IT pros who manage large distributed infrastructures need automated, distributed security tools, but these tools can be a big bite for them to swallow.
HashiCorp's Vault Enterprise, which saw a 0.7 release this week, is one example of how even the latest and greatest distributed security tools must add a spoonful of sugar to make their medicine go down more easily for enterprises.
Eventually, most of the IT services that enterprises deploy will be built from open source products such as Vault, said Pravir Chandra, CTO of security architecture at Bloomberg, the New York-based global finance, media and tech company. Chandra said he is currently "kicking the tires" on the product.
Whether open source software will have the manageability enterprises need to operate it remains to be seen, Chandra added.
"Traditionally, open source projects haven't been the best at doing that," he said. "But over the last couple of years, open source projects have realized that adoption is wholly contingent on the ability for someone to operate their tools efficiently at scale."
Distributed security adds crucial high availability
This week's HashiCorp Vault Enterprise release adds some critical enterprise availability and scalability features, such as regional replication and horizontal scale-out for the central Vault management server, as well as a new UI and more granular access-control policies.
Replication is the standout feature of this release for one HashiCorp Vault customer who moved to Vault Enterprise soon after it was launched last September. Geographic replication means an entire data center or region can be lost, and a mirror of the Vault server will support access to security credentials at a secondary site, so operations continue.
"The replication across data centers was very important. And now, we don't have to manage that ourselves," said William Bengtson, senior security program manager for Nuna Inc., a healthcare data analytics company in San Francisco. Nuna uses Vault to centrally manage secrets and other security domains for millions of healthcare records, including the 74 million records in the U.S. government's Medicare and Medicaid data sets.
Previously, Nuna cobbled together remote backups using snapshots of Vault's underlying MySQL database, but these amounted to standby backups, rather than real-time mirrors. Now, Nuna will be able to recover its Vault infrastructure more quickly in the event of a data center issue, Bengtson said.
Slick tech, but adoption takes time and training
Vault also enables enterprise IT to dynamically issue credentials for a short period of time, which Bengtson uses heavily because Nuna frequently rebuilds an immutable infrastructure composed of Amazon Elastic Compute Cloud instances.
Nuna doesn't yet use containers, which often get mentioned in the same breath as HashiCorp Vault. Vault can handle secrets for all types of systems, but the learning curve to deploy the software can be steep -- even without the complications of microservices, Bengtson said.
"Getting developers up to speed on Vault has been something of a struggle," he said. Going from one system where everyone had access to keys to another where access is restricted has required a shift in mindset, Bengtson said.
Even after initial adoption, a large enterprise faces many practical complications when it overhauls its security and access control to use a distributed security technology such as HashiCorp Vault.
"For any company our size, we have systems that we use for doing password management and rotating credentials, and we're probably a long way off from tying them all back into one centrally managed system," Chandra said. "We've got [Vault] up in the lab, and we're trying to start out in the cloud and container space, and then go back and see if we can retrofit some of these other systems."
HashiCorp Vault roadmap includes fine-grained controls
HashiCorp has some other big fish on the line. SAP Ariba, which processes a trillion dollars' worth of transactions per year, is a reference customer, as is DevOps software-maker Atlassian.
Such enterprises have clamored for features like geographic replication prior to this release, acknowledged HashiCorp's co-founder and CTO, Armon Dadgar. And there's still plenty on the roadmap, as HashiCorp Vault Enterprise continues in its quest to meet the needs of large, complex environments, he added.
One customer told HashiCorp it needed to manage 100 million encryption keys. This customer is trying to do authorization as a service, or per-customer encryption as a service, which opens up a new use case for HashiCorp Vault Enterprise, and is one project underway for future releases, Dadgar said.
Other projects in the works are more granular support for multifactor and consensus authentication, in which two people need to enter keys at the same time to access a particularly sensitive system. Right now, those features are supported for logging into Vault, but not for specific workflows within the environment. With the planned controls, for example, a user who is already logged in but tries to SSH into a machine would be prompted by Vault to perform another level of secondary authentication.