

Announcing Virtual Machine Support for Workload IAM

Secure your Vault by providing policy-based access from workloads based on cryptographically verifiable identities instead of bootstrap secrets.

Aembit now allows you to secure HashiCorp Vault, while reducing its operational burden on developers and DevOps teams. This capability is generally available today, and is also available in our self-service free tier that supports up to 10 production-class workloads.

With this new capability, you can now secure your Vault by providing policy-based access from workloads based on cryptographically verifiable identities instead of bootstrap secrets, paired with the ability to implement conditional access based on the workload’s security posture. You can enable this across all of your cloud and on-prem environments, without making code changes to your applications.

Secrets Managers are Essential to Modern Applications

Secrets managers (sometimes referred to generically as vaults) are essential in modern applications because they guard sensitive data: critical secrets, certificates, and encryption keys. They have grown from a secure repository for these secrets into tools that also attempt to provide access controls and automated secret lifecycle management. Whether it’s protecting API keys, database credentials, or cryptographic assets, vaults are the “password managers” of machine-to-machine access, helping businesses safeguard the integrity and confidentiality of data in their most sensitive applications.

Using HashiCorp Vault for secrets management brings significant benefits to an organization, but it also comes with burdens that fall on both the DevOps teams managing it and the developers integrating it into their applications. So, just as user access evolved toward IAM, we think machine-to-machine access is ready for IAM as well.

When working with our customers, we saw some common challenges, such as the “secret zero” problem, access control, policy management, token management, dynamic secrets, and logging.

Our goal with this new capability is to allow customers to take full advantage of their Vault investment with lower friction and operational overhead. 

Securing Vault with Workload IAM

If you’re just learning about Workload IAM: this technology lets your workloads access sensitive data and applications based on their identity and posture, evaluated against an access policy, rather than simply by possessing a secret.

Aembit-IAM-HashiCorp-Vault-as-Service

This is a simple and powerful approach to securing access to Vault, or to any sensitive data or application in your environment. Deploying Aembit gives your team a few advantages:

  • Define identity-based access policies to control access to Vault

Vault contains sensitive information, the proverbial ‘keys to your kingdom.’ Aembit gives your DevOps and security teams a central, policy-based way to control which applications can reach your Vault, based on their cryptographically validated identities (for more on this, see ‘How Aembit Works’). Policies are easy to visualize in the UI, and teams can also manage them as policy as code to add or block Vault access as needed.

This Aembit policy grants identity-based access to HashiCorp Vault, via a dynamically minted Vault client token, to a real-time inventory application running in Kubernetes. It covers both initial access (the secret zero case) and every subsequent access attempt.

  • Eliminate the secret zero problem

When an application comes online for the first time, it typically needs a bootstrap secret in order to authenticate to Vault. That initial secret is usually delivered out-of-band: a human hands it over manually, or developers build a secondary mechanism to distribute it. This bootstrap secret is a risk to your organization: not only can it be abused by anyone who obtains it, but the manual process means copies may exist in many places besides the application itself (chat, email, or elsewhere). With Aembit, no bootstrap secret is needed. Aembit can grant Vault access to a new application using environmental metadata, such as the workload’s service account token, to attest to its identity, combined with a policy that permits the access. The difference from a bootstrap secret is that this attestation is issued by the platform the workload runs on (for example, the Kubernetes cluster) and is bound to that workload, rather than being generated and distributed by a person.

  • Eliminate complex Vault integration

HashiCorp Vault is powerful, but often complex to operate securely and consistently. Aembit Edge simplifies how you integrate Vault into your environment by handling authentication with no application code. The Edge sits next to your applications, as a sidecar in Kubernetes or as an agent on a virtual machine, so your Vault needs no further integration into the workload. On each request from a workload to Vault, the Edge transparently intercepts the request and works with Aembit Cloud to validate the workload’s identity and access rights. On approval, Aembit Cloud mints a short-lived access token that grants the workload the right Vault permissions and returns it to the Edge, which injects the token into the request and forwards it to your Vault. One more win: your application never sees, and never stores, the Vault access credential. This sharply reduces key sprawl and your exposure to stolen credentials.

  • Implement conditional access to Vault

With Aembit protecting your environment, access to Vault can also be made conditional on factors beyond a validated identity, so you can assess a workload’s posture before it reaches your critical data. For example, today an access policy can check whether a workload is actively managed or secured by Wiz or CrowdStrike before a credential is issued to the requestor. Aembit plans to regularly introduce new forms of conditional access, so that assessing workload security is both flexible and comprehensive.

Conditional access rules require workloads to meet additional conditions before they access sensitive resources such as your Vault. This example requires Wiz to be actively managing the cluster.

  • Provide centralized visibility, logging, and audit of your Vault access, based on identity instead of secrets

We regularly see customers struggling to build an effective strategy for audit, compliance, and incident response around how their Vault is used. Aembit provides a central source of log data structured specifically for reporting access requests, and ties each request (and each subsequent successful connection) to a workload identity to give you the most actionable data possible. Keying the requests and the logs to identity avoids a common problem: when a target service logs access requests by the secret that was presented, you cannot tell whether that secret has been reused across multiple applications or, worse, compromised.

Aembit logs are identity-based access logs that give a structured, consistent view of how applications are accessing sensitive resources such as HashiCorp Vault. They are a faster, more meaningful data source for incident response and auditing.
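The sidecar flow and the identity-keyed logging described in the bullets above, modeled as an added Python example. This is not Aembit’s code and does not reflect its implementation; it shows the pattern: the workload’s request to Vault carries no credential, the “edge” verifies a constructed service-account style JWT, looks up a hypothetical identity-based policy with a posture condition, obtains a short-lived token from a stand-in control plane, injects X-Vault-Token, and writes a log record keyed by identity rather than by secret. The HMAC signing key, the policy shape, the request, and the token format are all assumptions made for the example.

```python
"""Sidecar flow model: verify workload identity, apply an identity-based policy plus
a posture condition, inject a short-lived Vault token, log by identity. Not Aembit's code."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the cluster's token-signing key. Real Kubernetes
# service-account tokens are asymmetrically signed; HS256 keeps this short.
ATTEST_KEY = b"constructed-cluster-signing-key"

# Hypothetical policy shape (the page shows the policy only in Aembit's UI).
ACCESS_POLICIES = [{
    "client_workload": "system:serviceaccount:inventory:inventory-api",
    "require_posture_managed": True,      # conditional-access rule
    "vault_policies": ["inventory-read"],
    "token_ttl": 300,                     # seconds: the minted token is short-lived
}]
AUDIT_LOG: list = []                      # identity-keyed access records

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_sa_token(namespace: str, sa: str, now: int, ttl: int = 600) -> str:
    """Mint a service-account style JWT: the only thing the workload presents."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(
        {"sub": f"system:serviceaccount:{namespace}:{sa}", "exp": now + ttl}).encode())
    sig = hmac.new(ATTEST_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_sa_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(ATTEST_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("exp", 0) > now else None

class TokenAuthority:
    """Stand-in for the control plane that mints short-lived Vault client tokens;
    a real deployment would obtain them from Vault. Random strings tracked with expiry."""
    def __init__(self) -> None:
        self._issued: dict = {}

    def mint(self, policies: list, ttl: int, now: int) -> str:
        token = secrets.token_urlsafe(24)
        self._issued[token] = {"policies": list(policies), "expires": now + ttl}
        return token

    def lookup(self, token: str, now: int) -> Optional[dict]:
        rec = self._issued.get(token)
        return rec if rec and rec["expires"] > now else None

def edge_forward(request: dict, attestation: str, posture_managed: bool,
                 authority: TokenAuthority, now: int):
    """Intercept a workload->Vault request; return (forwarded | None, log record).
    The app's own request carries no credential; X-Vault-Token is added only on approval."""
    if "X-Vault-Token" in request.get("headers", {}):
        raise ValueError("workload must not carry a Vault credential itself")
    claims = verify_sa_token(attestation, now)
    identity = claims["sub"] if claims else None
    record = {"ts": now, "identity": identity, "path": request["path"],
              "decision": "deny", "reason": ""}

    def deny(reason: str):
        record["reason"] = reason
        AUDIT_LOG.append(record)
        return None, record

    if identity is None:
        return deny("attestation invalid or expired")
    policy = next((p for p in ACCESS_POLICIES if p["client_workload"] == identity), None)
    if policy is None:
        return deny("no access policy for this identity")
    if policy["require_posture_managed"] and not posture_managed:
        return deny("conditional access: workload not under management")
    token = authority.mint(policy["vault_policies"], policy["token_ttl"], now)
    forwarded = {**request, "headers": {**request.get("headers", {}), "X-Vault-Token": token}}
    record.update(decision="allow", vault_policies=policy["vault_policies"])
    AUDIT_LOG.append(record)
    return forwarded, record

if __name__ == "__main__":
    fwd, rec = edge_forward({"path": "/v1/secret/data/inventory/db", "headers": {}},
                            issue_sa_token("inventory", "inventory-api", 1_700_000_000),
                            True, TokenAuthority(), 1_700_000_000)
    print(rec, fwd["headers"])
```

Two things to notice when running it. The request the application built never contains X-Vault-Token (the edge raises if it does), and the log record for a denied request still names the workload identity, which is what lets you answer “which application was this?” without correlating on a secret. A forged signature or an expired exp claim is rejected before any policy lookup, and the minted token expires on its own after token_ttl seconds. Real Kubernetes service-account tokens are verified against the cluster’s public keys; the HMAC here only stands in for that step.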

Protect HashiCorp Vault Today, Everything Else Tomorrow

Aembit’s model is to provide you a centralized workload identity provider that can offer IAM between all of your critical applications. You can start by securing access to HashiCorp Vault today, and then easily extend the same model across all of your sensitive databases, applications, SaaS Services, and even third-party APIs in the future. Along the way, you can reduce friction for your DevOps teams who need to manage these connections and lift a burden from developers who otherwise have to program strong, sophisticated auth when they instead could be focused on features that drive your own product forward.

Get Started Today: Free and on Your Own

The Aembit free tier is designed to provide highly reliable, highly performant Workload IAM to you today. It’s designed to be self-service, so you can get started whenever the inspiration strikes. We’re, of course, happy to help you on your journey. Whatever you choose, get started on improving your HashiCorp Vault experience today.
