Broker – The audit broker fans each request out to all configured audit devices.
Expiration Manager – The expiration manager automatically revokes a secret when its lease expires, if allowed by the client.
HashiCorp Vault Pricing
Let's discuss HashiCorp Vault's pricing. From a pricing standpoint there are 3 options for using this tool:
- Open Source
- Cloud – Managed Vault
- Enterprise Vault Premium editions.
The open-source freeware version of Vault is limited to ~50 users only; to leverage all features and functionality it is highly recommended to use the Cloud or Enterprise version. See the attached link for all Vault pricing options.
In this article we have covered what secrets are, why we need secrets management, and the secrets management tool offered by HashiCorp, Vault. Several other secrets management tools are available in the market, as listed below. Depending on the client's requirements and existing infrastructure we can propose the appropriate tool to our clients, as long as it serves the purpose of underlying security with future integration possibilities:
- Conjur Secrets Manager (Open Source) – CyberArk
- Dynamic Access Provider (DAP) Enterprise – CyberArk
- AWS Secrets Manager – Rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
- Azure Key Vault – securely storing and accessing secrets
- Akeyless Vault for Secrets Management and Secure Remote Access
- Docker secrets management
The security trend seen over the last 5 years has shown a paradigm shift towards the Identity and Access Management domain. IAM plays a vital role in preventing cyberattacks caused by leaked credentials, and hence many organizations are taking proactive steps by adding more secrets tools and technology to protect their sensitive information as they move towards more flexible, scalable, secure and cloud-agnostic environments.
The HashiCorp suite of products is outstanding in terms of ease of use, integration and configuration. It integrates flawlessly with all offerings of the major cloud vendors. HashiCorp's products provide a solution for full-scale infrastructure security management.
In the next topics we will cover other HashiCorp security products and compare them to other traditional Privileged Access Management tools in the market. Stay tuned for upcoming topics on Boundary and CyberArk PAM solution offerings.