CarahCast: Podcasts on Technology in the Public Sector

HashiCorp Vault + Venafi: Scaling in Production

Episode Notes

As agencies continue to migrate to the cloud and adopt DevSecOps practices and tooling, the challenges of protecting sensitive data (secrets) and ensuring that security policies are consistently applied and followed are tougher than ever. Together, Venafi and HashiCorp Vault make it easy for security teams to safeguard secrets and apply consistent policy, while enabling development teams to consume those secrets in a way that keeps the organization compliant.

Listen to the podcast and learn how HashiCorp Vault and Venafi can strengthen your Zero Trust security posture, establish policy and compliance guardrails, and seamlessly accelerate mission delivery.

During this podcast, you will:

Episode Transcription

HashiCorp Vault + Venafi: Scaling in Production

Intro 00:14

On behalf of Venafi, HashiCorp and Carahsoft, we would like to welcome you to today's podcast, focused around HashiCorp Vault + Venafi: Scaling in Production, where Paul Cleary, Ecosystems Architect at Venafi, and Larry Eichenbaum, Senior Solutions Engineer for Federal at HashiCorp, will discuss how HashiCorp Vault and Venafi can increase your Zero Trust security posture, establish policy and compliance guardrails, and seamlessly accelerate mission delivery.

Paul Cleary  00:42

Alright, so hello, and welcome, everybody. My name again is Paul Cleary, the ecosystem architect here at Venafi. And I'm joined by Larry Eichenbaum, senior solutions engineer at HashiCorp. Today, we're going to be taking a look at a few different ways that organizations are scaling HashiCorp Vault in production, along with Venafi, to securely use machine identities in their application and deployment pipeline. And when I talk about a machine identity, real quick, that's a TLS certificate. And that's something that we'll get into during this presentation here. And so as the ecosystem architect at Venafi, I work with our technology partners, such as HashiCorp, as integrations are built between the Venafi platform and many of the security products that your organizations use every day. Venafi is the cybersecurity leader in machine identity management, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. The integration that we're looking at today between Venafi Trust Protection Platform and HashiCorp Vault is just one example of the necessity of the ecosystem. It takes really strong collaboration from partnerships like this one to help eliminate some of that friction between security and development teams, and increase the overall security posture of the organization. Larry, do you want to tell us a little bit about yourself?

Larry Eichenbaum  02:09

Sure. Thank you, Paul. So as Paul and Christina said, my name is Larry Eichenbaum. I'm a senior solutions engineer here at HashiCorp. I've been working in the DevOps space for about seven, eight years now. And what I found, and one of the reasons that I'm here at HashiCorp, is we find that there are a lot of challenges that customers are having in industry today, especially around how they manage secrets and protect secrets. And HashiCorp is an industry leader in that space. We make it easy and accessible for all of your applications, your humans, your clients to consume secrets, certificates, all sorts of data that you want to keep secret. And we do so in a very robust manner to enable all of your applications and tools to work together. At the end of the day, it's really a focus on how do we enable your systems to function in this multi-cloud world, often paired with on-premise, and enable capabilities to allow you to adopt a least-privilege aspect and the trust model for your systems. So thank you for being here today.

Paul Cleary  03:20

So before we get started, really, we just want to set the stage a little bit. And to do that, Venafi has been helping organizations like yours solve machine identity management challenges for over 10 years. And we really view this space as an authentication issue. And so in that regard, there are really two actors on every network: we have people and machines. And people rely on usernames and passwords to get access to the data and the services that they use every day. But machines don't use usernames and passwords; they still need to authenticate themselves and gain access to these systems, but they use something called machine identities, or keys and certificates. Or you may be more familiar with the term non-person entities, or NPEs. And so every year businesses are spending $11 billion protecting usernames and passwords. But we're just now starting to get to protecting machine identities with that same level of effort. And the bad guys and the threat actors out there have already started to figure this out, and so they've started to dedicate more time and resources to compromising these extremely valuable machine identities. The challenges connected with managing machine identities have become much more complex over the last few years. The physical perimeter is gone. As Larry mentioned, organizations are moving more toward a zero trust model. And remote work is routine today; physical security is no longer relevant. So we've got things like the cloud, mobile, edge and IoT devices that all need to be authenticated properly and connected to our enterprise networks. So the question becomes, how do we allow or deny access? And the answer, as I mentioned on the previous slide, is authentication, or identity. Identity really has become that new perimeter. And so our definition of machines includes all the new technologies found on enterprise networks. These are things like containers, clusters, services, APIs.
And because all of these require machine identities to communicate securely, we need a method and a platform in place to manage those securely, with visibility, intelligence and automation for the organization. And so today, organizations, again, really need a way to manage this wide range of machine identities. And in order to put into place an effective machine identity strategy, we need the ability to verify every machine identity that gets issued throughout the organization; we need a system of record that can control access from trusted users to trusted machines; and then we also need the ability for the security teams to have visibility into that issuance process. So wherever teams may be requesting these machine identities, they need to be requested in a way that conforms to the policy set forth by the security teams, as well as gives them visibility into the issuance of those certificates. Right? And so Larry, I believe HashiCorp Vault can create and store most, if not all, of these different machine identities. Is that correct?

