Vault
Next steps
HashiCups has successfully concluded their POC of Vault and they are ready to design their production environment.
POC review
When HashiCups started their journey to learn about Vault, the CTO and CISO set several crucial requirements that any solution needed to meet.
Customer data encrypted
All HashiCups customer data must be encrypted. Through a thorough review of the Vault documentation and its security model, Alice learned that Vault encrypts everything it stores before the data reaches the storage backend, so the backend only ever holds ciphertext, and that client traffic is protected with TLS. That encryption is only as strong as the operational controls around it: the unseal keys (or the auto-unseal KMS) and the TLS configuration are what HashiCups must protect in production.
The team also found that the transit secrets engine lets their own applications encrypt and decrypt customer data through the Vault API, so HashiCups does not have to implement their own cryptographic libraries or manage key material. The keys live in Vault and, unless a key is deliberately created as exportable, never leave it.
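The transit workflow described above, as an added example that is not code from the HashiCups tutorial or from HashiCorp. It assumes the vault CLI is installed, VAULT_ADDR points at a running Vault and VAULT_TOKEN may manage transit/; the key name hashicups-customer, the file name transit_demo.sh and the sample customer record are hypothetical. It goes one step past the paragraph and shows key rotation and rewrapping, which is what an application needs to plan for once customer data is encrypted this way.

```sh
#!/bin/sh
# Added example, not part of the HashiCups tutorial: encryption as a service
# with the Vault transit secrets engine.  Assumes the vault CLI, VAULT_ADDR
# and a VAULT_TOKEN allowed to manage transit/.  The key name
# "hashicups-customer" and the sample record are hypothetical.
set -eu

KEY_NAME="hashicups-customer"

# Return the key version N from a transit ciphertext "vault:vN:<base64>".
# An application keeps this next to each stored record so that after a key
# rotation it can find the records that still need rewrapping.
ciphertext_key_version() {
  case "$1" in
    vault:v*) printf '%s\n' "$1" | cut -d: -f2 | sed 's/^v//' ;;
    *) printf 'not a transit ciphertext: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Transit takes base64 plaintext, so arbitrary bytes are safe to send.
encrypt_record() {
  vault write -field=ciphertext "transit/encrypt/$KEY_NAME" \
    plaintext="$(printf '%s' "$1" | base64 | tr -d '\n')"
}

decrypt_record() {
  vault write -field=plaintext "transit/decrypt/$KEY_NAME" ciphertext="$1" | base64 -d
}

main() {
  vault secrets enable transit 2>/dev/null || true   # already enabled on re-runs
  vault write "transit/keys/$KEY_NAME" type=aes256-gcm96

  ct=$(encrypt_record '{"customer":"alice@example.com","card_last4":"4242"}')
  echo "stored ciphertext: $ct"                      # vault:v1:...
  echo "decrypted: $(decrypt_record "$ct")"

  # Rotate the key: new encryptions use v2, v1 stays in the keyring so old
  # ciphertext still decrypts.  Rewrap moves stored ciphertext to the newest
  # version without the application ever seeing plaintext.
  vault write -f "transit/keys/$KEY_NAME/rotate"
  ct2=$(vault write -field=ciphertext "transit/rewrap/$KEY_NAME" ciphertext="$ct")
  echo "rewrapped from v$(ciphertext_key_version "$ct") to v$(ciphertext_key_version "$ct2")"

  # Once every record is rewrapped, retire v1 so nothing can decrypt with it.
  vault write "transit/keys/$KEY_NAME/config" min_decryption_version=2
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it against a POC server with `sh transit_demo.sh run`. The important design choice is that the application never holds a key: it only ever sees ciphertext and the key version, and raising min_decryption_version is how you make a retired key version unusable without deleting it.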
Restrict access and time box access
HashiCups wants to restrict access to their secrets management solution and to external services by eliminating long-lived credentials. By combining Vault auth methods, identities and policies, they can ensure that only the people or workloads that require access to a resource can request it, and that every request is recorded against an authenticated identity once an audit device is enabled.
Dynamic secrets engines such as the database secrets engine or the secrets engines for public cloud providers let them create just-in-time credentials for those environments. Each dynamic credential is unique to the requester, short-lived and revoked automatically when its lease expires, so a leaked credential is only useful for a short window and can be traced back to the client that requested it.
When HashiCups combines Vault policies with dynamic secrets engines, the policy decides which people or workloads may request a credential and the lease decides how long it stays valid, so only the right identities get access to their environment, and only for as long as they need it.
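The restrict-access and dynamic-secrets requirements above, as an added example that is not code from the HashiCups tutorial or from HashiCorp. It assumes the vault CLI, VAULT_ADDR and an administrative VAULT_TOKEN, plus a PostgreSQL database named hashicups on 127.0.0.1:5432 with an admin user vaultadmin whose password is in DB_ADMIN_PASSWORD; the role, policy and AppRole names, the order service and the file name dynamic_db_demo.sh are hypothetical. Besides issuing a credential it checks the negative case, that the workload is denied everything its policy does not grant.

```sh
#!/bin/sh
# Added example, not part of the HashiCups tutorial: just-in-time PostgreSQL
# credentials for one HashiCups workload, gated by a least-privilege policy.
# Assumes a running Vault (VAULT_ADDR/VAULT_TOKEN with admin rights) and a
# PostgreSQL database "hashicups" on 127.0.0.1:5432 with admin user
# "vaultadmin" (hypothetical).  Role, policy and AppRole names are hypothetical.
set -eu

# The order service may only request a read-only database credential and
# renew its own lease.  Nothing else on the database/ mount is visible to it.
order_service_policy() {
  cat <<'EOF'
path "database/creds/hashicups-readonly" {
  capabilities = ["read"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
EOF
}

# Number of path stanzas, so an operator can sanity-check the policy size.
policy_path_count() { order_service_policy | grep -c '^path '; }

main() {
  vault secrets enable database 2>/dev/null || true
  # POC only: sslmode=disable.  Production should use sslmode=verify-full.
  vault write database/config/hashicups \
    plugin_name=postgresql-database-plugin \
    allowed_roles=hashicups-readonly \
    connection_url="postgresql://{{username}}:{{password}}@127.0.0.1:5432/hashicups?sslmode=disable" \
    username=vaultadmin password="${DB_ADMIN_PASSWORD:?set the initial admin password}"
  # Let Vault rotate the admin password so no human knows it any more.
  vault write -f database/rotate-root/hashicups

  # Every read of database/creds/hashicups-readonly creates a fresh PostgreSQL
  # role that is dropped when its lease expires (1h, renewable up to 24h).
  vault write database/roles/hashicups-readonly \
    db_name=hashicups \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=1h max_ttl=24h

  order_service_policy | vault policy write order-service -
  vault auth enable approle 2>/dev/null || true
  vault write auth/approle/role/order-service token_policies=order-service token_ttl=1h

  # The workload logs in with its RoleID/SecretID and gets a token that
  # carries only the order-service policy.
  role_id=$(vault read -field=role_id auth/approle/role/order-service/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/order-service/secret-id)
  app_token=$(vault write -field=token auth/approle/login role_id="$role_id" secret_id="$secret_id")

  VAULT_TOKEN="$app_token" vault read database/creds/hashicups-readonly   # username, password, lease_id
  # Anything outside the policy is denied even though the engine is mounted.
  if VAULT_TOKEN="$app_token" vault read database/config/hashicups >/dev/null 2>&1; then
    echo "unexpected: order-service could read the database config" >&2
    exit 1
  fi
  echo "policy check passed: database/config/hashicups denied to order-service"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run with `DB_ADMIN_PASSWORD=... sh dynamic_db_demo.sh run`. The rotate-root step is the detail most POCs skip: after it, the only credential that can create database users is held by Vault, and every user that exists in PostgreSQL maps to a lease that Vault can revoke.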
Allow teams to securely store secrets
Through the use of Vault secrets engines, HashiCups can design a strategy that allows all teams to securely store and share sensitive information. Teams at HashiCups can store static secrets using the key/value (KV) secrets engine, and individuals can share information using Vault's cubbyhole secrets engine, which is private to a single token and destroyed when that token expires. Response wrapping builds on cubbyhole: the secret is placed in the cubbyhole of a short-lived, single-use wrapping token that is handed to the recipient, and a second unwrap attempt fails, which tells the recipient if the token was intercepted on the way.
Disaster recovery and scalability
Vault Enterprise replication lets HashiCups add disaster recovery (DR) replicas that can be promoted if the primary cluster is lost, and performance replicas that scale out read workloads.
Multiple deployment options and avoiding vendor lock-in
The final HashiCups requirement was to ensure that any new solution is not tied to any one provider. HashiCorp Vault is available in multiple editions and supports multiple deployment options, which meets HashiCups' requirements.
HashiCups can run Vault on bare-metal servers, virtual machines, or containers managed by various container orchestration platforms such as Kubernetes or OpenShift.
Vault also provides dynamic secrets for the major cloud providers such as AWS and Azure, and supports authentication through single sign-on (OIDC), allowing HashiCups to use any number of services without being locked in to a single provider.
Platform team next steps
The platform team will review HashiCorp's Well Architected Framework. This framework provides best practices for organizations adopting HashiCorp products.
The framework pillars include:
Architect next steps
Alice, the lead architect for the HashiCups platform team, will meet with teams across the company to gather technical and business requirements. This will help with preparing a complete Vault design that can be used by the operations team, who will deploy and configure Vault.
- Review Vault reference architecture
- Use Vault documentation to select plugins that support HashiCups business and technical requirements.
Operations next steps
When Alice completes the Vault design, Oliver and the operations team will deploy and configure Vault with the required plugins and policies.
- Configure and unseal Vault
- Create policies to manage access
- Enable and configure auth methods
- Enable and configure secrets engines
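The four operations steps above, carried through end to end, plus the cubbyhole-based sharing mentioned under "Allow teams to securely store secrets", as an added example that is not code from the HashiCups tutorial or from HashiCorp. It assumes the vault CLI and a VAULT_ADDR pointing at a freshly installed, uninitialised Vault server; the user danielle, the policy hashicups-dev, the path secret/hashicups/db and the file name bootstrap_demo.sh are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the HashiCups tutorial: first-run bootstrap of a
# new Vault server.  Assumes the vault CLI and VAULT_ADDR pointing at an
# uninitialised server; user "danielle", policy "hashicups-dev" and the path
# secret/hashicups/db are hypothetical.  The unseal keys are parsed into shell
# variables only because this is a POC walk-through: in production each share
# goes to a separate custodian (vault operator init -pgp-keys=...) or you use
# auto-unseal with a KMS/HSM so that no share is ever on a host.
set -eu

# Pull "Unseal Key N: ..." and "Initial Root Token: ..." out of the text
# output of `vault operator init` (no jq needed).
unseal_keys_from_init_output() { printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9]*: //p'; }
root_token_from_init_output()  { printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'; }

main() {
  # 1. Initialise: 5 key shares, any 3 of which unseal the server.
  init_out=$(vault operator init -key-shares=5 -key-threshold=3)

  # 2. Unseal: each call submits one share; the server unseals at the threshold.
  unseal_keys_from_init_output "$init_out" | head -n 3 | while read -r key; do
    vault operator unseal "$key" >/dev/null
  done
  vault status | grep -q '^Sealed *false' || { echo "still sealed" >&2; exit 1; }
  VAULT_TOKEN=$(root_token_from_init_output "$init_out")
  export VAULT_TOKEN

  # 3. Policy: developers may manage their team's KV secrets and nothing else.
  #    kv-v2 data lives under <mount>/data/, which is what the policy must name.
  vault policy write hashicups-dev - <<'EOF'
path "secret/data/hashicups/*" {
  capabilities = ["create", "read", "update"]
}
EOF

  # 4. Auth method for humans, each user mapped to the policy above.
  vault auth enable userpass
  vault write auth/userpass/users/danielle \
    password="${DANIELLE_PASSWORD:?set an initial password}" token_policies=hashicups-dev

  # 5. Secrets engine: versioned KV for static secrets.
  vault secrets enable -path=secret kv-v2
  vault kv put secret/hashicups/db username=app password='poc-only-password'

  # Sharing through cubbyhole: response wrapping stores the read result in a
  # single-use wrapping token's cubbyhole.  Only the token holder can unwrap
  # it, once; a second unwrap fails, which is the tamper-evidence signal.
  wrap_token=$(vault read -wrap-ttl=300s -field=wrapping_token secret/data/hashicups/db)
  echo "hand this to the recipient out of band: $wrap_token"
  vault unwrap -format=json "$wrap_token"

  # The root token should not outlive bootstrap; humans log in with userpass.
  vault token revoke -self
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run with `DANIELLE_PASSWORD=... sh bootstrap_demo.sh run` against a throwaway server. Revoking the root token at the end is deliberate: the root token is only needed to bootstrap auth methods and policies, and keeping it around is the single most common finding in a Vault review.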
Developer next steps
Danielle and the rest of the development team will start planning how they can integrate their applications and platforms with Vault.
SRE next steps
To ensure Vault stays available and to catch errors early, the site reliability team, led by Steve, will prepare to integrate Vault's observability sources (telemetry metrics and audit device logs) into their monitoring and SIEM platforms.
In addition to each team preparing for the Vault implementation, several team members will be pursuing Vault certifications such as the Vault Associate certification to validate their knowledge of Vault.