Hashicorp Vault - OPEN Public Sector

© 2018 HashiCorp
Vault
Cloud Security Automation

About HashiCorp
Leading Cloud Infrastructure Automation
Founded
2012
Employees
700
Funding
174M
Our software stack enables the provisioning, securing, connecting
and running of apps and the infrastructure to support them.
We unlock the cloud operating model for every business and
enable their digital transformation strategies to succeed.

The Transition to Cloud and Multi-Cloud
Traditional Datacenter
“Static”
Modern Datacenter
“Dynamic”
Dedicated
Infrastructure
Private
Cloud
AWS Azure GCP ...+ + +

“Static”
Modern Datacenter
“Dynamic”
Dedicated
Infrastructure
Private
Cloud
“Tickets-based” “Self service”

“Static”
Modern Datacenter
“Dynamic”
Dedicated
Infrastructure
Private
Cloud
SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT
“Tickets-based” “Self service”

Digital experiences are now the primary
interface between a customer and a
business, or business and business.
Experiences are typically device- and
cloud-ﬁrst: rich, personal interface, with large
scale data processing and intelligence.
Cloud adoption is a secular trend
This patterns demands a change in the
model for software delivery to meet delivery
goals, and transformation objectives.
Digital transformation means pressure on application delivery

Accelerating Application Delivery
Facets of delivering applications
in a multi cloud world
Volume and distribution of services
Ephemerality and immutability
Multiple target environments
?
App
App

Reimagining the stack
The implications of the Cloud Operating Model
Provision
Operations
Dedicated servers
Homogeneous
Capacity on-demand
Heterogeneous
STATIC DYNAMIC

Secure
Security
High trust
IP-based
Low trust
Identity-based
Provision
Operations
Dedicated servers
Homogeneous
Capacity on-demand
Heterogeneous
STATIC DYNAMIC

Connect
Networking
Host-based
Static IP
Service-based
Dynamic IP
Secure
Security
High trust
IP-based
Low trust
Identity-based
Provision
Operations
Dedicated servers
Homogeneous
Capacity on-demand
Heterogeneous
STATIC DYNAMIC

Run
Development
Dedicated
Infrastructure
Scheduled across the ﬂeet
Connect
Networking
Host-based
Static IP
Service-based
Dynamic IP
Secure
Security
High trust
IP-based
Low trust
Identity-based
Provision
Operations
Dedicated servers
Homogeneous
Capacity on-demand
Heterogeneous
STATIC DYNAMIC

The Cloud Landscape
In search of a common model across multi-cloud environments
Run
Development
Connect
Networking
Secure
Security
Provision
Operations
DEDICATED
PRIVATE
CLOUD
vSphere
Hardware
IP:
Hardware
vCenter
vSphere
Various
Hardware
Identity:
AD/LDAP
Terraform
EKS / ECS
Lambda
CloudApp/
AppMesh
Identity:
AWS IAM
Cloud
Formation
AKS / ACS
Azure Functions
Proprietary
Identity:
Azure AD
Resource
Manager
GKE Cloud
Functions
Proprietary
Identity:
GCP IAM
Cloud
Deployment
Manager
AWS AZURE GCP

The HashiCorp Stack
A control plane for every layer of the cloud operating model
Run
Development
Connect
Networking
Secure
Security
Provision
Operations
PRIVATE
CLOUD
AWS AZURE GCP

Private Cloud
Cloud Provisioning with Terraform
A common Cloud Operating Model
AWS Azure GCP
Provision
Operations
Secure
Security
Connect
Networking
Run
Development

Core + Provider Model
● Expose the unique services of each infrastructure
platform, but provide a consistent workﬂow

Core + Provider Model
● Expose the unique services of each infrastructure
platform, but provide a consistent workﬂow
● 200+ Providers exist for any infrastructure or
application element
i. Enabled by the open source model of 1200+
contributors