Larry Eichenbaum  06:33

Yeah, well, that actually is very correct. So with Vault, we can apply and leverage authentication and authorization as two mechanisms to control access, and enable those different types of machine identities to communicate with one another. As we know, as we are building up microservices and applications that are really leveraging newer technology stacks, it's necessary for those communications to happen incredibly fast, and we need them to be incredibly secure. And with Vault, with all those identities, one other thing that we do is we ensure that every request or every transaction is both authenticated and authorized. Because just because some system or tool was permitted to make a connection or communicate 30 minutes ago doesn't necessarily mean that they should be permitted to communicate now, for whatever reasons. And bringing in that layer of additional security is really key to how these tools interact and work together.

Paul Cleary  07:33

Excellent. Yeah, thanks. Very good point. So just to keep setting that stage a little bit before we get into a demo and example use cases, we've got a picture. And so human identities are really, literally, the tip of the iceberg in the huge organizations that you guys work in every day. They represent a fraction of the overall identities that organizations need to manage to confirm or deny access to those systems that we talked about. And on top of that, the network is changing faster and faster every day. The number of people in the world is going to remain relatively flat, and we've seen that over the past 15 years. But the number of devices is growing. And even larger than that, the problem is applications. Applications really are machines as well, because they need those machine identities to authenticate and gain access to other applications and devices. And so these are growing at an exponential rate, with a huge inflection point last year in 2020. And it's these systems, these automated connections, that keep businesses running. And so that's why it's incredibly important to be able to manage the security surrounding these machine identities effectively. And so for the rest of this presentation, we're taking a look at an example customer. It's a financial services company that has about $44 billion in annual revenue as of 2019, and they've got a little over 65,000 employees. They did use a combination of our plugins, which we'll get to in a moment, the different integration paths that are available between Venafi and Vault. But they are really solving this problem for over 8,000 applications in their organization, and that's both internal and external. And so as they thought about different strategies to accomplish this goal, they had a few problems to solve that they were thinking about as they defined requirements. And so they needed application deployment teams that could get machine identities fast without breaking their standard DevOps pipeline.
And so this shouldn't introduce any type of ticketing or change requests, nothing like that that's going to be a potential bottleneck in that process. The second requirement is the info security team must be aware of those machine identities. So the end users that are requesting these certificates should, again, be able to do that quickly. But the Vault, I'm sorry, the Venafi teams, or security, should be aware any time those certificates are being issued. And then finally, once they've built out that process and have tested things successfully, they need the ability to fully automate, right? So any type of automated build pipeline, or anything of that sort, once it's fully tested, should be fully automated, and again, require no human intervention, no introducing of any bottlenecks in that process.

