On the 7th of April 2021, HashiCorp announced the general availability of HCP Vault, the melding of its Vault product with the HashiCorp Cloud Platform. It is interesting to think about how security has moved from the classic castle-and-moat model, where entry to your services was through defined, guarded entry points protected by sentries (WAFs and traditional firewalls), to a zero-trust position, where entry is granted based on identity, role and need. HashiCorp has a major, if somewhat quiet, presence here, with products like Vault, Boundary and Consul providing identity-driven controls to protect assets in a cloud-first world.
Just as the physical castle and moat became obsolete through advances in offensive capability and military strategy, our logical castle and moat is no longer sufficient to protect digital assets. What use is a wall when the attacker can paradrop troops directly onto the roof of your keep, bypassing every murder-hole and vat of boiling oil?
This means a change in focus from "we are safe within our walls" to zero trust: the assumption that the adversary is already inside. Traditionally the answer was segmentation, this subnet may talk to that subnet, which simply repeated the edge controls internally. That is not a secure solution, particularly if the same vendor supplies both your bastion and your internal checkpoints: a zero-day that works at point A also works at point B. Zero trust changes the focus from protecting things to verifying access. Your DBAs will still have elevated access to the databases, but their identity will be verified, their location may be verified and their device will be verified, on each request rather than once at the perimeter. And instead of granting access to IP address x.x.x.x, access is granted at the service or name level, because there is no guarantee that x.x.x.x will still exist in the more ephemeral environments you get with Kubernetes-orchestrated databases.
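What "access at the service or name level, tied to a verified identity" looks like in Vault terms, as an added example written for this post rather than taken from it or from HashiCorp: a Terraform configuration for the Vault provider that lets a Kubernetes workload prove who it is with its service-account token and then draw a short-lived database credential by role name. The namespace, service-account name, database host and TTLs are placeholders chosen for illustration; the database is reached by its DNS name, so the policy survives the pod being rescheduled to a new IP.

```hcl
# Added example (Terraform, Vault provider). Names, hosts and TTLs are
# placeholders, not values from the page.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

variable "reporting_pg_root_password" {
  type      = string
  sensitive = true   # supplied out of band; never committed
}

# The policy names a path, not a network location. Whoever proves the right
# identity may read a fresh credential for the "reporting" database role.
resource "vault_policy" "reporting_reader" {
  name   = "reporting-reader"
  policy = <<-EOT
    path "database/creds/reporting" {
      capabilities = ["read"]
    }
  EOT
}

# Kubernetes auth: the caller presents its service-account JWT and Vault checks it
# against the cluster's token-review API on every login, so identity is verified
# each time rather than assumed from a source subnet.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

resource "vault_kubernetes_auth_backend_config" "this" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443"   # assumed in-cluster address
}

resource "vault_kubernetes_auth_backend_role" "reporting" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "reporting"
  bound_service_account_names      = ["reporting-api"]   # hypothetical workload
  bound_service_account_namespaces = ["analytics"]
  token_policies                   = [vault_policy.reporting_reader.name]
  token_ttl                        = 3600
}

# Database secrets engine: Vault holds the one privileged credential and mints
# short-lived users on demand, so the application never holds a long-lived password.
resource "vault_mount" "database" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "reporting_pg" {
  backend       = vault_mount.database.path
  name          = "reporting-pg"
  allowed_roles = ["reporting"]

  postgresql {
    # Service name, not IP: the Postgres pod may move, its cluster DNS name stays.
    connection_url = "postgresql://{{username}}:{{password}}@reporting-db.analytics.svc:5432/reporting?sslmode=require"
    username       = "vault-root"   # assumed admin user whose password Vault may rotate
    password       = var.reporting_pg_root_password
  }
}

resource "vault_database_secret_backend_role" "reporting" {
  backend     = vault_mount.database.path
  name        = "reporting"
  db_name     = vault_database_secret_backend_connection.reporting_pg.name
  default_ttl = 900    # 15-minute credentials by default
  max_ttl     = 3600   # never renewable beyond an hour
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

The point to notice is that nothing in this configuration mentions a client IP: the workload's identity is checked on login, the policy is scoped to a path, and the credential it returns expires on its own, so a compromised pod yields at most a few minutes of read-only access to one database.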
HashiCorp’s Vault has provided this functionality for a number of years and is a mature solution for tokenization, certificate management and secret-keeping. It is not, however, a simple product to deploy. That has improved somewhat since the release of integrated storage (the Raft storage backend), which removed the need to run a separate Consul cluster as Vault’s storage backend, but building a resilient deployment to protect your machine access is still not a trivial task. Enter Vault on the HashiCorp Cloud Platform. We wrote about this when it was announced as a public beta and have been following it with interest.
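To make the "still not trivial" concrete, here is an added example (not from the page or from HashiCorp) of what one node of a self-managed three-node cluster on integrated storage needs in its server configuration, with the older Consul storage stanza left commented out for contrast. Hostnames, file paths, the KMS key alias and the region are placeholders.

```hcl
# Added example: vault.hcl for node vault-1 of a 3-node cluster on integrated
# storage. Hostnames, paths and key identifiers are placeholders.

# Before integrated storage, the HA-capable choice was a separate Consul cluster,
# which then had to be sized, secured (ACLs, TLS, gossip keys) and backed up itself:
#
# storage "consul" {
#   address = "127.0.0.1:8500"          # local Consul agent
#   path    = "vault/"
#   token   = "CONSUL_ACL_TOKEN"        # placeholder ACL token
# }

# Integrated storage: the Vault nodes replicate their own Raft log, so there is
# one system to operate instead of two.
storage "raft" {
  path    = "/var/lib/vault/raft"
  node_id = "vault-1"                   # must be unique per node

  # Peers to join on start-up; each node lists the others so the cluster
  # converges whatever order the nodes come up in.
  retry_join {
    leader_api_addr = "https://vault-2.example.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-3.example.internal:8200"
  }
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"      # Raft/replication traffic between nodes
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  # tls_disable is deliberately left unset: Raft replication must run over TLS.
}

# Addresses advertised to clients and to the other nodes; every node sets its own.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"

# Auto-unseal through a cloud KMS so a restarted node rejoins without a human
# supplying Shamir key shares. The key alias is an assumption.
seal "awskms" {
  region     = "eu-west-1"
  kms_key_id = "alias/vault-unseal"
}

ui = true
```

Even this minimal file implies TLS issuance for three hosts, a KMS key with a least-privilege policy, Raft snapshots on a schedule and a tested restore, which is the operational burden HCP Vault is selling relief from.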
So what is different between Vault GA and Vault Beta?
This is a fully managed service, currently offered in two tiers. The Dev tier is a single node, supports namespaces, has a soft limit of 25 clients and comes with email support; at $0.03 an hour it is a very cheap entry point. The Standard SKU is defined as production-ready: a 3-node HA cluster, 24-hour monitoring and daily backups, with full enterprise-level support, but it is significantly more expensive at $1.578 an hour. A third option is an annual contract, for which you will need to contact the sales team.
The first thing of note is that, unlike the public beta, there are a number of locations in which you can install your Vault instance; currently the following five regions are available:
To my mind, one major shortcoming is that there is currently no availability in any APAC region, and the service is still only available on AWS. Because it is a managed service, though, you do not need an AWS account of your own to consume it; you only need one if you want to connect your own VPC to the HVN for private access.
What is Missing in HCP Vault General Availability?
As already stated, it is currently only available on AWS. Other cloud providers are to be brought online, although there is no timeline for this. You are also locked to the region in which your HVN (HashiCorp Virtual Network) is instantiated, and support for AWS Transit Gateways is only promised for further down the line. It is nice to have a published roadmap, but again it lacks any detail on timelines.
For a 1.0 product, HCP Vault General Availability is an excellent start, and if you are beginning your Vault journey the HCP route is an excellent option. For me personally, however, this release fails by not having a defined migration path for those already using the product, and this is true for both the OSS and the Enterprise version.
As an Enterprise customer you may be able to engineer a migration by setting up replication between your current Enterprise Vault deployment and your HCP instance and then failing over to the cloud version, but this has not been verified in practice. For those using the OSS version this is not an option, and they appear to have been left out in the cold. That will obviously cause a massive amount of friction to enablement for a very large subset of the user base, which is a shame.