This is a guest post by Rani Osnat, VP Marketing at Aqua Security. Aqua is a HashiCorp technology partner and focuses on securing container-based applications from development to production, on any platform.
Aqua Security, founded in 2015, focuses on securing applications that are developed and run using virtual containers, e.g. using Docker. We provide automated security controls for the entire lifecycle of containers, starting from development and all the way to protecting container workloads in production. We work with large enterprises that already use containers or are migrating to containers, and have security and regulatory requirements to ensure their applications are protected and monitored.
We chose to integrate with HashiCorp Vault after learning of a customer need for secrets management in containers. Vault is the leading product for secrets management in the enterprise, is widely used by large enterprises, and is easy to integrate with.
HashiCorp Vault for secrets management with containers
The adoption of containers creates significant disruption in application security. It’s not that containers are less secure than other technologies - but the way they are developed and run requires a significant shift in how security is managed. This is due to the very rapid development and deployment cycle, the shared kernel architecture, the orchestration tools used, and so on. Existing security solutions are unable to provide the necessary visibility and control for container workloads.
Case in point
Managing secrets in container environments is a major challenge for any organization moving container-based applications into production. Since containers require access to secrets but run on a shared kernel, the challenge is to pass the secret to the container securely, ensure that the secret is only accessible within the container and not on the host, and facilitate secrets lifecycle operations (updates, rotation, revocation) with no downtime.
Additionally, many organizations already use a centralized secrets store such as HashiCorp Vault, so creating a separate database for the purpose of managing secrets in containers creates unnecessary duplication, increases potential exposure of secrets to privileged users, and fails to leverage the existing investment.
HashiCorp Vault and Aqua
At Aqua, we want to create a secrets management solution that takes care of the “last mile” of bringing the secret into the container, while leveraging existing secrets solutions to manage secrets storage, access management and lifecycle controls. HashiCorp Vault was a perfect fit since it is widely used by enterprises, and is easy to integrate with.
With the Aqua and Vault integration, organizations can securely and efficiently manage and use secrets in container-based applications. They continue to manage secrets in Vault, while Aqua provides them with the ability to assign secrets to containers and groups of containers, monitor secrets usage in containers, and update, rotate and revoke secrets with no need to stop or restart a running container.
Throughout this process, the secret itself remains encrypted and inaccessible to anyone or anything other than the intended container. It does not persist on disk, and once the container stops running, the associated secrets it used disappear with it. Even within the Aqua management console, the secret values are not visible - only their names/labels.
Miniature case study
An insurance company has started developing and delivering applications using Docker containers. One of the challenges the customer faced was managing secrets in containers, and more specifically how to provide containers with access to the keys and credentials they need to operate without increasing the risk of exposure. The company wanted to:
- Leverage its HashiCorp Vault installation to manage secrets for containers
- Avoid unnecessary duplication of the secrets database
- Ensure that secrets are not visible nor persistent on the host
- Gain visibility and an audit trail for compliance purposes
Since the customer is a large insurer, it is bound by many regulatory requirements. Managing secrets in a secure way was paramount, and being able to gain visibility into where and when those secrets are used is an invaluable benefit for compliance.
The customer is now capable of extending its strict secrets management practices to its container deployments, reaping the benefits that containers bring - agile development and delivery, scalable applications - with no compromise on security and compliance.
HashiCorp Vault is a product to secure any infrastructure and any application. Vault provides a consistent workflow to securely store and manage secrets, provide encryption as a service, and enforce granular privileged access management. To learn more about HashiCorp Vault, visit https://www.hashicorp.com/products/vault/.