Paul Cleary  10:45

And so the customer from our example, they really embraced what Venafi calls certificate as a service. This is a solution design which, at the really highest level, basically says the information security, or the PKI team, in an organization should develop a means for application developers and deployment teams to get the machine identities that they need, whenever they need them, without having to wait for the security team to go through those outdated and manual tasks that could cause the bottlenecks that I talked about. So those are things, again, like manually checking certificate issuance policies, or entering and subsequently waiting for change requests to go through, even emailing or physically handing over end-entity certificates on flash drives, and all of that type of process. We need a way to automate the issuance, as well as the delivery, of those certificates to the end applications and entities that require them. And so most organizations, they were already undergoing a digital transformation process and adopting these DevOps practices. And in the last year, we've seen those efforts increase drastically, both in scope and timeline, for really one simple reason: they didn't have a choice, they had to do it, they had to adopt over 2020. And so what we've seen is that many of our customers have maybe not started using the Venafi platform in their DevOps environments. It might even be that they don't have, I'm sorry, they do have both technologies, Venafi and HashiCorp, in place; it's just that the teams haven't been connected yet. And if they maybe only knew of the possibilities, the options available to integrate, both teams would benefit and the overall security posture of the organization would increase. And so I mentioned a couple of minutes ago that we do have really three different usage patterns. The first is what we call the Venafi Secrets Engine.
And this is what allows HashiCorp Vault users to get any publicly trusted certificate from really any of the 40-plus certificate authorities that the Venafi platform integrates with. And so this allows for, again, Vault users to continue using the same process that they use day in and day out, for the history of their career, to request a certificate from Vault. But on the back end, Vault is reaching out to Venafi. And in our demo, we're going to be using a Microsoft CA, but that could easily be DigiCert, it could be Entrust, GlobalSign. And one of the other benefits of the Venafi platform is the ability to enable crypto agility. So while we're using Microsoft CA in our demo, and maybe a customer's using Microsoft CA in their environment, you would be able to really quickly, with just a few button clicks in the Venafi platform, change what certificate authority fulfills these requests. And so from a Vault user's perspective, nothing has changed there; they're still requesting a certificate from Vault. But on the back end, maybe now it's being requested and issued through DigiCert or Entrust, as opposed to their internal Microsoft CA. And so it's really powerful in that if you ever had any type of CA compromise, or you are using an internal Microsoft CA and now the root of trust has expired and it's time to recreate that entire PKI, you can do it in essentially a few clicks with the Venafi platform. Next, we're going to take a look quickly at the Venafi monitor engine. And what this monitor engine allows is, again, you get the same benefit from an end user of Vault, I'm sorry, an end Vault user's perspective: nothing has changed from their day-to-day process; they're still able to, again, request those certificates from Vault.
The difference here is maybe they need that immediate issuance that Vault offers, right? And in the previous example, if you're using something like the Microsoft CA internally, as you'll see when Larry and I get to the demo, those requests take about five seconds or so. And it's because that PKI is all internal, right? So you can imagine if you were requesting certificates out from a GlobalSign or a DigiCert or an Entrust, depending on any approvals that may be set up on the CA side, those requests can take anywhere from the five seconds that we're about to see, to five minutes, to sometimes three days. It just depends on what's been set up at the certificate authority side of things. And so what end users get with the Venafi monitor engine is the ability for Vault to continue issuing those certificates, which we'll see happens in less than one second. It's that instantaneous issuance for DevOps pipelines or immediate application deployment that they need, and they're used to. But at the same time, Vault is sending all of those requests back to Venafi, after the fact, so that the security team has visibility into all the machine identities that get issued. And then before the certificate request is actually fulfilled by Vault, it's doing a check on the current policy that is pulled from the Venafi platform. So if for whatever reason the Vault user requests a certificate that, maybe it's a typo on the domain, or maybe they're requesting a certificate for a domain that the security team has not yet enabled, they get an immediate error message that says, hey, the Vault policy doesn't match the Venafi policy, and so we're not going to issue this certificate. And then lastly, the last integration pattern that I want to talk about, it's very similar to this Vault monitor engine that we talked about. The only difference is, for Vault-issued certificates, it's getting a subordinate CA certificate and an issuing policy from the Venafi platform.
And so again, you get that speed of issuance from Vault, which is the instantaneous certificate issuance time. But in this case, those certificates are chained up through the enterprise trusted root. And that could be the public root from DigiCert or Entrust that we talked about, or it could be your internal Microsoft PKI, or something similar to that. All right. Now, before Larry and I get into the actual demo portion, I do want to reiterate that this particular example customer, they're using a combination of all three of those design patterns that I just highlighted, depending on each of their applications' use cases. And so I'm not able to replicate the scale of their infrastructure for this demo. But it's important to note that it does contain a number of Vault clusters that were utilizing performance replication for DR purposes. And another thing to note here is, actually, during the deployment and testing phase with this customer, we actually ran into a couple of issues when integrating very specific versions of Vault with very specific versions of Venafi inside that cluster. And I bring that up because it's this collaboration between HashiCorp and Venafi, our support teams, our ecosystem and partnership teams, that enabled us to get to the root cause quickly and publish an update that solved the issues for this customer before they moved into production. And so security administrators at this customer have been able to rapidly scale and offer that certificate as a service model to the rest of the organization, making it easy for developers and deployment teams to get the machine identities that they need as soon as they need them, still using their native tools. And with that, we will wrap things up here. And just to kind of summarize what we've looked at and talked about, this application team at our example customer really came away with the following facts, right?
And this goes back to the requirements that they had set forth for this effort. Vault teams, they need an easy and seamless way to get enterprise trusted certificates into their application pipeline, especially as organizations adopt more cloud native and DevOps practices. Not only that, but the info security teams must have the ability to set policy on those certificates and have visibility into their issuance and usage. And finally, when these teams are able to work together successfully, really everybody benefits, right? Info security is assured, DevOps remains fast, and the organization is more secure because of the combined effort and collaboration between those two teams. And with that, I want to thank everybody again for joining. And, Christina, if we have any questions?

Christina Flear  19:47

Yeah, thank you both. That was great. Like you said, we're gonna move into our Q&A session. Feel free to continue to ask any questions in the Q&A pod at the bottom of your screen. We'll try to get through as many as time allows, and any additional questions will be followed up on by our team here at Carahsoft. So our first question is, how do you reduce the time for issuing a certificate?