A single Terraform template contains the
entire infrastructure topology
● Platform services AND the conﬁguration of
any dependencies
i. eg. 4 AWS services plus k8s

Self Service Provisioning
Templates can be made available to
any development team for
self-provisioning
Multi-Cloud Provisioning &
Compliance
Operations teams can enforce security
& policy at provisioning time with
Terraform Enterprise

Before
Developer or
CI / CD System
TF CLI
TF Template

Codiﬁed policies enforce security, compliance, and
operational best practices across all cloud provisioning
Before
Developer or
CI / CD System
TF CLI
TF Template
After
Developer or
CI / CD System
TF CLI
TF Template
TFE
■ Policy
■ Governance

Terraform
Provides the foundation for cloud infrastructure automation using infrastructure
as code for provisioning and compliance in the cloud operating model
Multi-Cloud Compliance & Management to
provision and manage any infrastructure with one
workﬂow
Self-Service infrastructure for users to easily
provision infrastructure on-demand with a library of
approved infrastructure modules
300+
Customers
100K+
Weekly D/Ls
200
Providers
Trusted by:

Private Cloud
Cloud Security with Vault
AWS Azure GCP
Provision
Operations
Secure
Security
Connect
Networking
Run
Development

Vault
Provides the foundation for cloud security that leverages trusted sources of identity to keep
secrets and application data secure in the cloud operating model
Secrets management to centrally store and
protect secrets across clouds and applications
Data encryption to keep application data secure
across environments and workloads
Advanced Data Protection to secure workloads
and data across traditional systems, clouds, and
infrastructure.
300+
Enterprise
Customers
1M+
Monthly D/Ls
2T+
Transactions
Trusted by:

Private Cloud
Cloud Networking with Consul
AWS Azure GCP
Provision
Operations
Secure
Security
Connect
Networking
Run
Development

Traditional Networking
A. Provision load-balancers to create static IP
B. Artifact deployed
C. Firewall rule updated to allow traﬃc
Average time to traﬃc ~ 6 weeks
Load balancer sprawl ($$!) but also as single
point of failure for each service

Networking with Consul
● Service Registry enables Routing
○ From IP-Address to Name
○ Services register and discover each
other. Consul server maintains the map
of service location

○ From IP-Address to Name
○ Services register and discover each
other. Consul server maintains the map
of service location
○ Consul enables routing directly to
services

● Service Segmentation for Security
○ Consul Connect enables
service-to-service communication
○ Foundation of zero-trust model
■ “Service Mesh”

● Service Segmentation for Security
○ Consul Connect enables
service-to-service communication
○ Foundation of zero-trust model
■ “Service Mesh”
A common service registry across heterogeneous environments is the basis
for multi-cloud service networking

Consul
Provides the foundation for cloud network automation as a central service
registry for service-based networking in the cloud operating model
50k+
Used at scale with
50k+ agents
1M+
Monthly D/Ls
Service registry & health monitoring to provide a
real-time directory of all services with their health status
Network middleware automation with service
discovery for dynamic reconﬁguration as services scale
up, down or move
Zero trust network with service mesh to enable
identity-based security enforced at the endpoints via
sidecar proxies
Trusted by:

Private Cloud
Cloud Scheduling with Nomad
AWS Azure GCP
Provision
Operations
Secure
Security
Connect
Networking
Run
Development

Principle: Application Orchestration
Vault enables applications and operators to leverage trusted identities and use Vault to broker
access to diﬀerent clouds, systems, and endpoints.Nomad helps deploy containerized, virtualized or standalone applications on cloud, on-premise
or hybrid infrastructure, with built-in reliability and security

Nomad Use Cases
Flexible Container & Workload
Organization
Deploy and manage any
containerized, legacy, or batch
application.
Multi-Cloud Workload Management
Safely manage workloads across
regions and cloud providers
Eﬃcient Resource Utilization
Increase resource utilization, reduce
ﬂeet sizes, and cut costs.

