Our DevOps consultants often get asked about the use of specific technologies and if they would make a good fit for the inquirer’s organization. One of those technologies that we frequently field questions about is HashiCorp Vault. As a result, we think you’ll be interested in this short story of a financial services organization who moved to Vault to improve its secret management system. (For a fuller version of this story, please access the case study here.)
As a publicly traded company managing highly sensitive personal financial data, the company is subject to multiple security regulations and has an overall culture of assertive risk management. However, the financial services firm was relying on a secret management solution that did not meet these high security needs: it made secret leaks difficult to detect, did not support dynamic secrets, and made frequent secret rotation difficult. Having researched a solution, this organization sought a high availability design with HashiCorp Consul and Vault that would result in near-zero downtime for its applications and users while addressing these specific concerns.
This payment card provider reached out to Flux7 DevOps consulting experts, a HashiCorp partner, to assist. We went to work, helping them install and configure a high availability Consul and Vault cluster on top of the company's existing infrastructure.
The project had three goals:
- Guide the financial services organization’s architects and developers during installation and configuration of Vault and Consul.
- Instruct the company’s teams in how to use Vault, including its various backends and the workflows around each one.
- Establish security automation.
As part of its implementation structure, Flux7 puts a strong focus on teaching its clients the skills needed to maintain and build upon their solution, and this installation was no different: along the way, the customer learned from Flux7 security consultants how to create and configure the system moving forward. The result: a highly available federated installation of Vault and Consul that the team could actively manage themselves.
Secret rotation had been a security concern for this company. As a result, we used Vault’s automatic rotation capabilities to handle rekeying and key rotation in this highly available deployment. Another key part of the project was establishing automatic rotation of root account credentials for middleware services without manual intervention and with minimal application downtime. Our architecture ensured that consul-template communicated securely with Vault, cycling root credentials based on lease expiration.
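To show what lease-driven credential cycling through consul-template looks like, here is an added example configuration; it is not taken from the case study or from the customer's deployment. It assumes a Vault database secrets engine mounted at `database/` with a role named `app-readwrite`, an internal CA bundle, and a systemd service that reloads its database connection when its environment file changes; all addresses and paths are assumptions.

```hcl
# Added example (not from the case study). Addresses, paths and the role name are assumed.
# consul-template configuration, e.g. /etc/consul-template.d/app-db.hcl

vault {
  address     = "https://vault.example.internal:8200"   # assumed Vault address
  # consul-template authenticates with the token in VAULT_TOKEN (or a token file)
  # and keeps renewing it, so it never keeps running on an expired identity.
  renew_token = true

  ssl {
    enabled = true
    verify  = true                          # keep certificate verification on
    ca_cert = "/etc/ssl/internal-ca.pem"    # assumed internal CA bundle
  }
}

template {
  # Dynamic credential: Vault creates a short-lived database user for this role.
  # consul-template renews the lease while it can; when the lease reaches its
  # max TTL (or is revoked), it requests a fresh credential, re-renders the
  # file, and runs the command below so the application picks up the new user.
  contents = <<EOT
{{ with secret "database/creds/app-readwrite" }}
DB_USERNAME={{ .Data.username }}
DB_PASSWORD={{ .Data.password }}
{{ end }}
EOT

  destination = "/etc/app/db.env"          # assumed rendered env file
  perms       = 0600                       # readable only by the service account
  command     = "systemctl reload app.service"   # assumed reload hook
}

# The root credential Vault itself uses to connect to the database is separate
# from the per-application leases above; Vault can rotate it with its
# database/rotate-root/<connection-name> endpoint, so no human holds it.
```

Every application credential rendered this way expires on its own, so a leaked value has a bounded lifetime and each issued credential appears in Vault's audit log with the lease that created it.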
Vault secret management is a solution of choice when building highly secure and highly available systems. By proactively building a cloud security architecture into its AWS IT management process, this firm has decreased the risk that comes from manual secret management. The firm’s high availability design for Consul and Vault means that the system has zero downtime for applications and users.
For further reading on how Flux7 helps organizations establish a framework for repeatable deployments with HashiCorp Vault configuration services, whether standing up a Vault secret store on top of existing infrastructure or as part of infrastructure solutions we design and create for you:
- Improved credential management hardens security, maintains RPO and RTO goals at a health records company
- Flux7 SmartStart Eases Vault Technology Adoption
- Handling Secrets in Microservices
- Flux7 helps customers securely run applications in the cloud with Vault