HashiCorp Vault - Secrets Management

DevOps

Our approach

We reviewed the applications and databases in urgent need of dynamic credential rotation. This assessment involved a deep dive with customer teams to identify the requirements that provided vital inputs for our solution design, including a review of the existing on-prem and cloud architecture.

"Integrate security into every phase of your cloud journey. Put zero trust into action."

Challenges this customer was facing:

  • Database/system administrators and developers were storing database credentials on their local devices.
  • These database credentials were stored in plain text, not encrypted.
  • No policy enforcement of password rotation.
  • Database passwords were scattered throughout the enterprise in undocumented locations.
  • Some databases had passwords that had gone unchanged for extended periods of time.
  • Database passwords were stored in source control repositories with no audit trail.
  • Expensive compliance audit failures.

Solution Overview

  • High-level target-state Vault architecture (including DR).
  • Summary of the Phase 1 Vault architecture, including secrets engines, namespace design, authentication design, policy design, workflows, and overall Vault configuration.
  • High-level documentation of planned future implementation phases, where applicable (e.g., future functionality expansion such as new secrets engines).
  • DevSecOps review (CI/CD workflows, security, IAM, network, etc.).
  • Management presentation summarizing findings, including a list of assumptions and issues/concerns.
  • System administrator, database administrator and application developer training on the Vault API, UI and CLI.

Service Benefits

  • Admins and developers are relieved of the burden of secure database password management: Vault now rotates passwords dynamically while providing seamless, role-based and role-appropriate access.
  • Greatly improved application and database security once developers and admins are trained to use Vault's API to store and retrieve passwords from Vault.
  • Vastly improved access control, auditing and oversight of database secrets.
  • Automation and integration of secrets management, reducing overhead, costs and the potential for human error.
  • Regulatory (e.g., FIPS) compliance capability.

Service Timeline and High-Level Milestones

  • Assessment phase: 6-8 weeks.
  • Design phase: 2-4 weeks.
  • Implementation phase (key phase 1 users): 8-10 months.