HCP Vault Radar begins limited beta

At HashiConf last October, we announced HCP Vault Radar’s alpha program. Today, we’re pleased to announce that HCP Vault Radar is entering a limited beta phase. HCP Vault Radar is our new secret scanning product that expands upon Vault’s secrets lifecycle management use cases to include the discovery of unmanaged or leaked secrets. The beta release also debuts new functionality to support role and attribute-based access controls (RBACs/ABACs), as well as new data sources available to scan.

»HCP Vault Radar (beta)

HCP Vault Radar detects unmanaged and leaked secrets so that DevOps or Security teams can take appropriate actions to remediate exposed secrets. Radar scans for secrets, personally identifiable information (PII) or data, and non-inclusive language. It then categorizes and ranks the exposed data discovered by level of risk. Vault Radar evaluates risk according to a range of factors, including:

• Was the secret found on the latest version of the code/document?
• Is the secret identified?
• Is the secret currently active?

HCP Vault Radar supports secret scanning from a command line interface (CLI), and is also integrated into the HCP portal for a better user experience that can help prioritize any unmanaged secrets discovered. With the recently added support for scanning Terraform Cloud and Terraform Enterprise, beta Radar customers will be able to scan the following data sources:

• Git-based version control systems (GitHub, GitLab, BitBucket, etc.)
• AWS Parameter Store
• Server file directory structures
• Confluence
• HashiCorp Vault
• Amazon S3
• Terraform Cloud (new)
• Terraform Enterprise (new)
• JIRA
• Docker images

»HashiCorp Vault integration

HCP Vault Radar also integrates with Vault to scan supported data sources for the presence of leaked secrets currently in Vault that are actively being used. Using additional metadata from the scan and cross-referencing the secrets in Vault Enterprise and Vault Community, Vault Radar will give the secrets it discovers an enhanced risk rating to prioritize which ones may need immediate attention.

»Attribute-based and role-based access controls

The limited beta release of HCP Vault Radar also includes RBAC and ABAC capabilities. The primary difference between RBAC and ABAC is how access is granted. RBAC in Vault Radar allows you to grant access by roles while ABAC allows the organization to define highly granular controls and govern access by user and object characteristics, action types, and more.

RBAC roles generally refer to groups of people with common characteristics, such as:

• Departments or business units
• Security level
• Geography
• Responsibilities

RBAC and ABAC in HCP Vault Radar can help:

• Create a repeatable process of assigning permissions
• Audit privileges and make necessary changes
• Add or change roles
• Reduce the potential for human error when assigning permissions
• Comply with regulatory or statutory requirements

»Getting started

HCP Vault Radar is an exciting new addition to Vault’s secrets lifecycle management functionality. Vault Radar facilitates automated scanning and ongoing detection of unmanaged secrets in various code repositories and other data sources. This critical functionality further differentiates HashiCorp Vault’s secrets management offering by allowing organizations to take a proactive approach to remediation before a data breach occurs. Please review Vault Radar’s product documentation to learn more.

HCP Vault Radar is currently in a private beta program. To learn more or to be considered for the beta program, sign up to receive HCP Vault Radar updates.