What are the advantages of Vault encryption as a service?

HashiCorp solutions engineer Lance Larsen explains the value of a high-performance, encryption-as-a-service system like the one in Vault.

HashiCorp Vault's encryption-as-a-service makes security easier and more standardized for developers, and it also avoids the bad practice of trying to roll your own encryption.



We've seen an increasing interest from our customers in looking at encryption as a service, and there are a lot of reasons for this. Primarily, even if you have your data encrypted at rest, you might have a transparent data encryption layer under that—Oracle TDE as an example—but that doesn't protect you from risk factors like someone exercising SQL injection against your database or dumping out those tables. Anyone with an authenticated SQL client in this example could see that data.

So obviously, having very sensitive data and wanting to encrypt those rows and columns becomes a focus, and Vault is an excellent tool to do just that. What we've seen people doing is, in the same way that AWS Key Vault, or GCP Key Vault, or Azure Key Vault works, you can get the same type of functionality with Vault. Your applications can take plain text, swap it for enciphered text, have a very friendly API to do this, and then go and persist that data, and potentially combine it with transparent data encryption.

Some of the folks that we've been working with to actually scale this out are large retail customers who are protecting their member rewards data, processing these batch transactions in bulk across Asia and now rolling out into North America. We have folks who are large risk and monitoring companies for fraud. Again, they have very sensitive requirements around PII, making intelligent and timely actionable decisions when they detect that their members might be at risk.

And the volumes of these workloads: this isn't just a few hundred requests per second. We actually have these folks rolled out into production at a magnitude of 15,000 to 20,000 requests per second. So, with rate limiting, that can potentially be 2x what you might get from a cloud provider, and you can have a local replicated Vault cluster serving those encryption keys, and doing that in a much more performant way for you.

So, we've actually worked with those folks to drive new features in Vault, especially performance standby nodes—where encryption workloads can essentially now be scaled horizontally across the Vault cluster. And for our large gaming customers, that's become extremely important. We're looking at potentially 30 to 40 global clusters deployed for Vault in the longer-term roadmap. And again, they have data that is very important to the folks that use their services, protecting that around the micro-transactions or credit cards that they're actually using to purchase things in-game.

Again, we're seeing a huge uptake in the interest for encryption as a service. We're continuing to make that feature easier to consume, to provide guidance in how folks are rolling it out. At the end of the day, it's exciting to see that people are having a lot of success, and able to do it at scale. That's super impactful for the business.
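The application-side pattern described above (plaintext in, ciphertext out, ciphertext persisted in the database so a SQL client or table dump only ever sees enciphered values) uses Vault's transit secrets engine. The following is an added example, not HashiCorp's code: a small client against the transit encrypt, decrypt and rewrap endpoints, plus a check of the key version embedded in transit ciphertext so rows encrypted under an older key can be rewrapped after rotation. The Vault address, token and key name are placeholders you would replace; the HTTP transport is injectable so the logic can be exercised without a live Vault.

```python
"""Client for Vault transit ("encryption as a service"): the app never holds
the key, it only stores the "vault:v<N>:..." ciphertext in its own database."""
import base64
import json
import urllib.request


class TransitClient:
    def __init__(self, addr, token, key_name, opener=None):
        # addr/token/key_name are placeholders; opener lets tests swap the HTTP layer
        self.addr = addr.rstrip("/")
        self.token = token
        self.key = key_name
        self.opener = opener or self._http

    def _http(self, path, payload):
        # Real transport: POST JSON to /v1/<path> with the Vault token header
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}",
            data=json.dumps(payload).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def encrypt(self, plaintext: bytes) -> str:
        # transit takes base64 plaintext and returns "vault:v<N>:<base64>" ciphertext
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        return self.opener(f"transit/encrypt/{self.key}", body)["data"]["ciphertext"]

    def decrypt(self, ciphertext: str) -> bytes:
        out = self.opener(f"transit/decrypt/{self.key}", {"ciphertext": ciphertext})
        return base64.b64decode(out["data"]["plaintext"])

    def rewrap(self, ciphertext: str) -> str:
        # Re-encrypt under the newest key version; plaintext never leaves Vault
        out = self.opener(f"transit/rewrap/{self.key}", {"ciphertext": ciphertext})
        return out["data"]["ciphertext"]


def key_version(ciphertext: str) -> int:
    # "vault:v3:<base64>" -> 3; rejects values that transit did not produce
    prefix, ver, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not ver.startswith("v") or not ver[1:].isdigit():
        raise ValueError("not a transit ciphertext")
    return int(ver[1:])


def needs_rewrap(ciphertext: str, min_version: int) -> bool:
    # After rotating the key, rows still under an older version should be rewrapped
    return key_version(ciphertext) < min_version
```

A constructed `opener` stand-in is enough to verify the request shapes and the version check; against a real cluster, drop the `opener` argument and supply a token with a policy allowing `transit/encrypt/<key>`, `transit/decrypt/<key>` and `transit/rewrap/<key>`.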