Nomad
Provides the foundation for cloud application automation by enabling
workload orchestration in the cloud operating model
Container Orchestration for deploying, managing and
scaling containerized applications
Legacy Application Orchestration to containerize,
deploy and manage legacy apps on existing infrastructure
Batch Workload Orchestration to enable ML, AI, data
science and other intensive workloads in high
performance computing (HPC) scenarios
Trusted by:
4.7k+
GitHub Stars
20k+
Monthly D/Ls

A Common Cloud Operating Model to
Accelerate Application Delivery
App
?

App Operations

App
Operations
Security

App
Operations
Security
Networking

App
Operations
Security
Networking
Development
App

App
Operations
Security
Networking
Development
App
GOVERNANCE
POLICY

Securing a datacenter was easy...
● All unauthorized traﬃc or access could be
restricted/blocked
● Networks were trusted and apps and databases
can interconnect with ease
● Four walls and trusted network protected secrets
and sensitive information
But what happens when your apps and infrastructure
extend to the multiple datacenters, cloud, or all the
above?

Run
Development
Dedicated
Infrastructure
Scheduled across the ﬂeet
Connect
Networking
Host-based
Dynamic IP
Service-based
Dynamic IP
Secure
Security
High trust
IP-based
Low trust
Identity-based
Provision
Operations
Dedicated servers
Homogeneous
Capacity on-demand
Heterogeneous
STATIC DYNAMIC

1 2 3
© 2018 HashiCorpVAULT PRINCIPLES
Vault
Principles
API
Driven
Use policy to codify, protect,
and automate access to
secrets.
$ curl
--header "X-Vault-Token: ..."
--request POST
--data @payload .json
https ://127.0.0.1:8200/v1/secret/config
47

1 2 3
Vault
Principles
Secure with any
Identity
Leverage any trusted identity
provider, such as cloud IAM
platforms, Kubernetes, Active
Directory, to authenticate into
Vault.
48

1 2 3
Vault
Principles
Extend
and Integrate
Request secrets for any system
through one consistent,
audited, and secured workﬂow.
49

© 2018 HashiCorpVAULT PRINCIPLE 50
Guiding Principle:
Identity Brokering
● Authenticate and access different clouds, systems,
and endpoints using trusted identities
● Leverage multiple identities across different
platforms with single policy enforcement
● Integrate trusted identities in the same application
workflow to reduce operational overhead

Vault
Provides the foundation for cloud security that leverages trusted sources of identity to keep
secrets and application data secure in the cloud operating model
Identity of requester
authenticated against any
identity model prior to
granting access
Policies deﬁned by the
Security team and
enforced at runtime.

© 2018 HashiCorpUSE CASE: SECRETS MANAGEMENT
Secrets for applications and systems need to be
centralized and static IP-based solutions don't
scale in dynamic environments with frequently
changing applications and machines.
BEFORE
● Reduced productivity from secret sprawl and
conﬁguration complexity
● Increased cost with redundant management and
diﬃculty in adopting new systems
● Increased risk with more complexity, thereby
increasing the threat surface and risking
non-compliance with major regulatory laws and
requirements
The ChallengeUse Case:
Secrets
Management
Centrally store, access
and distribute
dynamic secrets
across applications,
systems, and
infrastructure.
53

© 2018 HashiCorp
Vault centrally manages and enforces access to
secrets and systems based on trusted sources of
application and user identity.
AFTER
● Increase productivity & reduce time to deploy security
workﬂows with centralized management
● Control costs with automated compliance and policy
management, controls to support teams to self-manage
their own environments
● Reduce risk with dynamic secrets, control groups, and
other tools to allow Vault to conduct security operations
while protecting sensitive information in ﬂight and at rest.
The SolutionUse Case:
Secrets
Management
Centrally store, access
and distribute
dynamic secrets
across applications,
systems, and
infrastructure.
USE CASE: SECRETS MANAGEMENT 54

