New HCP Vault Secrets, Radar, and other features fight secret sprawl

Today at HashiConf, we are pleased to announce the alpha program for HashiCorp Cloud Platform (HCP) Vault Radar, HCP Vault Secrets general availability, secrets sync beta for Vault Enterprise, and HashiCorp Vault 1.15. These new capabilities help organizations secure their applications and services as they leverage a cloud operating model to power their shift to the cloud. Enabling a cloud operating model helps organizations cut costs, reduce risks, and increase the speed at which developers build and deploy secure applications.

The new capabilities boost Vault’s focus on helping organizations use identity to achieve their security goals by:

• Centrally managing and enforcing access to secrets and systems based on trusted sources of application and user identity.
• Eliminating credential sprawl by identifying static secrets hardcoded throughout complex systems and tooling across your entire cloud estate.
• Reducing manual overhead and risk associated with managing access to infrastructure resources like SSH, VPNs, as well as applications and services.
• Automatically implementing authentication and authorization mechanisms to ensure only authorized services can communicate with one another.

Below is a closer look at each of the Vault announcements made at HashiConf:

»HCP Vault Radar (alpha)

Organizations can significantly reduce their attack surface by leveraging Vault to manage secrets, enforce authentication, and rotate credentials regularly. However, many enterprises struggle with the step before secrets management: finding all of the untracked secrets sprawled across their IT estates.

In June, HashiCorp announced the acquisition of BluBracket, a company that focused on enabling customers to scan, identify, and remediate secrets inadvertently stored in source code, development environments, internal wikis, chat services, and ticketing systems. Secret scanning is essential for organizations working to control secret sprawl without compromising efficiency, speed, and innovation. Today, we’re updating the HashiCorp community on our progress integrating BluBracket technology into the HashiCorp product line.

The initial deliverable built from the BluBracket acquisition is called HCP Vault Radar. Additionally, we have successfully integrated Vault Radar’s secret detection functionality in Git-based version control systems, AWS Configuration Manager, and directory structures in the HCP ecosystem.

HCP Vault Radar automates the detection and identification of unmanaged secrets so that security teams can take appropriate actions to remediate issues. It scans for the following types of information, then categorizes and ranks what's discovered by risk.

• Secrets
• Personally identifiable information (PII)
• Non-inclusive language (NIL)

HCP Vault Radar also protects code from leaking into public repositories and helps prevent secrets and intellectual property from getting into the wrong hands. HCP Vault Radar works across multiple Git providers, integrates with enterprise CI/CD tools, version control, code servers, identity and access management (IAM) systems, messaging, ticketing, and many other IT resources.

Organizations interested in testing these new features can request to be a part of our early access program. HCP Vault Radar is scheduled to be released in beta in January 2024 and we anticipate general availability later in 2024.

»HCP Vault Secrets (GA)

HCP Vault Secrets — generally available today — is a new software-as-a-service (SaaS) offering of HashiCorp Vault focusing primarily on secrets management. HCP Vault Secrets was released in beta earlier this year as an even faster, simpler way for users to onboard with Vault secrets management. The general availability builds on the beta release with production-ready secrets management capabilities, additional secrets sync destinations, and multiple consumption tiers.

HCP Vault Secrets sharpens the focus on secrets management with three key benefits:

• Centralized secrets management: Centralize secrets lifecycle management in one place so users can eliminate context switching between multiple secrets management applications.
• Secure secrets when and where you need them: Enhanced secrets versioning and access control setup ensures secrets can be securely synced to multiple destinations, including AWS Secrets Manager, GitHub Actions, and Vercel. Alternatively, app secrets can be fetched using CLI, API, Terraform, or Vault Secrets Operator.
• Get up and running in minutes, for free: Users and organizations can get started with HCP Vault Secrets in minutes via our free offering or our standard paid tier.

To get started, sign up for HCP Vault Secrets for free and check out our HCP Vault Secrets documentation on HashiCorp Developer.

Learn more: HCP Vault Secrets is now generally available

»Vault Enterprise secrets sync (beta)

Cloud secrets sync, previously available only in HCP Vault Secrets, is now available as a beta feature in Vault Enterprise 1.15. Secrets sync allows platform teams to centralize their secrets management while still letting developers easily consume secrets as needed within the applications they use every day.

As more and more organizations adopt a multi-cloud approach, they face challenges around isolated secrets management, compliance, and reporting tools, as well as protecting expanded attack surfaces. Isolated secrets management solutions are primarily concerned with unifying secrets across solutions that are specific to their own platform, which can’t provide a complete solution and therefore is not suitable for multi-cloud environments. They also lose the ability to centrally provision and rotate secrets based on the best practices they’ve established. That leaves organizations faced with leveraging multiple logging tools to show auditors that they are within compliance. Finally, multi-cloud environments present a larger attack surface, making secrets management and compliance more important than ever.

Vault secrets sync bridges this multi-cloud secrets management divide between solution providers by helping teams update, rotate, and revoke secrets across multiple platforms. Used in conjunction with Vault’s existing automation functionality, secrets sync can execute these tasks automatically. Without secrets sync, organizations’ visibility into their secrets will be fragmented amongst different platforms and create a prohibitive level of risk.

The new Vault secrets sync beta release supports the synchronization of secrets to multiple platforms, and more are planned for the feature’s general availability:

• Amazon Web Services (AWS)
• Microsoft Azure
• Google Cloud
• GitHub
• Vercel

Learn more: Visit our developer documentation or the Vault product page.

»HashiCorp Vault 1.15

HashiCorp Vault 1.15, released last month, includes a broad range of updates, including new graphical user interfaces, PKI certificate management customizations, and several new beta features. Notable updates include:

New landing page dashboard: Vault 1.15 introduces a landing page dashboard that provides a more comprehensive and unified overview of important information about a Vault instance. From this new view, customers can quickly see key information like client counts and config details and take quick actions.

Certificate issuance external policy service (CIEPS): With the release of CIEPS, Vault enables fine-grained control over issued certificates using custom policies in a customer-defined service outside of Vault. Using CIEPS, customers implement a custom service that can be called by the Vault PKI secrets engine to evaluate and override original certificate-request content. This capability helps customers ensure Vault PKI-issued certificates meet corporate compliance standards.

Vault Enterprise seal high availability (beta): This new feature lets enterprise customers use independent seals retained in multiple key management services (KMS) providers, helping to ensure continuity of business operations.

Event monitoring (beta): This feature, now in beta, lets subscribers register to be notified of changes to their key-value (KV) secrets. Initially released as an alpha feature in Vault 1.13, event monitoring now adds full policy support, namespaces, and an API.

Learn more: Vault 1.15 brings UI updates, PKI enhancements, new betas, and more

»Get started and go deeper with Vault

The new options for identity-based security with HashiCorp Vault — including HCP Vault Radar, HCP Vault Secrets, Vault Enterprise secrets sync, and other features in Vault 1.15 — fight secret sprawl, reduce operational costs, improve speed of delivery, and lower risk in multiple ways. They also provide the flexibility to choose cloud-based multi-tenant or dedicated approaches, self-managed or HashiCorp-managed, and Vault community options to fit your organizational standards and preferences.

For more information about the latest releases of Vault Enterprise, visit the Vault Enterprise release page. To learn more about HCP Vault and Vault Enterprise, or to get started with HashiCorp Vault, visit the Vault product page and contact HashiCorp Sales.