The following is a guest blog post from Aater Suleman, CEO at Flux7. Flux7 is one of HashiCorp's Premier System Integration partners and has successfully helped deploy dozens of customer environments using the HashiCorp stack.
As a HashiCorp consulting partner, Flux7 helps organizations establish a framework for repeatable deployments of Vault on top of their existing infrastructure or as part of a new infrastructure solution. We began working with HashiCorp Vault two years ago in response to increased requests from Chief Information Security Officers (CISOs) who wanted to ensure their company’s cloud migration or greenfield deployment met the organization’s risk, security, and compliance objectives.
Organizations migrating to cloud technologies want to ensure security controls and policies are in place before moving. Whether they recognize it or not, organizations are looking for secrets management, encryption as a service, and privileged access management (PAM).
In addition to continued conversation around cloud migration strategy, we also began fielding concerns over the proliferation of credentials and secrets as organizations adopt microservices. As the number of microservices grows, so too does the number of required credentials, certificates, and logins. This rapid growth drives the need for effective and efficient secret management across multiple levels of the organization.
After hearing the same concerns and requirements expressed from countless customers, we immediately recognized the value HashiCorp Vault provides:
We recently had the privilege of working with a customer in the healthcare industry who is not only subject to the standard HIPAA requirements, but also has strict internal guidelines to protect the security of its patients' Personal Health Information (PHI). This organization sought best-in-class security for its cloud-based solution and for managing its many credentials. These credentials are of several kinds, including DB passwords, SSH keys, and third-party API tokens that are essential for running their core applications. Given that they have numerous teams working on independent microservices, there is a further need to store the certificates that services use to communicate with each other. While there are tens of DBs and a few dozen API tokens, the customer was specifically looking to eliminate the persistent SSH private keys required to log in to the hundreds of production servers that they manage. We proposed HashiCorp Vault with LDAP authentication and the SSH backend as a solution, to which the customer agreed. Below we provide certain implementation details.
Their application deployment is a standard container-based microservices solution which uses Registrator to detect new Docker containers and register them with Consul. They use NGINX as an API gateway and as a load balancer across the containers of the same service. The NGINX configuration file is dynamically generated and updated by Consul Template, which pulls real-time configuration data from Consul. All microservices have ingress through NGINX.
We decided to deploy Vault on the same cluster to keep things consistent. Since Vault nodes hold no state of their own, Vault is container-friendly and can be deployed just like any other microservice. The only difference was that access to Vault was configured differently at NGINX, to block any external traffic from reaching Vault.
Running this organization’s system with ECS and Docker containers means that it can be quickly and easily recreated. For example, if a node were to crash, a replacement is recreated within milliseconds. Moreover, using Docker also means that the Vault system is secure from the outset; there is no concern about introducing a vulnerability from a corrupted source. Docker containers are also immutable. Together, these concepts in action mean that secret management is created and housed in a secure fashion and can easily be recreated in the same way, if needed.
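The LDAP authentication plus SSH backend setup described above, as an added example in Terraform (Vault provider) rather than Flux7's or the customer's own configuration: the SSH secrets engine runs in CA mode so operators receive short-lived signed certificates instead of persistent private keys, and an LDAP group is mapped to a policy that can only request signatures. It assumes the LDAP auth method is already enabled at the path `ldap`; the role name, principal, TTLs and group name are placeholders.

```hcl
# Added example, not Flux7's or the customer's configuration. Assumes the
# LDAP auth method is already enabled at "ldap"; role, user and group names
# are placeholders.

resource "vault_mount" "ssh" {
  path = "ssh"
  type = "ssh"
}

# Vault generates and keeps the CA private key; only the public key is
# installed on the production hosts as TrustedUserCAKeys in sshd_config.
resource "vault_ssh_secret_backend_ca" "ca" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}

# Certificates are limited to the "ops" principal, a PTY, and one hour at most,
# so a leaked certificate expires on its own instead of living on a laptop.
resource "vault_ssh_secret_backend_role" "prod_ops" {
  backend                 = vault_mount.ssh.path
  name                    = "prod-ops"
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users           = "ops"
  default_user            = "ops"
  ttl                     = "30m"
  max_ttl                 = "1h"
  allowed_extensions      = "permit-pty"
  default_extensions      = { "permit-pty" = "" }
}

# Least privilege: members may only request a signature for this one role;
# nothing here grants read access to the CA key or to other roles.
resource "vault_policy" "ssh_prod_ops" {
  name   = "ssh-prod-ops"
  policy = <<-EOT
    path "ssh/sign/prod-ops" {
      capabilities = ["create", "update"]
    }
  EOT
}

# Directory group membership now decides who can obtain a certificate.
resource "vault_ldap_auth_backend_group" "prod_ops" {
  backend   = "ldap"
  groupname = "prod-ops"
  policies  = [vault_policy.ssh_prod_ops.name]
}
```

After `terraform apply`, an operator logs in with `vault login -method=ldap` and signs their public key with `vault write ssh/sign/prod-ops public_key=@$HOME/.ssh/id_ed25519.pub`; Vault's audit log then records every certificate issued, which the persistent-key model could not provide.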
HashiCorp Vault addressed the healthcare provider's key goals through:
Learn more by visiting Vault's page.