Paul Cleary  20:05

Yeah, good question. So we looked at a couple of different plugins. I would say, depending on the specific needs of the organization, one of those plugins may be better suited than the other, right? If you need the ability to interact with a publicly trusted CA, or a CA that's not Vault's, you'll want to test out and explore that first plugin, the Venafi secrets engine. If speed of issuance is important, that you actually really do need that instantaneous sub-one-second issuance time, that's the point where you'd want to explore the monitor plugin, and potentially the subordinate CA use case that we talked about but, again, didn't really see, but it works the exact same way as that monitor engine that we looked at. So again, I would say, just to summarize an answer to that question: if speed of issuance is important to the applications, you'll want to check out that monitor plugin. That's going to be the best bet.

Christina Flear  21:11

Thank you. Our next question kind of piggybacks on that: if the Venafi platform is down, how does the CA authority work for the certificate?

Paul Cleary  21:20

Yeah, another good question. So this really goes back to that last example that we just showed. If for whatever reason the Venafi platform does go down, that's where the Vault issuance using that monitor plugin is still going to remain active and available. So your DevOps pipelines, your CI/CD processes, all of those can continue requesting the certificate. And then once the connection from the Venafi platform is re-established, or maybe the Venafi server has rebooted or finished its update, whatever caused it to be unavailable at that time, you get all of those certificates in the inventory after that connection is re-established. If you're asking about the external public CAs during a Venafi downtime window, that would be one situation where you're not going to be able to make that request, right? If you're using the Venafi CA plugin to reach out to DigiCert or Entrust or GlobalSign or any of our other public CAs, at that point that is something that you would need the Venafi platform available for.

Christina Flear  22:27

Thank you. Our next question is, are there any additional licenses required to support these integrations?

Paul Cleary  22:34

Another good question. So yeah, there are no additional licenses from a Venafi or Vault perspective. Everything works out of the box with our open source integrations. The one note that I'll make is the reference architecture at the sample customer: they are using some performance replication and things like that, which I do believe require a Vault Enterprise license. And Larry can keep me honest there if needed.

Larry Eichenbaum  23:04

Yeah, that's absolutely correct, Paul. So if you are taking advantage of the disaster recovery or performance replication features, as well as many of the other capabilities within Vault that extend beyond certificates, those may require that enterprise license. But the ability to utilize plugins such as the Venafi plugins that we highlighted, that in and of itself you can perform with all versions, including open source, of Vault.

Christina Flear  23:33

Thank you. Our next question is, if we've already implemented Vault as the certificate issuer for some application teams, how difficult will it be to introduce the monitoring and policy controls after the fact?

Paul Cleary  23:44

That's another good one. So it's pretty easy, I'll say that. It's going to depend a little bit on the specific use case and exactly what the end goal is. But for the most part, you're able to insert these plugins very easily into existing Vault infrastructure. So if an organization out there is already using Vault to issue certificates, then really introducing the monitor plugin that we just looked at shouldn't change the end user's workflow at all. That's really the goal of that integration: to allow the security teams to get the visibility and the policy ability that they need without affecting the developer's workflow at all. So they can continue using Vault the same way that they have, but at the same time give that visibility, and the ability to put a policy on the Vault requests, to the security team. So I would answer that and say it does depend slightly which version of the integration you're looking to implement, but overall, we've designed it in a way to be as seamless and as easy to implement as possible in both new and existing Vault clusters.

Christina Flear  25:02

Thank you. Our last question is, is there a reason companies choose to use one Vault Venafi plugin over the other available options?

Paul Cleary  25:09

Yeah. And that kind of goes along with the first question that was asked. It really will depend on the end need of that specific application. In our example, right, we did see that this customer is using a combination of the three different versions of the plugin. So some of their applications, I'm assuming probably the external-facing applications, those are probably going to be better served with the PKI backend plugin that allows you to issue publicly trusted certificates through Vault. For those maybe internal applications, or test applications that are going through a DevOps optimization, I'll call it, so you're really getting certificates on a very rapid basis, maybe once a day, once an hour even, for those ones the Venafi monitor engine is going to be the best use case, because, again, they get that instantaneous issuance time available to them and really don't need to worry about long-lived certificates that are going to be expired at the end of the day anyway.

Christina Flear  26:22

Thank you so much. Is there anything else you'd like to add before we close today?

Paul Cleary  26:26

Nothing for me, no. Thank you, Christina, and Carahsoft and the audience.

Outro 26:31

Thanks for listening. If you'd like more information on how Carahsoft, Venafi or HashiCorp can assist your organization, please visit www.carahsoft.com, or email us at Venafi@carahsoft.com or HashiCorp@carahsoft.com. Thanks again for listening, and have a great day.