© 2018 HashiCorpUSE CASE: DATA ENCRYPTION
All application data should be encrypted, but
deploying cryptography and key management
infrastructure is expensive, hard to develop
against, and not cloud or multi-datacenter
friendly.
BEFORE
● Increased costs around HSMs and support
● Reduced productivity with multiple workﬂows/APIs to
learn cryptographic standards across an organization
and diﬀerent projects and restricted access to HSMs
● Increased risk with multiple attack surfaces to intercept
and steal sensitive data
The ChallengeUse Case:
Data
Protection
Protect sensitive data
with centralized key
management and
simple APIs for data
encryption.
56

© 2018 HashiCorpUSE CASE: DATA ENCRYPTION
Vault provides encryption as a service with
centralized key management to simplify
encrypting data in transit and at rest across
clouds and datacenters.
AFTER
● Reduce costs around expensive HSMs and licensing
● Increase productivity and revenue with a consistent
workﬂow and cryptographic standards across an
organization
● Reduce risk of data exposure by encrypting sensitive
data in transit and at rest using centrally managed and
secured encryption keys in Vault, all through a single
workﬂow and API
The SolutionUse Case:
Data
Protection
Protect sensitive data
with centralized key
management and
simple APIs for data
encryption.
57

© 2018 HashiCorpVAULT UNSEAL
Shamir’s Secret Vault Unsealing
▪ Protect Encryption Key with Master Key
▪ Split Master Key into N shares
▪ K shares to re-compute Master
▪ Quorum of key holders required to unseal
▪ Default K:5, T:3
Shared keys Master keys Encrypted keys
61

Automated Vault Unsealing
▪ HSM encryption key protects master
key
▪ Communication with HSM via PKCS11
API to decrypt Master Key
HSM key Master keys Encrypted keys
PKCS11
62

Cloud Key Service Automated Vault
Unsealing
▪ Cloud based encryption key protects
master key
▪ Supported cloud services:
▪ Google Cloud Key Management Services
▪ AWS Key Management Services
▪ AliCloud
▪ Azure Key Vault
Cloud based key Master keys Encrypted keys
63

© 2018 HashiCorpDISASTER RECOVERY REPLICATION
Multi-site replication topology
Active Standby
Active Standby
Active Standby
Active Standby Active Standby
Active Standby
Performance
Replication
PerformanceReplication
DR
Replication
DR
Replication
DR
Replication
Active
Cluster
Standby
Cluster
67

© 2018 HashiCorpVAULT ADOPTION
About Vault
250+ Enterprise Customers Worldwide
1M+ Monthly Downloads
10.4K+ Github Stars
2T+ Transactions
Product Launch2014
69

© 2018 HashiCorp
ORGANIZATIONAL COMPLEXITY
OPEN SOURCE AND ENTERPRISE
Vault
Adoption
Enterprise products
build on open source
to address
organizational
complexity.
Adoption
Open Source Enterprise
Advanced
Scale
Strategic
70
Secrets, identity,
and policy management
Governance & Policy
Multi-datacenter & Scale
Secrets, identity,
Advanced Data Protection
Secrets, identity, and policy management

© 2018 HashiCorpOPEN SOURCE AND ENTERPRISE
Vault
Packages
Enterprise products
build on open source
to address
organizational
complexity.
ORGANIZATIONAL COMPLEXITY
Secrets, identity,
INDIVIDUALS
Open Source Enterprise
Platform
TEAMS
SUPPORT
Secrets, identity,
Collaboration & Operations
Enterprise
Modules
ORGANIZATIONS
SUPPORT
Secrets, identity,
Collaboration & Operations
Governance
& Multi-datacenter
71

www.hashicorp.com
hello@hashicorp.com
Thank you

Hashicorp Vault - OPEN Public Sector

More Related Content

What's hot (20)

Similar to Hashicorp Vault - OPEN Public Sector (20)

More from Kangaroot (20)

Recently uploaded (20)

Hashicorp Vault - OPEN Public Sector