This is a guest post by Rani Osnat, VP Marketing at Aqua Security. Aqua is a HashiCorp technology partner and focuses on securing container-based applications from development to production, on any platform.
Aqua Security, founded in 2015, focuses on securing applications that are developed and run using virtual containers, e.g. using Docker. We provide automated security controls for the entire lifecycle of containers, starting from development and all the way to protecting container workloads in production. We work with large enterprises that already use containers or are migrating to containers, and have security and regulatory requirements to ensure their applications are protected and monitored.
We chose to integrate with HashiCorp Vault after learning of a customer need for secrets management in containers. Vault is the leading product for secrets management in the enterprise, is widely used by large enterprises, and is easy to integrate with.
HashiCorp Vault for secrets management with containers
The adoption of containers creates significant disruption in application security. It’s not that containers are less secure than other technologies - but the way they are developed and run requires a significant shift in how security is managed. This is due to the very rapid development and deployment cycle, the shared kernel architecture, orchestration tools used, etc. Existing security solutions are unable to provide the necessary visibility and control for container workloads.
Case in point
Managing secrets in container environments is a major challenge for any organization moving container-based applications into production. Since containers require access to secrets but run on a shared kernel, the challenge is to pass the secret to the container securely, ensure that the secret is only accessible within the container and not on the host, and facilitate secrets lifecycle operations (updates, rotation, revocation) with no downtime.
Additionally, many organizations already use a centralized secrets store such as HashiCorp Vault, so creating a separate database for the purpose of managing secrets in containers creates unnecessary duplication, increases potential exposure of secrets to privileged users, and fails to leverage the existing investment.
HashiCorp Vault and Aqua
At Aqua, we want to create a secrets management solution that takes care of the “last mile” of bringing the secret into the container, while leveraging existing secrets solutions to manage secrets storage, access management and lifecycle controls. HashiCorp Vault was a perfect fit since it is widely used by enterprises, and is easy to integrate with.
With the Aqua and Vault integration, organizations can securely and efficiently manage and use secrets in container-based applications. They continue to manage secrets in Vault, while Aqua provides them with the ability to assign secrets to containers and groups of containers, monitor secrets usage in containers, and update, rotate and revoke secrets with no need to stop or restart a running container.
Throughout this process, the secret itself remains encrypted and inaccessible to anyone or anything other than the intended container. It does not persist on disk, and once the container stops running, the associated secrets it used disappear with it. Even within the Aqua management console, the secret values are not visible - only their names/labels.
Miniature case study