Security has always been an “afterthought” for most companies for a very long time. In past year, hackers stole millions of Google+ users data and with Facebook–Cambridge Analytica data scandal, Security is something that can’t be taken for granted. More and more companies are opting for vulnerability scanners and encryption tools.
Vault is one of the open-source tools by Hashicorp that provides a secure, reliable way to store and distribute secrets like API keys, access tokens, and passwords. If you are storing sensitive customer data or trying to be PCI DSS compliant then Vault has become a default standard.
Vault Architecture:
Few useful features of vault and use cases:
Sometimes we pass API keys as environment variables to docker containers in docker run command, Since these will be in plain text, If these commands are git or someone can see your command line history then anyone can steal the creds. With vault you can pass on the encrypted data and make these data expire after accessing it one time.
Most of the companies create db users like “webuser” or “appuser” and Application will access the database using these credentials. However the major problem is that these passwords are never rotated on a regular basis, Since these passwords are hardcoded in application codebase, Anyone with these passwords can steal your data.
Vault can create dynamic db users and rotate the password on a scheduled basis. Your application code can talk to the vault and get a temporary DB user for accessing the database.
Vault can create temporary AWS IAM users/roles dynamically and delete these users after sometime.
Suppose you have a use case where you have to provide one time server access to someone. Vault can do this with SSH PAM
Many are aware of Google authenticator to generate time based OTP, But few of the compliances don’t recommend you to use Google authenticator, Vault can be used as TOTP generator, Whenever you copy an OTP, vault will record this in logs.
Build Your Own Certificate Authority (CA) with Vault
Vault can encrypt the data/images with strong encryption algorithm
Secrets like API keys can be stored in vault
Vault can force the OS not to write vault data from memory to disk.
Vault records everything (requests and responses), It can write audit log to multiple places (So even if someone try to modify your audit logs in one place, still logs are there in different places)
If a hacker tries to disable vault audit logs then vault will automatically locks itself and stops working. Even the audit logs are also encrypted as well
We will be continuing with the Vault Installation in the next part.
You’re one step closer to optimize your IT operations in the cloud.