Large Retailer Secures HashiCorp Vault Access
Complex multi-cloud setup with difficult Vault access.
High-maintenance, homegrown identity system.
Cumbersome enrollment and identity secret management.
Aembit simplifies and secures Vault access.
Replaced DIY identity system with efficient, policy-based access.
Streamlined credential management, enhancing security.
The retailer has a complex multi-cloud and on-premises environment running hundreds of applications in Kubernetes as well as on virtual machines. It also has thousands of retail locations in addition to ecommerce operations, all of which must securely interact with other key applications and sensitive data stores.
The organization knew that in a dynamic, continually changing environment it needed to create a stronger identity control plane to secure access among applications.
It knew that a critical place to begin was providing simpler and more secure access to HashiCorp Vault. As in any other business, its Vault holds highly sensitive data that, if compromised, could give an attacker the ability to move throughout the organization’s systems and capture sensitive information. Securing Vault access was particularly challenging given that access to Vault is required across clouds and from retail locations.
Currently, accessing Vault requires two steps:
- Getting the workload an identity secret that authenticates it to Vault, often called the “Secret Zero” or bootstrap problem;
- Enrolling the workload in Vault, so that the workload has the right access rights when it accesses Vault.
The organization developed its own system to address both the Secret Zero problem and enrollment into Vault. However, this system required significant developer maintenance, and more development as the workload footprint grew larger and more complex across more compute environments (more types of workloads: Kubernetes, VMs, OSes).
The Solution & Benefits
The organization deployed Aembit as its Workload IAM platform. The first project was to secure access to Vault and reduce the ongoing cost of implementation and maintenance with the associated infrastructure.
Implementation drove a number of critical benefits:
Solve Secret Zero
Using Aembit’s ability to cryptographically attest to the identity of applications, the retailer eliminated the need for a bootstrap secret. Based on identity (but without a secret), Aembit provides a dynamic access credential for the workload to access Vault.
Instead of enrolling each new workload in Vault, Aembit issues short-lived credentials (JWTs) that authorize access to Vault with claims that limit access to the right set of secrets. Moving from a token that only represents identity to a credential that includes access rights simplifies the workflow and makes policies more dynamic.
Eliminate the DIY Identity System
The company now uses Aembit to provide policy-based access to Vault, eliminating the need for the homegrown identity system. This removes the need for the company to maintain and upgrade its previous system, and gives it the benefit of Aembit’s ongoing engineering innovations.
Securely Provide Multi-Cloud Access to Vault
Although Vault supports access based on native cloud identity (attestation), this becomes difficult across clouds. Vault may be able to authenticate workloads in the same cloud, but cannot authenticate workloads in another cloud. Aembit solves this by acting as the workload IdP between workloads and Vault: it uses the native identity of the workload from whichever cloud it is in, and grants the workload an appropriate access credential to Vault with the right access claims based on policy.
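The two ideas above, a short-lived JWT whose claims carry the access rights rather than just the identity, and a single workload IdP whose signature Vault trusts regardless of which cloud the workload runs in, can be illustrated with the following added example; it is not Aembit's or Vault's code. The issuer name, audience, the `vault_paths` claim, the workload names and the HS256 shared key are all constructed assumptions (Vault's JWT auth method would normally verify against the IdP's public keys/JWKS and map claims to policies via its role configuration).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the workload IdP and the verifier; a real
# deployment would verify against the IdP's public keys (JWKS) instead.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "workload-idp"                    # assumed issuer name
VAULT_AUDIENCE = "vault.example.internal"  # assumed audience value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_workload_jwt(workload_id, cloud, secret_paths, now, ttl=300):
    """Issue a short-lived HS256 JWT whose claims carry the Vault access rights."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": workload_id, "aud": VAULT_AUDIENCE,
              "iat": now, "exp": now + ttl, "cloud": cloud,
              "vault_paths": secret_paths}  # assumed claim name for granted paths
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize_vault_access(token, requested_path, now):
    """Verify the JWT and decide whether it may read requested_path.
    Returns (allowed, reason). The cloud the workload runs in does not matter:
    the single IdP signature, not a cloud-native identity, is what is checked."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != VAULT_AUDIENCE:
        return False, "wrong issuer or audience"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if requested_path not in claims.get("vault_paths", []):
        return False, "path not granted by policy"
    return True, f"{claims['sub']} ({claims['cloud']}) may read {requested_path}"
```

A workload in one cloud and a workload in another are both accepted on the strength of the same issuer signature, while an expired token, a tampered claim set, or a path the policy never granted is refused.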
Simplify Credential Management
Aembit enables identity-based access to resources while eliminating the need for workloads to store a sensitive Vault credential. Aembit continually verifies the identity of the application and provides an access token. This reduces attack surface and radically simplifies credential management.
The retailer’s deployment of Aembit can now be used to secure access to other sensitive applications beyond Vault, and can be used to provide a single workload-to-workload access management system across the organization.