HashiCorp, a leader in the DevOps marketplace, today released Vault, a unified solution for secure key and secret management complete with in-transit encryption, key rolling, key revocation, and detailed audit logs. This is HashiCorp's sixth open source project, alongside Vagrant, Packer, Serf, Consul, and Terraform. Collectively these projects have millions of downloads, and users from AOL, Disqus, Twitch, Akamai, Expedia, Mozilla, and others.

Vault is designed for modern enterprise organizations -- organizations that build applications for the distributed, dynamic infrastructure era and view application security as a top priority. Vault can be implemented in existing infrastructures and applications to securely manage and organize the increasing number of services and corresponding credentials. Vault is an essential piece of the HashiCorp application delivery and lifecycle management suite, as it securely manages the secrets and tokens used by Packer, Terraform, Consul, and the commercial product Atlas to create, configure, and orchestrate applications for the modern datacenter.

Responsible secret management is one of the most difficult unsolved or unaddressed problems in modern datacenter automation and microservice architectures. It is a necessary component that enables services to communicate securely without hardcoded or insecurely stored credentials. Secret management is increasingly important as enterprises adopt distributed source code management and move towards microservices and container architectures. These trends increase the number of secrets required to connect services and expand the attack surface, both in terms of potential infiltration points and internal damage in the event of a compromise. Existing solutions in the secret management space, such as hardware security modules (HSMs), cannot be deployed in the cloud, or are prohibitively expensive for anyone but the largest companies.

"Groupon is a multibillion dollar commerce company and in order to protect our customers and merchants from all kinds of threats, we take security seriously," said Sean Chittenden, Operations Architect at Groupon. "Operationally, Vault promises to significantly simplify and enhance the security against internal threats and other service lifecycle management challenges. Based on our diligence and initial testing, HashiCorp has released another solid product that the industry can benefit from."

In addition to cloud-ready deployments, Vault brings unique features to secret management -- Vault dynamically generates secrets as they are requested, leases them for a period of time, and can then automatically renew access with a new key. Secrets generated by Vault can be thought of as one-time-use passwords that are only valid between specific services. This is unprecedented functionality that holds several benefits and demonstrates how Vault is built for modern, distributed architectures:
- Reduce the time an attacker has to infiltrate the infrastructure in the event of a security breach. The attacker only has a short window of opportunity before the secret is regenerated and access is revoked.
- Limit the internal surface area of a breach to a single application instance. Each secret grants specific, limited communication permissions. If a secret is compromised, it only provides access to a single service and not the entire infrastructure.
- Generate an audit trail of service communication. Each time a secret is generated, an audit log entry is created which can be used to determine the specific compromised resource in the datacenter. For example, if an application that does not have access to a database attempts to make a connection, it is clear that there has been a compromise.
- Simplify security for large operations and infrastructures. Vault lowers the barrier to entry for organizations to use responsible secret management to secure their distributed infrastructure. Administrators have visibility into how services are connecting in the datacenter, and can quickly revoke access credentials in the event of a breach.

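The four properties above (short-lived leases, per-service scoping, an audit trail, and fast revocation) follow from one mechanism: a broker that issues a fresh credential per request, binds it to the requesting service and the target it may reach, and records every decision. The following simulation, added here as an illustration and not Vault's own code or API, shows that mechanism end to end. The broker, its policy table, the service names (`web`, `batch`, `db`) and the timings are all constructed for the example; the `authorize` call stands in for the backend-side check a database or service would perform.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical lease-based dynamic-secret broker, constructed for illustration.
# It is not Vault's implementation; it only models the properties described
# above: issue-on-request, time-limited leases, renewal, revocation, per-service
# scoping, and an audit log of every decision.


@dataclass
class Lease:
    lease_id: str
    secret: str          # short-lived credential handed to the requesting service
    client: str          # service that requested the secret
    target: str          # backend the secret is valid for
    expires_at: float    # absolute time (seconds) after which the secret is dead
    revoked: bool = False


@dataclass
class DynamicSecretBroker:
    # Constructed policy: which client service may obtain secrets for which backend.
    policy: dict
    leases: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def issue(self, client, target, ttl, now):
        """Generate a fresh secret scoped to (client, target), valid for ttl seconds."""
        if target not in self.policy.get(client, ()):
            # A request outside policy is itself a signal worth alerting on.
            self._log("issue_denied", client=client, target=target)
            return None
        lease = Lease(secrets.token_hex(8), secrets.token_urlsafe(24),
                      client, target, now + ttl)
        self.leases[lease.lease_id] = lease
        self._log("issue", client=client, target=target, lease_id=lease.lease_id)
        return lease

    def renew(self, lease_id, ttl, now):
        """Extend a live lease; expired or revoked leases cannot be renewed."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked or now >= lease.expires_at:
            self._log("renew_denied", lease_id=lease_id)
            return False
        lease.expires_at = now + ttl
        self._log("renew", lease_id=lease_id, client=lease.client)
        return True

    def revoke(self, lease_id):
        """Kill a secret immediately, e.g. when a breach is suspected."""
        lease = self.leases.get(lease_id)
        if lease is None:
            return False
        lease.revoked = True
        self._log("revoke", lease_id=lease_id, client=lease.client)
        return True

    def authorize(self, presented_secret, client, target, now):
        """Backend-side check: the secret must be live AND bound to this client/target."""
        for lease in self.leases.values():
            if hmac.compare_digest(lease.secret, presented_secret):
                ok = (not lease.revoked and now < lease.expires_at
                      and lease.client == client and lease.target == target)
                self._log("access" if ok else "access_denied",
                          lease_id=lease.lease_id, client=client, target=target)
                return ok
        self._log("access_denied", lease_id=None, client=client, target=target)
        return False


def denied_events(broker):
    """Audit entries a detection pipeline would alert on."""
    return [e for e in broker.audit if e["event"].endswith("_denied")]


def run_scenario():
    """Walk one lease through its lifecycle; returns the outcomes for inspection."""
    broker = DynamicSecretBroker(policy={"web": {"db"}})
    lease = broker.issue("web", "db", ttl=60, now=0.0)
    out = {"issued": lease is not None}
    out["valid_now"] = broker.authorize(lease.secret, "web", "db", now=10.0)
    out["renewed"] = broker.renew(lease.lease_id, ttl=60, now=50.0)   # expires at 110
    out["valid_after_renew"] = broker.authorize(lease.secret, "web", "db", now=100.0)
    # Same secret presented by a different service: scoping rejects it.
    out["cross_service"] = broker.authorize(lease.secret, "batch", "db", now=100.0)
    # A service with no policy for db cannot even obtain a secret.
    out["issue_denied"] = broker.issue("batch", "db", ttl=60, now=100.0) is None
    out["revoked"] = broker.revoke(lease.lease_id)
    out["after_revoke"] = broker.authorize(lease.secret, "web", "db", now=100.0)
    # A second lease simply ages out once its TTL has passed.
    second = broker.issue("web", "db", ttl=60, now=0.0)
    out["expired"] = broker.authorize(second.secret, "web", "db", now=61.0)
    out["denied_count"] = len(denied_events(broker))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Every denied decision lands in `broker.audit` with the client and target names, which is the signal the text describes: a service that should never reach the database showing up in `issue_denied` or `access_denied` entries is evidence of compromise rather than a routine error.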
"HashiCorp's Vault is one giant leap forward for practical security in a cloud environment," said Rob Witoff, Director at Coinbase. "The Shamir implementation is one of the best innovations we've seen for practical cloud security."

"Cisco is committed to helping organizations protect their intellectual property in an increasingly connected world. HashiCorp's Vault is a gigantic leap forward for secret management in distributed service architectures," said Keith Chambers, Technical Leader at Cisco Cloud Services. "Cisco is pleased to announce that Vault is used in our open source microservice-infrastructure community project to secure both the infrastructure and the containerized applications it hosts."

Vault stays true to the Tao of HashiCorp (https://hashicorp.com/blog/tao-of-hashicorp.html). It is a user-friendly product that solves a specific problem with excellence, and further shows HashiCorp's commitment to elegantly solving the hardest problems in distributed systems and datacenter automation.

"I'm incredibly proud of Vault and the team behind it," said Mitchell Hashimoto, Co-Founder and CEO of HashiCorp. "HashiCorp continues to push the boundary for operational excellence in many categories, now including security."

Availability
Vault is free and open source, and available to download today at https://vaultproject.io.