How Do I Find Budget for Vault?
Feb 25, 2020
There's a good chance that your security team already has a budget for secrets management.
Senior Solutions Engineer, HashiCorp
“How do I find budget for Vault?” This is a great question that we have a lot of times from smaller parts of organizations that really have a need for secrets solutions, but they don't necessarily have the budget to buy an enterprise version of the product.
It's actually easy to find the people with the money, because typically your security teams have budgets to help you solve this kind of an issue.
So the first answer is, Look for your security team. See if they have an existing budget just for secrets management solutions. They may already have some kind of a budget for that.
» Piggyback on bigger projects
The second one is to start to talk around your company and try to understand what your overall security initiatives are. You usually have a CISO or somebody who has this set of initiatives to bring the overall security of your company into a much better environment.
What we typically find with customers that are able to find budget for small teams, is that they roll this up into some other project that is happening company-wide. Those types of things are great places to find the budgets overall that might roll into a security initiative that you might have.
» Combating secrets sprawl
One of the other things that we find is very helpful for people is to prove out why a secrets management solution like this is extremely critical for your organization. And one of the things to focus on is this concept of secrets sprawl. It's this idea that your surface area of where you store your secrets gets large and wide when you don't have a consolidated secrets management solution. What often happens in a lot of organizations is different developer groups or different operator groups will manage their own secrets solution on their own.
In some cases, this could be fine if you're in a small company. As you start to get into larger organizations, this can become a problem, especially for somebody with the title like CISO. Because they have to audit where their secrets are, they have to audit who's accessing these secrets, they have to audit when these things are accessed and when they've been deleted from the system.
» The cost of Vault vs. compliance penalties
In some cases, by regulatory requirements, tracking these things over time, these become very big budget items in terms of the expenses that you could incur if you have penalties, if you're controlled by something like Sarbanes-Oxley or similar types of regulations. If you were to violate some of those regulatory requirements, the cost to your organization can be far greater than anything that you would pay for licenses for Vault.
» Look for a post-breach culture shift
One of the things that we've noticed with our customers who have previously had a data breach and bought Vault to overcome some of the weaknesses that they had within their environment: It isn't so much just around the fact that now they have a consolidated secrets management solution; it's really in and around the culture that happened after they had the data breach.
Anytime you have a massive issue, when the pendulum swings the other way, you have a far different culture than what you started off with when the pendulum was on the other side and you lost your equilibrium.
As a previous operator, it's very difficult for me to go into these post-breach situations. Maybe I'm helping them do an install or trying to place the proper clustering solution inside of their environment. Installing software, configuring that software, and then running that software can be very difficult because people now have very secure laptops where they can't install software that they may want to install for productivity reasons.
They have to go through very difficult processes in order to do this. Their networks often have to translate all of their outbound web requests through some kind of proxying mechanism, oftentimes with very strict security policies.
And lastly, the overall cultural feeling within the organization. “Shame” is maybe not the best way of describing that, but there's generally, some kind of a scar on the organization in general.
The overall cost to the organization is more than just the fact that you had a data breach. Maybe you have some penalties that happened because of regulatory compliance or anything along those lines. But lastly, there’s a cost in speed of operations and agility that slows down your time-to-market when you have such strict security policies in an organization that maybe didn't have these things previously.
When you're trying to find a budget for Vault, think about some of the cultural changes that could occur inside your company if you didn't have a consolidated secrets solution, and how to shore up any of those security policies so that you have the ability to keep your productive culture going over a period of time.