The following is a guest blog post from Aater Suleman, CEO at Flux7. Flux7 is one of HashiCorp's Premier System Integration partners and has successfully helped deploy dozens of customer environments using the HashiCorp stack.
As a HashiCorp consulting partner, Flux7 helps organizations establish a framework for repeatable deployments of Vault on top of their existing infrastructure or as part of a new infrastructure solution. We began working with HashiCorp Vault two years ago in response to increased requests from Chief Information Security Officers (CISOs) who wanted to ensure their company’s cloud migration or greenfield deployment met the organization’s risk, security, and compliance objectives.
Organizations migrating to cloud technologies want to ensure security controls and policies are in place before moving. Whether they recognize it or not, organizations are looking for secrets management, encryption as a service, and privileged access management (PAM).
In addition to continued conversation around cloud migration strategy, we also began fielding concerns over the proliferation of credentials and secrets as organizations adopt microservices. As the number of microservices grows, so too does the number of required credentials, certificates, and logins: every new service brings its own database passwords, API tokens, and TLS certificates for the services it talks to. This growth drives the need for effective and efficient secret management across multiple levels of the organization.
### Solution

After hearing the same concerns and requirements expressed from countless customers, we immediately recognized the value HashiCorp Vault provides:
- Centralized management and policy enforcement for any secret, across infrastructure and applications
- Encryption as a service (the transit secrets engine), so applications can encrypt and decrypt data without ever handling the keys themselves
- Dynamic, short-lived secrets with tight security controls
- A detailed audit log that tracks every request for and use of a secret
### Miniature Case Study
We recently had the privilege of working with a customer in the healthcare industry who is not only subject to the standard HIPAA requirements, but also has strict internal guidelines to protect the security of its patients' Protected Health Information (PHI). This organization sought best-in-class security for its cloud-based solution and for managing its many credentials. These credentials are of differing kinds, including DB passwords, SSH keys, and third-party API tokens that are essential for running their core applications. Given that they have numerous teams working on independent microservices, there is a further need to store the certificates that services use to authenticate to each other. While there are tens of DBs and a few dozen API tokens, the customer was specifically looking to eliminate the persistent SSH private keys required to log in to the hundreds of production servers that they manage. We proposed HashiCorp Vault with LDAP authentication and the SSH secrets backend as a solution, and the customer agreed. Below we provide certain implementation details.
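The workflow described above, as an added example that is not part of Flux7's post or of Vault's own documentation: engineers authenticate to Vault with their directory credentials, Vault signs their existing SSH public key with a CA it controls, and the production hosts trust that CA instead of carrying per-user `authorized_keys`. It assumes the SSH secrets engine is used in certificate-signing mode (`key_type=ca`), a reachable Vault server with `VAULT_ADDR` and `VAULT_TOKEN` set, an LDAP directory at `ldaps://ldap.example.com`, an LDAP group `ops`, and the role name `prod-ops` and policy name `ssh-prod-ops`; all of these names are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Flux7's or HashiCorp's own code. Hostnames, DNs, the
# LDAP group "ops", the role "prod-ops" and the policy "ssh-prod-ops" are
# hypothetical. configure_vault/install_host_ca/sign_user_key need a live
# Vault (VAULT_ADDR, VAULT_TOKEN) and are only called when you invoke them.
set -eu

ROLE=prod-ops
POLICY=ssh-prod-ops
CA_PUBKEY=/etc/ssh/trusted-user-ca-keys.pem

# Least-privilege policy: members of the ops group may only ask Vault to sign
# keys under this one role; they can neither read the CA key nor edit roles.
write_policy_file() {
  cat > "$1" <<EOF
path "ssh/sign/${ROLE}" {
  capabilities = ["create", "update"]
}
EOF
}

# Role definition as JSON (fed to "vault write <path> -") so the map-valued
# default_extensions field is unambiguous. Certificates are short-lived and
# limited to named principals, so a leaked cert is useful for minutes, not years.
render_role_json() {
  cat <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "ops,deploy",
  "default_user": "ops",
  "ttl": "30m",
  "max_ttl": "1h",
  "default_extensions": { "permit-pty": "" }
}
EOF
}

# One-time Vault setup: LDAP auth method, policy, group mapping, SSH CA, role.
configure_vault() {
  vault auth enable ldap
  vault write auth/ldap/config \
    url="ldaps://ldap.example.com" \
    userdn="ou=Users,dc=example,dc=com" userattr="uid" \
    groupdn="ou=Groups,dc=example,dc=com" groupattr="cn" \
    insecure_tls=false
  write_policy_file "/tmp/${POLICY}.hcl"
  vault policy write "$POLICY" "/tmp/${POLICY}.hcl"
  vault write auth/ldap/groups/ops policies="$POLICY"

  vault secrets enable ssh
  vault write ssh/config/ca generate_signing_key=true
  render_role_json | vault write "ssh/roles/${ROLE}" -
}

# On each production host (once, e.g. from configuration management): fetch the
# CA public key from Vault's unauthenticated endpoint and make sshd trust it.
install_host_ca() {
  curl -fsS "${VAULT_ADDR}/v1/ssh/public_key" > "$CA_PUBKEY"
  grep -q "^TrustedUserCAKeys ${CA_PUBKEY}" /etc/ssh/sshd_config \
    || echo "TrustedUserCAKeys ${CA_PUBKEY}" >> /etc/ssh/sshd_config
  systemctl reload sshd
}

# Daily flow for an engineer: log in with directory credentials, have the
# local public key signed, inspect the certificate, then connect. The private
# key never leaves the laptop and is never copied to any server.
sign_user_key() {
  user="$1"; host="$2"
  vault login -method=ldap username="$user"
  vault write -field=signed_key "ssh/sign/${ROLE}" \
    public_key=@"$HOME/.ssh/id_ed25519.pub" valid_principals=ops \
    > "$HOME/.ssh/id_ed25519-cert.pub"
  ssh-keygen -L -f "$HOME/.ssh/id_ed25519-cert.pub"  # check Principals and the Valid: window
  ssh ops@"$host"                                    # ssh finds id_ed25519-cert.pub next to the key
}
```

Two checks worth keeping in the runbook: `ssh-keygen -L` on the issued certificate should show only the principals you asked for and a validity window no longer than the role's `ttl`, and on the host side `sshd -T | grep trustedusercakeys` confirms the CA is actually in effect. Revoking a departing engineer then means removing them from the LDAP group; their last certificate simply expires.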