What is our primary use case?
This is a Secrets Management framework to manage a keystore, certificates, and passwords dynamically in a Platform as a Service context, such as Vanilla Kubernetes Platforms, Rancher, Mesos, Tectonic, and Origin/OpenShift Enterprise Platforms.
Whatever the platform, this product can help provide good security and be PCI Compliant.
How has it helped my organization?
It is an added value for our customers to have a Secrets Management workflow available that is PaaS/CaaS/KaaS Platform agnostic.
Furthermore, for Private and Hybrid Clouds such as AWS and Azure, it helps us to address multiple use cases that are not covered by AWS KMS, Azure Key Vault, or even by Hardware Security Modules that are limited by key type and size.
What is most valuable?
The dynamic secrets and key revocation features help us to mitigate some risks more easily for our customers, starting at the beginning of their development, without service downtime.
Starting integration of this product at the CI/CD software factory level helps make it easier to expand the environment when needed.
What needs improvement?
A Service Mesh workflow connected within the Vault workflow would be difficult to integrate, depending on the SI complexity and security compliance.
A drawback for some clients who have to be PCI compliant is that they still need to use and subscribe to an HSM (Hardware Security Module) solution.
For how long have I used the solution?
I started using this solution two years ago.
What do I think about the stability of the solution?
Consul, the backend of Vault, is a distributed and highly available system and suitable for intensive production workloads.
What's my experience with pricing, setup cost, and licensing?
The community edition is a place to start, where the development framework is already in place. When moving to production, it is easy to make the switch and there are no additional development costs.
Once used in the framework, developers gain time to address authentication and authorization issues, which are managed once at the Vault level and no more.
Which other solutions did I evaluate?
For PKI management, the TLS certificate renewal or revocation "cert-manager workflow" can be useful but is, at times, not as compliant as expected.
Which version of this solution are you currently using?