Learn secrets management with HCP Vault Secrets

The transition from conventional on-premises datacenters and environments to dynamic, cloud infrastructure is complex and introduces new security challenges for organizations to consider. There are more systems to manage, more endpoints to monitor, more networks to connect, and more people that need access. The potential for a breach increases significantly - becoming only a matter of time — without the right security posture.

Secrets management challenges

For secrets management, organizations typically adopt a siloed solution(s):

• An offering from a cloud service provider (CSP)
• A homegrown solution built on a combination of several services across multiple CSPs and other vendors

This can lead to a number of many challenges.

Secret sprawl

Organizations that use multiple secrets management tools increase their risk of a breach due to secret sprawl across different systems, files, and repositories. Organizations that leverage static secrets are at a higher risk of breach.

Operational overhead

Organizations that manually manage workflows for secrets management spend time managing the deployment, updates, scale, reliability, security, compliance, and support for the rest of the teams in the organization.

Capabilities to deliver security automation

As organizations scale their secrets management workflow they will look to manage the complete lifecycle of secrets and sensitive data, requiring advanced capabilities, integrations, and support.

Solution

HCP Vault Secrets is a secrets management service that allows you keep secrets centralized while syncing secrets to platforms and tools such as CSPs, GitHub, and Vercel. Developers can quickly access secrets when and where they need them, reducing the risk and increasing efficiency.

HCP Vault Secrets is a multi-tenant SaaS offering meaning organizations do not have to run or own their own secrets management solutions. This allows you to rely on HashiCorp to manage the deployment, updates, scale, reliability, security, compliance, and support of HCP Vault Secrets.

Concepts

• Project: Projects are part of the HashiCorp Cloud Platform (HCP) resource hierarchy where applications are configured.
• Application: Applications are where secerts are created and managed. Applications can contain different secret types.
• Secrets: Secrets are sensitive data (i.e. credentials) which can be managed as static, auto-rotating, or dynamic secrets.

Secret types

HCP Vault Secrets offers different types of secrets to support various use cases.

Dynamic secrets

Dynamic secrets are created just-in-time by an issuing service when integrated with HCP Vault Secrets. When issued, the dynamic secret has a predefined lifetime, called a time-to-live (TTL). HCP Vault Secrets returns the unique credential to the requester along with a unique identifier that allows the secret to be audited, and revoked early if supported.

Dynamic secrets are useful for ephemeral workloads in environments with stringent security requirements such as cloud deployments or microservices architectures. They are also useful for time-bound workloads such as Kubernetes CronJobs or Terraform runs.

Auto-rotated secrets

Auto-rotated secrets allow organizations to ensure that static credentials are not long lived. With a supported provider, HCP Vault Secrets can automate the rotation of secrets that are otherwise static, such as vendor API keys.

Auto-rotated secrets are well suited for more static or critical workloads where frequent restarts can cause performance issues or outages. An example would be a long-lived workload or application that requires continuous access to a database or cannot handle credential updates without restarts.

Static secrets

Static secrets are manually manged by an organization. Vendors may not support auto-rotation or dynamic secrets. HCP Vault Secrets securely stores static secrets, and versions the secrets when they are manually updated.

Next steps

In the next section, you will learn how to manage permissions for HCP Vault Secrets.