Microservices and Secrets Management – Comparison of Vault Solutions

As microservices become the preferred way to build cloud-native distributed applications, they bring many security challenges with them. Secrets management is a critical component of container-based application security.

The most common secrets that need to be protected in microservices-based applications are –

  • Database credentials
  • Cross service credentials / tokens
  • API keys and Access Tokens
  • SSL/TLS certificates

In the monolithic model, secrets are usually stored in code, config files, data tables and similar places. This creates a large security risk, because such secrets are easily compromised. Moreover, there is no central store of secrets, which makes secret rotation very complex and time consuming.

With microservices, there is a need for a centralized secrets management solution that can handle these security challenges with minimal manual intervention.

Requirements include, but are not limited to –

  • Secure storage of different secret types such as tokens, credentials and certificates
  • Key Rotation
  • Data Encryption
  • Versioning
  • Full Audit logging
  • REST APIs (for easy integration and automation)
  • Fine grained Access Control

There are multiple vault solutions from different cloud providers (Azure Key Vault, AWS KMS, GCP KMS etc.) and open source products such as Hashicorp Vault which offer rich features for secrets management.

Let's compare some of the most widely used vault solutions – Azure Key Vault, Hashicorp Vault and Kubernetes Secrets.

This is effectively a Hashicorp Vault vs Azure Key Vault comparison, but we have also included Kubernetes Secrets because it comes built into every Kubernetes cluster and can be considered for some use cases.

Comparison of Vault Solutions from an Operations Point of View –

| | Hashicorp Vault | Azure Key Vault | Kubernetes Secrets |
|---|---|---|---|
| Documentation | Link to Documentation | Link to Documentation | Link to Documentation |
| Operation and setup | Open source, so it needs operations effort to set up and manage the stack and its availability | PaaS solution, so it needs no or minimal operations effort to manage | Built into Kubernetes, so no separate management is required |
| Pricing | Open source, so only infrastructure cost. For enterprise setups where DR and backups are required, an enterprise license must be purchased | https://azure.microsoft.com/en-us/pricing/details/key-vault/ | Built into Kubernetes, so no extra cost |
| Replication and DR | Replication and DR are supported only in the enterprise version (Vault Enterprise) | The contents of a key vault are replicated within the region and to a secondary region at least 150 miles away but within the same geography. This maintains high durability of your keys and secrets. See the Azure paired regions document for details on specific region pairs | Same as the Kubernetes cluster |
| Audit logs | Detailed audit logs are captured | Yes | Kubernetes auditing is part of the kube-apiserver and logs all requests that the API server processes for audit purposes |
| Access Control | Fine-grained roles and policies can be defined to control access to different paths (where secret engines are mounted). Secret engines can be set up at different paths per customer, environment, data center etc. | Access control based on Azure credentials, service principals and identities | |
| API and CLI | API and CLI providing full functional capability: https://www.vaultproject.io/api/secret/ | REST API: https://docs.microsoft.com/en-us/rest/api/keyvault/ | |
| Security | Vault data is encrypted at rest as well as in transit. In case of compromise, Vault provides a sealing capability that locks the vault and blocks any kind of access | Managed and secured by Microsoft using industry-standard security algorithms | Kubernetes Secrets are only base64 encoded by default. Kubernetes 1.13 and above supports encryption, but it has to be configured explicitly |
| Backup and High Availability | Self operated | Managed | Self operated |
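The API and Security rows above are easiest to appreciate from the client side: a microservice reads a secret with one authenticated HTTP GET, and a sealed Vault answers every such read with HTTP 503. The following added example (not code from Hashicorp or Microsoft) shows both reads, a versioned KV v2 read from Hashicorp Vault and a secret read from Azure Key Vault, with a fail-closed handling of the sealed state. The hostnames, tokens, mount path, vault name and the `api-version` value are placeholders/assumptions, and the transport is injectable so the module runs offline against constructed responses.

```python
"""Added example (not vendor code): the two REST reads a microservice makes
against Hashicorp Vault KV v2 and Azure Key Vault, with an injectable
transport so the module runs offline against constructed JSON responses."""
import json
import urllib.error
import urllib.request


class SecretBackendError(Exception):
    pass


class VaultSealedError(SecretBackendError):
    """Vault answers 503 while sealed: the kill switch from the table is engaged."""


def http_get(url, headers):
    """Real transport (used when no fake is injected): returns (status, JSON body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def vault_kv2_url(addr, mount, path, version=None):
    """KV v2 read endpoint: GET {addr}/v1/{mount}/data/{path}[?version=N]."""
    url = f"{addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"
    return url if version is None else f"{url}?version={int(version)}"


def read_vault_secret(addr, token, mount, path, version=None, transport=http_get):
    """Return (key/value dict, version number) for one KV v2 secret version."""
    status, body = transport(vault_kv2_url(addr, mount, path, version),
                             {"X-Vault-Token": token})
    if status == 503:  # sealed: fail closed rather than fall back to a cached value
        raise VaultSealedError("; ".join(body.get("errors") or ["Vault is sealed"]))
    if status != 200:
        raise SecretBackendError(f"Vault returned HTTP {status}: {body.get('errors')}")
    payload = body["data"]  # KV v2 nests the key/value pairs under data.data
    return payload["data"], payload["metadata"]["version"]


def azure_secret_url(vault_name, secret_name, secret_version=None, api_version="7.4"):
    """Key Vault read: GET https://{vault}.vault.azure.net/secrets/{name}[/{version}]."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
    if secret_version:
        url += f"/{secret_version}"
    return f"{url}?api-version={api_version}"


def read_azure_secret(vault_name, bearer_token, secret_name, secret_version=None,
                      transport=http_get):
    """Return (value, version id) for an enabled Key Vault secret."""
    status, body = transport(azure_secret_url(vault_name, secret_name, secret_version),
                             {"Authorization": f"Bearer {bearer_token}"})
    if status != 200:
        raise SecretBackendError(f"Key Vault returned HTTP {status}: {body.get('error')}")
    if not body.get("attributes", {}).get("enabled", True):
        raise SecretBackendError("secret exists but is disabled")
    return body["value"], body["id"].rsplit("/", 1)[-1]  # version id is the last segment


# Constructed responses in the documented shapes; hostnames and tokens are placeholders.
FAKE_RESPONSES = {
    "https://vault.example.internal:8200/v1/secret/data/app/db?version=2": (200, {
        "data": {"data": {"username": "app", "password": "s3cr3t-v2"},
                 "metadata": {"version": 2, "destroyed": False}}}),
    "https://vault-sealed.example.internal:8200/v1/secret/data/app/db": (
        503, {"errors": ["Vault is sealed"]}),
    "https://examplekv.vault.azure.net/secrets/db-password?api-version=7.4": (200, {
        "value": "s3cr3t-azure",
        "id": "https://examplekv.vault.azure.net/secrets/db-password/0f1e2d3c",
        "attributes": {"enabled": True}}),
}


def fake_transport(url, headers):
    """Offline stand-in for http_get: rejects unauthenticated calls, else replays canned JSON."""
    if "X-Vault-Token" not in headers and "Authorization" not in headers:
        return 401, {"errors": ["missing client token"]}
    return FAKE_RESPONSES.get(url, (404, {"errors": []}))


if __name__ == "__main__":
    creds, ver = read_vault_secret("https://vault.example.internal:8200", "hvs.PLACEHOLDER",
                                   "secret", "app/db", version=2, transport=fake_transport)
    print(f"vault: version {ver} of app/db has keys {sorted(creds)}")
    try:
        read_vault_secret("https://vault-sealed.example.internal:8200", "hvs.PLACEHOLDER",
                          "secret", "app/db", transport=fake_transport)
    except VaultSealedError as exc:
        print(f"vault sealed, failing closed: {exc}")
    value, ver_id = read_azure_secret("examplekv", "eyJ.PLACEHOLDER", "db-password",
                                      transport=fake_transport)
    print(f"azure: db-password version {ver_id} read ok")
```

Swap `fake_transport` for the default `http_get` to run it against real endpoints. The two points worth carrying into a production client are the explicit `version` parameter (the versioning row) and the dedicated sealed error: a service that silently keeps using an old cached value while the vault is sealed defeats the purpose of the kill switch.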

Feature Comparison –

| Feature | Hashicorp Vault | Azure Key Vault | Kubernetes Secrets |
|---|---|---|---|
| Secret Storage | Yes | Yes | Yes |
| Dynamic Secrets (secrets created at runtime and expired after use) | Yes | No | No |
| Certificate Management | Yes | Yes | Yes (certs stored as secrets) |
| Data Encryption | Yes | Yes | Yes (needs additional config) |
| Key Rotation (Lease and Renewal) | Yes | Yes | No |
| Secrets Versioning | Yes | Yes | No |
| Access Control (ACL) | Yes | Yes | Yes (no control on pod admin access) |
| Audit Logging | Yes | Yes | Yes |
| Integration with a variety of Databases and Tools | Yes | No | No |
| Custom Plugin Support | Yes | No | No |
| Kill Switch in case of compromise (seal vault) | Yes | No | No |
| Enterprise Support | Yes | Yes | No |
| APIs | Yes | Yes | Yes |
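Two of the Kubernetes cells deserve a concrete illustration: "only base64 encoded by default" and "Data Encryption: Yes (needs additional config)". The following added example (not Kubernetes project code) decodes a constructed Secret manifest to show that base64 is an encoding rather than encryption, and then generates the kube-apiserver `EncryptionConfiguration` that turns on encryption at rest for Secrets, including a check that the provider order is the one that actually encrypts new writes. The key name, the file path in the comments and the sample Secret are constructed placeholders.

```python
"""Added example (not Kubernetes project code): a Secret's `data` is only
base64, and encryption at rest needs an explicit apiserver
EncryptionConfiguration whose provider order decides what gets encrypted."""
import base64
import json
import os

# Constructed manifest, shaped like `kubectl get secret db-creds -o json` output.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "data": {"username": "YXBw", "password": "czNjcjN0"},
})


def decode_secret_data(manifest_json):
    """Recover every value: anyone allowed to read the object can do this."""
    obj = json.loads(manifest_json)
    return {k: base64.b64decode(v).decode() for k, v in obj.get("data", {}).items()}


def new_aescbc_key():
    """The aescbc provider takes a base64-encoded 32-byte key (44 base64 chars)."""
    return base64.b64encode(os.urandom(32)).decode()


def encryption_config(key_b64, key_name="key1", identity_first=False):
    """EncryptionConfiguration for the kube-apiserver. The first provider
    encrypts new writes; the others are only tried on reads. aescbc first and
    identity last encrypts new Secrets while still reading the plaintext ones
    written before the change. identity_first=True is the weak form: a key is
    configured but new Secrets are still stored in plaintext."""
    aescbc = "\n".join([
        "      - aescbc:",
        "          keys:",
        f"            - name: {key_name}",
        f"              secret: {key_b64}",
    ])
    identity = "      - identity: {}"
    providers = (identity, aescbc) if identity_first else (aescbc, identity)
    return "\n".join([
        "apiVersion: apiserver.config.k8s.io/v1",
        "kind: EncryptionConfiguration",
        "resources:",
        "  - resources:",
        "      - secrets",
        "    providers:",
        *providers,
    ]) + "\n"


def first_provider(config_text):
    """Return the provider used for writes: the first entry under `providers:`."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "providers:":
            for nxt in lines[i + 1:]:
                s = nxt.strip()
                if s.startswith("- "):
                    return s[2:].split(":", 1)[0]
    return None


def encrypts_at_rest(config_text):
    """True only when new Secrets will be written encrypted."""
    return first_provider(config_text) not in (None, "identity")


if __name__ == "__main__":
    print("plaintext recovered from manifest:", decode_secret_data(SAMPLE_SECRET_JSON))
    good = encryption_config(new_aescbc_key())
    weak = encryption_config(new_aescbc_key(), identity_first=True)
    print("aescbc-first config encrypts new writes:", encrypts_at_rest(good))
    print("identity-first config encrypts new writes:", encrypts_at_rest(weak))
    print(good)
    # Apply by pointing the apiserver at the file (placeholder path):
    #   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
    # then rewrite existing objects so they are stored encrypted:
    #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

The provider-order check is the part people get wrong in practice: listing `identity` first looks like "encryption configured" in a config review but leaves every new Secret in plaintext in etcd. Note also that this only addresses storage; the "no control on pod admin access" cell still applies, since anyone with RBAC read on the Secret object gets the decoded value from the API server regardless of how etcd stores it.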

Conclusion

Hashicorp Vault is currently the market leader in vault solutions and has the most comprehensive feature coverage. The biggest challenge with Hashicorp Vault is operating and managing it. As a user you are responsible for setup, maintaining HA, backups, scalability etc., which can take considerable operations effort.

Azure Key Vault, on the other hand, is completely managed by Azure and is one of its tier-1 services. As a user you only have to worry about integrating with it and can forget about everything else.

If you go with Hashicorp Vault Enterprise, the cost difference between Azure Key Vault and Hashicorp Vault can be significant. The Hashicorp Vault licensing model is quite complex and expensive. Hashicorp Vault Enterprise costs around $300K per cluster, while Azure Key Vault costs only around $0.03 per 10,000 transactions.

Kubernetes Secrets is a built-in service of Kubernetes and requires no additional operations effort. It has its own limitations, as noted in the comparison.

Let us know about your experience and views on secrets management and vault solutions in comments.
