Enhance your secrets management strategy with Puppet + HashiCorp Vault
Security is paramount in today's digital world. Bad actors can use sensitive data to wreak havoc across thousands of machines in minutes if organizations do not have a solid cybersecurity strategy. Compliance requirements and regulations are increasingly calling for key management and strong encryption as part of a business's cybersecurity strategy. These are no longer optional but mandatory security requirements as DevOps also gains in popularity for agile development and application deployment.
Securing sensitive data (called “secrets”) — such as passwords, machine credentials, and API keys — is not always simple to manage manually, especially at an enterprise scale. A common challenge is limited visibility across your infrastructure, and another is the struggle to tighten processes and tools to limit users' access to that sensitive data globally. There has to be a way to centrally store, distribute, and track these vital configuration settings while gaining more flexibility, right? The question becomes: How do you get a grasp on enterprise secrets as you increase your automation efforts across your Infrastructure & Operations (I&O) teams?
This blog post explores the importance of secrets management, and how Puppet and HashiCorp Vault adds an extra layer of protection as you continue to build out your cybersecurity strategy.
What is Secrets Management?
Before we dive into secrets management, let’s first explain secrets. Secrets are digital authentication credentials that include passwords, API tokens, encryption keys, certificates, and tokens stored across an IT environment. Secrets management with DevOps tools is critical in securely retaining and tightly controlling access to secrets and sensitive data.
Below is an example of how your automation platform should leverage secrets from a secrets management tool. Agents should be allowed to retrieve secrets from your secrets management platform when a catalog is applied. In this way, the secret data is not embedded in the catalog, and the server never sees it.
In this manifest, call the vault_lookup::lookup function using the Deferred type.
The lookup function will be run on the agent and the value of $d will be resolved when the catalog is applied. This will make a call to https://vault.hostname:8200/v1/secret/test and wrap the result in strings marked as sensitive, which prevents the value from being visibly logged.
Why Secrets Management is Important
Secrets management is more than just adding a few controls around sensitive configuration properties. It is a way to keep secrets secure, not only as they are stationary within your infrastructure but also when they are in transit across your network. IT practitioners should be able to create policies controlling user access and authorization via RBAC.
If your I&O teams are currently using an automation platform and are comfortable with your DevOps and DevSecOps practices, further tightening your security controls is paramount. A recommendation is to integrate your existing automation platform with a secrets management tool. Improve your security posture with another vital mechanism that keeps a detailed log of all requests and responses, further simplifying your organization's compliance workflows and auditing processes.
Are you concerned about keeping your data encrypted as you scale your automation platform?
End-to-end encryption of your secret data provides another layer of protection. Secrets management, coupled with each host system's ability to look up only secrets to which it has access, simplifies the communication across your infrastructure. The central automation server will no longer be responsible for managing access to all the secrets data.
What about secrets sprawl?
Secrets sprawl is another challenge when managing passwords and credentials at scale across enterprise infrastructure. If those secrets are in plain text, then you have an even bigger problem. Most enterprise companies have hundreds or thousands of database, application, development, and production servers, all accumulating secrets data. Whether the data is stored in GitHub, Dropbox, or an internal repository, centrally managing all of your secrets information is critical to keeping sprawl under control.
Do you worry about secrets data stored in your public cloud infrastructures such as AWS, Azure, or GCP?
A solid secrets management plan should integrate with most cloud providers and their authentication methods. Be sure your automation platform follows these same authentications and integration protocols.
Now that you have a solid understanding of the importance of a secrets management strategy, let's bring it all together with Puppet Enterprise and HashiCorp Vault.
Puppet + HashiCorp Vault Together
Suppose you're using HashiCorp Vault to store and control access to secrets. You can add an extra layer of security by integrating Vault with Puppet, allowing Puppet to safely retrieve and distribute secrets used in your automation workflows without storing or exposing the information. Integrating Puppet and Vault for secrets management can reduce secrets exposure and provide a high security level across your environments.
Some of the benefits of integrating Puppet Enterprise and HashiCorp Vault are:
Improve security posture and implement secure automation best practices Increase user control over secrets that affect nodes managed by Puppet Leverage secrets from Vault according to best practices and your organization’s security policy A detailed audit log provides a record of who accessed sensitive data and when, and what actions were taken for enhanced tracking
Puppet + HashiCorp Vault in Action
The high-level steps of how Puppet and HashiCorp Vault interacts are listed below:
- The Puppet agent starts an agent run and communicates with the Puppet server to get the catalog data.
- The Puppet agent authenticates to Vault to get the secrets data via a deferred function utilizing the Vault lookup plugin.
- The Vault lookup plugin authenticates to Vault using the TLS auth method by presenting the Puppet agent SSL certificate.
- Vault validates the Puppet agent SSL certificate by checking that the certificate has been signed by the Puppet Server CA and has not been revoked.
Managing systems at scale and ensuring secrets are stored securely can be difficult for any organization. Puppet has a history of helping some of the largest, most complex Global 5000 companies achieve success with DevOps and security.
If you're looking for where to start or how to scale your current practices, reach out to us to see how Puppet Professional Services can help your organization.