How HCP Vault Secrets, Radar Fight Sprawl of Corporate Secrets

SAN FRANCISCO – HashiCorp, the maker of open source-based Infrastructure as Code (IaC) software, can now find those old enterprise skeletons in closets, keep a company’s current IT secrets secret and make the process of doing it similar to using a regular cloud-based service.
At its recent HashiConf developer and partner conference, the San Francisco-based company unveiled a slate of new cloud-based services, including an alpha program for its HashiCorp Cloud Platform (HCP) Vault Radar, the general availability of HCP Vault Secrets, secrets sync beta for Vault Enterprise, and HashiCorp Vault 1.15. These new tools are designed to help enterprises secure their applications and services as they use a cloud operating model to enable their advancement from legacy data centers to the cloud.
Out of Beta
HashiCorp announced the beta program of Vault Secrets for Kubernetes last May. Secrets management for IT systems is the process of securely storing, managing and rotating sensitive data such as passwords, API keys, encryption keys and certificates. Secrets are essential for the operation of many IT systems but can be a major security risk if not properly managed.
Secrets sprawl is the uncontrolled proliferation of secrets throughout an organization’s infrastructure. When secrets are not properly managed, they can be easily exposed to attackers, leading to data breaches and other security incidents.
CEO Armon Dadgar told a packed house of about 1,300 at the conference that secrets management in 2023 needs a “multitenanted cloud data solution so that administrators don’t need to think about managing a cluster or scaling it — and that’s really much more of a SaaS-type experience.”
Since the public beta launched in May, Dadgar said: “We’ve had over 1 million secrets accesses, hundreds of organizations sign up and thousands of applications connected. We’ve gotten great feedback on it.”
New capabilities in Vault include:
- Centrally managing and enforcing access to secrets and systems based on trusted sources of application and user identity.
- Eliminating credential sprawl by identifying static secrets hardcoded throughout complex systems and tooling across an entire cloud estate.
- Reducing manual overhead and risk associated with managing access to infrastructure resources such as SSH, VPNs, applications and services.
- Automatically implementing authentication and authorization mechanisms to ensure that only authorized services can communicate with one another.
HCP Vault Radar will seek out old, dead secrets and become an adjunct application in the company’s toolkit. “Many enterprises struggle with the step before secrets management: finding all of the untracked secrets sprawled across their IT environments,” Dadgar said.
Last July, HashiCorp announced that it acquired BluBracket, whose application enabled users to scan, identify, and remediate secrets inadvertently stored in source code, development environments, internal wikis, chat services and ticketing systems. Secrets scanning is important for organizations working to control their sprawl without compromising efficiency. At the conference earlier this month, HashiCorp announced the integration of BluBracket IP into the HashiCorp product line as HCP Vault Radar.
HashiCorp also integrated Vault Radar’s secrets detection functionality in Git-based version control systems, AWS Configuration Manager, and directory structures in the HCP ecosystem, Dadgar said.
Vault Radar automates the detection, identification and removal of secrets in code. It also categorizes findings, ranks them by risk and provides a means to remediate them. Categories can include personally identifiable information (PII), non-inclusive language (NIL), code analysis (SAST), Infrastructure as Code (IaC) risks and dependency vulnerabilities.
The app works across multiple Git providers and integrates with enterprise CI/CD tools, version control, code servers, identity and access management (IAM) systems, messaging, ticketing and other IT resources.
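To make the detect, categorize and rank-by-risk workflow described above concrete, here is a toy scanner written for this article; it is not HashiCorp's or Vault Radar's code, and the rules, risk scores, path heuristics and sample files are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Toy detection rules of the kind a secrets scanner applies: a category,
# a base risk score (higher = remediate first) and a matching pattern.
RULES = [
    ("private_key", 10, re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key_id", 8, re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_password", 5,
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
]

@dataclass
class Finding:
    path: str
    line_no: int
    category: str
    risk: int
    excerpt: str  # masked, so the report itself does not leak the value

def mask(value):
    return value[:4] + "*" * (len(value) - 4)

def scan_file(path, lines):
    """Scan one file's lines; each finding gets a context-adjusted risk."""
    findings, is_fixture = [], ("test" in path.lower() or "example" in path.lower())
    for no, line in enumerate(lines, start=1):
        for category, base, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            risk = base
            if is_fixture:
                risk -= 3  # test data is lower priority, never ignored
            if "changeme" in line.lower() or "placeholder" in line.lower():
                risk -= 2  # looks like a template value, still worth a look
            findings.append(Finding(path, no, category, max(risk, 1), mask(match.group(0))))
    return findings

def scan_repo(files):
    """files: {path: [lines]}; returns every finding ranked by risk, highest first."""
    findings = [f for path, lines in files.items() for f in scan_file(path, lines)]
    return sorted(findings, key=lambda f: f.risk, reverse=True)

# Constructed sample repository: the AWS key is the AWS documentation example
# value and the PEM body is made up, so nothing here is a real credential.
SAMPLE_FILES = {
    "src/config.py": ['DB_HOST = "db.internal"', 'DB_PASSWORD = "hunter2hunter2"'],
    "deploy/creds.env": ["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
    "tests/fixtures/key.pem": ["-----BEGIN RSA PRIVATE KEY-----", "MIIEconstructed=="],
}
RANKED = scan_repo(SAMPLE_FILES)  # aws key (8), fixture private key (7), password (5)
```

The ranking is the point: the live cloud key in a deployment file lands above the private key sitting in a test fixture, which is the triage order a remediation queue wants.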
Organizations interested in testing these new features can request to be a part of the company’s early access program. Vault Radar is scheduled to be released in beta in January 2024, with general availability anticipated later in 2024.
HCP Vault Secrets features three key benefits:
- Centralized secrets management: Centralize secrets lifecycle management in one place so users can eliminate context switching between multiple secrets management applications.
- Secure secrets when and where you need them: Improved secrets versioning and access-control setup ensure secrets can be securely synced to multiple specific destinations, including AWS Secrets Manager, GitHub Actions and Vercel. Alternatively, app secrets can be fetched using the CLI, the API, Terraform or the Vault Secrets Operator.
- Get up and running for free: Users and organizations can get started with HCP Vault Secrets via the free Community edition or the standard paid tier.
Automating Executables for Terraform
Waypoint templates, a special project of company co-founder Mitchell Hashimoto’s, were announced last year. They have now been fortified with new functionality. Chris Van Wesep, VP of Product Marketing, told The New Stack that one of the longtime fundamental needs in development is to “abstract away all that complexity under the covers, and enable developers to have templated environments that they can self-service deploy.
“They need templates that fit the type of application that they’re looking to deploy, and it just works for them,” Van Wesep said. “That’s what Waypoint templates are about. It is an automation of calling Terraform executables that have been set up to provision and secure underlying infrastructure for folks.”
The new workflow features include app templates, which enable enterprise platform teams to abstract and standardize application scaffolding; and add-ons, which help define application dependencies, such as infrastructure resources, using HashiCorp Terraform, and make them available to application developers as dependencies.