The following is a guest blog post from Aater Suleman, CEO at Flux7. Flux7 is one of HashiCorp's Premier System Integration partners and has successfully helped deploy dozens of customer environments using the HashiCorp stack.
As a HashiCorp consulting partner, Flux7 helps organizations establish a framework for repeatable deployments of Vault on top of their existing infrastructure or as part of a new infrastructure solution. We began working with HashiCorp Vault two years ago in response to increased requests from Chief Information Security Officers (CISOs) who wanted to ensure their company’s cloud migration or greenfield deployment met the organization’s risk, security, and compliance objectives.
Organizations migrating to cloud technologies want to ensure security controls and policies are in place before moving. Whether they recognize it or not, organizations are looking for secrets management, encryption as a service, and privileged access management (PAM).
In addition to the continued conversation around cloud migration strategy, we also began fielding concerns over the proliferation of credentials and secrets as organizations adopt microservices. As the number of microservices grows, so too does the number of required credentials, certificates, and logins. This exponential growth drives the need for effective and efficient secrets management across multiple levels of the organization.
After hearing the same concerns and requirements expressed from countless customers, we immediately recognized the value HashiCorp Vault provides:
- Centralized management and policy enforcement for any secret, infrastructure, and application
- Encryption as a service with the ability to encrypt any static secret
- Dynamic secrets with tight security controls
- Detailed audit log that tracks the use of secrets
Miniature Case Study
We recently had the privilege of working with a customer in the healthcare industry who is not only subject to the standard HIPAA requirements, but also has strict internal guidelines to protect the security of its patients' Personal Health Information (PHI). This organization sought best-in-class security for its cloud-based solution and for managing its many credentials. These credentials are of differing kinds, including DB passwords, SSH keys, and third-party API tokens that are essential for running their core applications. Given that they have numerous teams working on independent microservices, there is a further need for storing the certificates that services need to communicate with each other. While there are tens of DBs and a few dozen API tokens, the customer was specifically looking to eliminate the persistent SSH private keys required to log in to the hundreds of production servers that they manage. We proposed HashiCorp Vault with LDAP authentication and the SSH secret backend as a solution, to which the customer agreed. Below we provide certain implementation details.
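To make the LDAP-plus-SSH-backend proposal concrete, here is an added example setup script. It is not Flux7's or the customer's own tooling: the LDAP host and DNs, the LDAP group name, the role name "ops-role", the allowed login users and the TTLs are all placeholders, and it uses the CA mode of the SSH backend (the post does not say which mode the customer chose). It assumes `VAULT_ADDR` and `VAULT_TOKEN` are set for an operator who may enable auth methods and secret backends.

```shell
#!/usr/bin/env sh
# Added example (not Flux7's or the customer's real scripts): wire LDAP login
# to short-lived SSH client certificates issued by Vault's SSH backend.
# Every hostname, DN, group and CIDR below is a placeholder.
set -eu

LDAP_URL="ldaps://ldap.example.internal"          # placeholder
LDAP_USERDN="ou=Users,dc=example,dc=internal"     # placeholder
LDAP_GROUPDN="ou=Groups,dc=example,dc=internal"   # placeholder
OPS_GROUP="ops"                                   # placeholder LDAP group
ROLE="ops-role"                                   # assumed SSH role name

# The policy an ops user gets: it may ask for a signed key for this one role
# and nothing else (in particular no read of the CA signing key).
render_ssh_policy() {
    cat <<EOF
path "ssh/sign/${ROLE}" {
  capabilities = ["update"]
}
EOF
}

# The sshd_config line that makes a managed host trust certificates from
# Vault's CA; the public key file is fetched by trust_vault_ca below.
render_sshd_trust() {
    printf 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem\n'
}

configure_vault() {
    # 1. LDAP is the identity source; LDAP group membership maps to policies.
    vault auth enable ldap
    vault write auth/ldap/config \
        url="${LDAP_URL}" userdn="${LDAP_USERDN}" groupdn="${LDAP_GROUPDN}" \
        userattr="uid" groupattr="cn"
    render_ssh_policy | vault policy write ssh-ops -
    vault write "auth/ldap/groups/${OPS_GROUP}" policies="ssh-ops"

    # 2. SSH backend in CA mode: Vault signs user public keys instead of
    #    anyone distributing a shared private key.
    vault secrets enable ssh
    vault write ssh/config/ca generate_signing_key=true
    vault write "ssh/roles/${ROLE}" \
        key_type=ca allow_user_certificates=true \
        allowed_users="ubuntu,ec2-user" default_user="ubuntu" \
        ttl=30m max_ttl=1h \
        default_extensions='{"permit-pty":""}'

    # 3. Record every request so the log can be shipped to Splunk.
    vault audit enable file file_path=/var/log/vault_audit.log
}

# Run once per managed host (as root): install the CA public key and the
# sshd_config line, then reload sshd.
trust_vault_ca() {
    vault read -field=public_key ssh/config/ca > /etc/ssh/trusted-user-ca-keys.pem
    render_sshd_trust >> /etc/ssh/sshd_config
}

# What an engineer runs to reach a host: log in with LDAP credentials, get a
# certificate valid for 30 minutes, then ssh with it. No persistent key is
# shared; the certificate expires on its own.
request_ssh_cert() {
    vault login -method=ldap username="$1"
    vault write -field=signed_key "ssh/sign/${ROLE}" \
        public_key=@"${HOME}/.ssh/id_rsa.pub" > "${HOME}/.ssh/id_rsa-cert.pub"
    # then: ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa ubuntu@<host>
}

case "${1:-}" in
    configure) configure_vault ;;
    trust-ca)  trust_vault_ca ;;
    cert)      request_ssh_cert "${2:?ldap username}" ;;
    *)         render_ssh_policy ;;   # with no argument, just print the policy
esac
```

Invoke it as `./vault-ssh.sh configure` on an operator workstation, `./vault-ssh.sh trust-ca` on each host, and `./vault-ssh.sh cert <username>` when a login is needed. The policy deliberately grants only `update` on the sign endpoint: a user who can obtain a certificate cannot read or rotate the CA, and the `ttl` on the role bounds how long any issued certificate stays valid.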
Their application deployment is a standard container-based microservices solution which uses Registrator to detect new Docker containers and register them with Consul. They use NGINX as an API gateway and as a load balancer between the containers of the same service. The NGINX configuration file is dynamically generated and updated by Consul Template, which pulls real-time configuration data from Consul. All microservices have ingress through NGINX.
We decided to deploy Vault within the same cluster to keep things consistent. Since a Vault server holds no state of its own (its data lives in the storage backend), it is container-friendly and can be deployed just like any other microservice. The only difference was that access to Vault was configured differently at NGINX, to block any external traffic from reaching Vault.
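As an added illustration of that NGINX rule (this is not the customer's configuration), here is a Consul Template fragment of the kind that could produce it. The service names "orders" and "vault" and the internal address range 10.0.0.0/8 are assumptions; Consul Template fills each `{{ range service ... }}` block from the instances Registrator has put into Consul.

```nginx
# nginx.conf.ctmpl - added example, not the customer's real template.
# Consul Template renders this into nginx.conf and reloads NGINX whenever
# the set of registered containers changes.

# An ordinary microservice ("orders" is an assumed name).
upstream orders {
{{ range service "orders" }}
    server {{ .Address }}:{{ .Port }};
{{ end }}
}

# Vault instances registered under the assumed service name "vault".
upstream vault {
{{ range service "vault" }}
    server {{ .Address }}:{{ .Port }};
{{ end }}
}

server {
    listen 443 ssl;
    # TLS certificate and key settings omitted.

    # Public ingress: the microservice is reachable from outside.
    location /orders/ {
        proxy_pass http://orders/;
    }

    # Vault API: only clients inside the assumed internal range may reach
    # it; every other source address receives 403 before proxying.
    location /v1/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://vault/v1/;
    }
}
```

The `allow`/`deny` pair is evaluated before `proxy_pass`, so an external client never gets a connection to Vault at all; in-cluster services that need Vault still go through the gateway from an internal address. If Vault is registered in Consul with its `active`/`standby` tags, `service "active.vault"` would restrict the upstream to the active node.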
Running this organization's system with ECS and Docker containers means that it can be quickly and easily recreated. For example, if a node were to crash, a replacement is recreated within milliseconds. Moreover, using Docker also means that the Vault system is secure from the outset; there is no concern about introducing a vulnerability from a corrupted source. Docker containers are also immutable. Together, these properties mean that secret management is created and housed in a secure fashion and can easily be recreated in the same way, if needed.
HashiCorp Vault addressed the healthcare provider's key goals through:
- Management of Dynamic and Static Secrets. For this firm's passwords and third-party API keys, Vault creates secrets dynamically, generating them automatically and on demand. These dynamic secrets expire after a given time period, meeting the firm's specific HIPAA and security requirements.
- Vault SSH Secret Backend. This firm secured its AWS and SSH credentials using the Vault SSH Secret backend, which dynamically generates SSH credentials for the company's remote hosts. This removes the need to share private keys with all users needing access to infrastructure, further enforcing the company's security policies.
- Auditing. By integrating Vault with Splunk (this company's log management system), the security team now has a full view into the provenance of a credential, including who used a secret, when, and on which systems. Vault has allowed this organization to establish an effective balance between security and agility. This balance has resulted in less day-to-day management for both the security and development teams, allowing them to dedicate more time to strategic initiatives and ultimately meaningful business benefits.
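What the audit trail actually carries is easier to see on a concrete entry. The following added example (not the customer's Splunk integration) is a POSIX-shell summarizer for Vault's file audit backend: each line of the audit log is one JSON object, and the fields used here (time, type, auth.display_name, request.operation, request.path, request.remote_address) are the ones the file audit backend writes. The log line itself is constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not the customer's real pipeline): reduce Vault audit-log
# entries to one "who, when, what, where, from where" line each, the view
# the security team wants from Splunk.

# A constructed request entry as it would appear in /var/log/vault_audit.log
# after LDAP user "jdoe" asks the SSH backend to sign a key. Vault HMACs
# sensitive request values (the shortened hmac-sha256 below is made up);
# the path, operation and caller address are written in the clear.
SAMPLE_ENTRY='{"time":"2017-06-01T12:00:00Z","type":"request","auth":{"display_name":"ldap-jdoe","policies":["default","ssh-ops"]},"request":{"operation":"update","path":"ssh/sign/ops-role","remote_address":"10.0.3.14","data":{"public_key":"hmac-sha256:0000"}}}'

# Print the value of a string-valued key in a one-line JSON object.
# $1 = JSON line, $2 = key name (keys used here occur once per entry).
json_str() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# One line per audit entry. Only "request" entries are summarised: the
# matching "response" entry repeats the request block, so counting both
# would report every credential use twice.
summarize_entry() {
    entry="$1"
    [ "$(json_str "$entry" type)" = "request" ] || return 0
    printf '%s %s %s %s from %s\n' \
        "$(json_str "$entry" time)" \
        "$(json_str "$entry" display_name)" \
        "$(json_str "$entry" operation)" \
        "$(json_str "$entry" path)" \
        "$(json_str "$entry" remote_address)"
}

# Whole-file form: summarize_log /var/log/vault_audit.log
summarize_log() {
    while IFS= read -r line; do
        summarize_entry "$line"
    done < "$1"
}

summarize_entry "$SAMPLE_ENTRY"
# → 2017-06-01T12:00:00Z ldap-jdoe update ssh/sign/ops-role from 10.0.3.14
```

The `display_name` of an LDAP login is `ldap-<username>`, so the line answers "who"; `path` and `operation` answer "what" (here, a request for a signed SSH key for the ops role); `remote_address` answers "from which system". A production pipeline would ship the raw JSON to Splunk and build this view there, but the fields are the same.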
Learn more by visiting Vault's page.