FAQ

What is the value of adopting Vault Enterprise?

HashiCorp co-founder and CTO Armon Dadgar breaks down the ROI for Vault Enterprise.

Speakers

  • Armon Dadgar, Co-founder & CTO, HashiCorp

Transcript

A question we're often asked is, "What is the value for an organization to adopt and use a technology like Vault Enterprise?" I think it's best when understood relative to what they would do if they're not using a system like Vault Enterprise. In many enterprises, what we see is that credentials are sprawled across the entire estate, so you have passwords, API keys, credentials that are plaintext in app source code, config files, configuration management systems, version control. These credentials live everywhere.

And so the challenges as you talk about that are fewfold. One, we have an incredible risk involved with all these credentials being plaintext everywhere, meaning that if I'm a malicious insider, what are the credentials I can get access to through version control or source code or configurations that would let me get access to customer data and databases or privileged systems that maybe I shouldn't have access to? The sprawl leads to a state where we don't really know who has access to what, and have they leveraged that access?

One advantage of Vault is, how do we take all these credentials and centralize them so they are defined in one location, but we have authentication, we have authorization, we have auditing around who did what when? Now, not only do you need to be authenticated, you have to be explicitly authorized. You have to have a need for that credential before you'll get it from Vault. And even if you do leverage it, we have an audit trail of who did what when. This provides a huge amount of value as we think about the risk of exposure of those credentials across an entire organization.

The other challenges that are very common are things like how we deal with the compliance requirements to do things like password rotation, key rotation, and certificate rotation. In general, what we find is these are manual operations that take development teams days, weeks, or months, depending on the level of sprawling complexity of an application.

Is there an opportunity with Vault Enterprise to take those credentials and not only centralize them, but now we can automate the rotation of them? We can hit APIs and periodically do rotation of encryption keys, of certificates, of passwords, and do it in a way where we only have to talk to a single central system, rather than discover where these credentials are sprawled across the entire estate.

As we think about what it takes for us to meet our compliance requirements, how do we reduce the amount of time, the amount of cost, the amount of man hours involved in doing that by automating away some of those processes?

The other side of it is: how do we get much better about reducing the lifetime of credentials? What we often tend to see is, whether it's a database credential, whether it's a certificate, whether it's API tokens, they tend to be incredibly long-lived. We'll generate database passwords that we rotate every five years. We'll generate TLS certificates that are valid for 10 years. And so the challenge with that is, if these things leak at any point in that window, then we have this sort of huge window where an attacker can use this certificate or this password, because it's valid for years on end.

Versus with Vault, what we try to do is add this capability called Dynamic Secrets, where we'll generate these credentials on the fly. Instead of going to our database and creating a thousand user names, and once every five years rotating the passwords, instead we allow Vault to dynamically connect to the database, create usernames on demand, and revoke them relatively rapidly.

So instead of a credential that's valid for five years, we might have a credential that's only valid for 24 hours, 48 hours, 30 days. And Vault is responsible for that full lifecycle of creating the account, rotating the password, and deleting it at the end of that period of time. So we can start to automate a lot of our user account management activities that traditionally are a manual task to create, audit, and rotate all those credentials.

When we think about the value of Vault Enterprise for most organizations, it's really about how we reduce the risk of these credentials being sprawled everywhere, how we reduce the cost of our compliance, and how we reduce the manpower associated with rotation of all these credentials and user management across a variety of endpoint systems.
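The dynamic-secrets lifecycle described above (create an account on demand, keep it alive only for a lease TTL, revoke it centrally, and audit every step) as an added illustration. This is not HashiCorp's code or Vault's API; `DynamicSecretBroker`, `Lease`, the `billing-api` and `report-job` requesters, and the simulated clock are all hypothetical stand-ins for the database secrets engine and a real wall clock.

```python
"""Toy model of Vault-style dynamic secrets: per-request, short-lived credentials
whose whole lifecycle (create, expire, revoke) is owned by a central broker that
writes an audit trail. Added illustration; not HashiCorp's code."""
import secrets
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Lease:
    lease_id: str
    username: str
    requester: str
    issued_at: int   # simulated clock, in seconds
    ttl: int         # seconds the credential stays valid
    revoked: bool = False

    def expires_at(self) -> int:
        return self.issued_at + self.ttl


class DynamicSecretBroker:
    """Hypothetical broker standing in for Vault's database secrets engine."""

    def __init__(self, default_ttl: int, max_ttl: int):
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.leases = {}          # lease_id -> Lease
        self.db_accounts = set()  # stand-in for the accounts that exist in the database
        self.audit_log = []       # (action, actor_or_reason, username, time)

    def issue(self, requester: str, now: int, ttl: Optional[int] = None):
        """Create a fresh account for this caller; the TTL is capped at max_ttl."""
        ttl = min(ttl if ttl is not None else self.default_ttl, self.max_ttl)
        username = f"v-{requester}-{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        self.db_accounts.add(username)
        lease = Lease(secrets.token_hex(8), username, requester, now, ttl)
        self.leases[lease.lease_id] = lease
        self.audit_log.append(("issue", requester, username, now))
        return lease.lease_id, username, password

    def revoke(self, lease_id: str, now: int, reason: str = "manual") -> None:
        """Delete the account behind a lease; safe to call more than once."""
        lease = self.leases[lease_id]
        if lease.revoked:
            return
        lease.revoked = True
        self.db_accounts.discard(lease.username)  # the account is removed, not just flagged
        self.audit_log.append(("revoke", reason, lease.username, now))

    def tidy(self, now: int) -> int:
        """Revoke every lease whose TTL has elapsed; returns how many were cleaned up."""
        expired = [l for l in self.leases.values()
                   if not l.revoked and l.expires_at() <= now]
        for lease in expired:
            self.revoke(lease.lease_id, now, reason="expired")
        return len(expired)

    def is_valid(self, username: str) -> bool:
        """Only accounts that still exist in the database can authenticate."""
        return username in self.db_accounts

    def audit_for(self, username: str):
        """Who obtained this credential, and when it went away."""
        return [e for e in self.audit_log if e[2] == username]


def exposure_window(ttl: int, leak_offset: int) -> int:
    """Seconds a leaked credential stays usable when it leaks `leak_offset`
    seconds into a lease of length `ttl` (the window the transcript warns about)."""
    return max(0, ttl - leak_offset)


if __name__ == "__main__":
    broker = DynamicSecretBroker(default_ttl=DAY, max_ttl=2 * DAY)
    lease_id, user, _ = broker.issue("billing-api", now=0)
    print(user, "valid:", broker.is_valid(user))
    broker.tidy(now=DAY)
    print(user, "valid:", broker.is_valid(user), broker.audit_for(user))
    # A five-year password leaked 100 days in vs. a one-day lease leaked immediately
    print(exposure_window(5 * 365 * DAY, 100 * DAY) // DAY, "days vs",
          exposure_window(DAY, 0) // DAY, "day")
```

The point the model makes concrete: because the broker both creates and deletes the account, expiry is enforced by the database itself rather than by an application remembering to rotate, and the audit trail ties every live credential back to the identity that requested it.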
