Podcast
Root Causes 203: What Is a Credential Vault?
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
January 31, 2022
Credential vaults are necessary for secure and functional secrets management for automated systems like DevOps or Robotic Process Automation (RPA). This episode explains how credential vaults work and details their benefits.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanWe want to talk about credential vaults. What are credential vaults at a high level?
Jason SorokoCredential vaults are really about making sure that your secrets management is rational, and these will cover a few use-cases - a lot of DevOps automation, robotic process automation, anywhere where in some sort of automation system, typically code based. Even sometimes low code based, you keep your authentication credentials behind an API, therefore, instead of hard coding credentials into code, you are basically calling an infrastructure that’s helping you to authenticate. It’s essentially an abstraction layer to aid in automated authentication.Tim CallanFirst of all, there’s a security benefit. I mean, as soon as you start to say, hard coding your credential into your code, I go, yikes because we’ve seen that be a problem plenty of times in the past. But also, there’s sort of a future proofing benefit to this.Jason SorokoHuge. So, again, any kind of abstraction layer to authentication is a good thing because your authentication method through time may change. Think about a cloud database. What might today or yesterday have been a username and password might tomorrow involve perhaps a second factor of authentication or eventually go to a certificate-based authentication. If you are using a good credential vault, then more than likely the way in which you’re calling the API of that credential vault might not even have to worry about the type of credential. So, those kinds of things are helping you not only to do things more securely but as you say, reducing the friction of change in terms of how you authenticate through time.Tim CallanPresumably a modern enterprise, and you and I have talked about this in the past, has different credentialing methods for different systems that might depend on when they were built or somebody’s assessment of the risk involved or what kind of platforms they’re on. There’s a bunch of reasons why that might happen. Credential vaults also I think could help you deal with the difference and the vagaries between these different systems to give you a consistent interface in every case.Jason SorokoI can tell you that there are a lot of different credential vaults out there. I wouldn’t say a ton, but there’s a number of them out there - some of them very, very purpose built for what they do, some of them obviously very focused on certain kinds of DevOps features, some of them very specifically set up for RPA, but the concept is very similar, and that’s why we’re talking about it kind of in one bucket here today.Tim CallanSo, not to put too fine a point on it, and it’s kind of implied in the name credential vault, but what is the concept? Walk us through what happens.Jason SorokoImagine that you are as part of your DevOps application rollout, you have to log into your public cloud, whatever IAM system is behind that, and then you are also having to log into perhaps an application within it specifically, perhaps a Linux server to administrate it, and then you are uploading code, which then needs some sort of IAM up on the server, and then all of a sudden you need to be able to plug into a database, you have to authenticate to a database to retrieve data in order to make a decision about how you make a configuration. Well, that database authentication requires another credential. And those credentials can span everything we talked about, everything from just plain old username and password if it’s a legacy system, to something perhaps needing a second factor of authentication. Perhaps you’re even needing a certificate-based authentication. You could have a blend or mix of all of those things, which each one of them may need to have a lookup to its own identity and access management system - its own IAM. And so, every one of those logins needs a bit of work, and rather than hard coding that into your Ansible or your Chef or your Puppet or whatever it is you’re coding, perhaps even other low code systems, it would be just far superior to be able to say, hey, I need to log into this database. Please retrieve everything I need to be able to do that. Therefore, your code is very clean, it’s very future proofed, and certainly, the biggest problem being solved, as you said, you do not want to have hard coded credentials floating around, and we have seen those problems, and we continue to see those problems.Tim CallanSo, if all the goodies are sitting in the vault, how do we protect goodies in the vault?Jason SorokoI think the way that it works is, you can put a very high level of authentication against your credential vault. Here’s what I would suggest as a really good idea. Basically, as part of your scripting management, the ability for this scripting to be able to make an API authentication call, I’m going to suggest a certificate-based authentication. So, in other words, there’s probably a certificate being used that you’re challenged for as part of the automatic process, and that headless system just takes that takes what it needs, private key never leaves a safe place and authentication is achieved. Therefore, yes, there is a chicken and egg problem that needs to be solved, but thankfully in modern times, we are able to get key material where they need to be in a secure manner, and therefore, that one master authentication controls your ability to then retrieve other forms of credentials.Tim CallanAnd that’s PKI based, so that’s the strongest form of authentication there can be. So, that’s as good as it gets.Jason SorokoYes, and that’s one way of doing it. There are other ways that it has been done because of perhaps, maybe the thing that’s being called or the system that’s being programed on is legacy. There are limitations that obviously older forms of authentication can handle, but I would like to make the argument that any automated system really shouldn’t be using human forms of authentication such as username and password and certainly adding in second factor. That’s really meant for people. Any time you’re truly automating something, it’s best when you’re using a certificate.Tim CallanAnd where would this credential vault live? Like, is this on a secure piece of hardware or something along those lines?Jason SorokoIt can be. I’ve certainly seen appliances where these things are installed. Sometimes it’s a server in-house that’s hardened, but quite often it can also be a cloud implementation. Here’s quite often what I see, Tim, is very modern credential vaults right now for very paranoid customers will ultimately allow the customer to hold the private key, basically the master credential of the credential vault. Therefore, that resides in-house, and the rest of the infrastructure is occurring in the cloud.Tim CallanSo, is there a risk factor there? What would happen if that private key, that master key, let’s say, was lost and was not recoverable? At that point, my credential vault can’t be used. It has to be recreated before I can use those automated systems. Would that be correct?Jason SorokoWell like any PKI, any kind of root key like that needs to be protected. The bonus, though, is that because of the fact that all of your credentials are being protected in one place, if all of those secondary credentials were somehow known to be compromised, then a good credential vault could also act as a - think of it like a very powerful password manager and able to flip those passwords. And that’s just part of the natural part of the system anyway. In other words, because of the fact that this is an abstraction layer, essentially a heart, it allows for good credential management behind the scenes minimizing pain of the consumption of those credentials.Tim CallanBecause the stuff external to the vault doesn’t have to change. The stuff external to the vault is just requesting your credential, and if those credentials get updated, modernized, refreshed, that’s separate to all of that other code. That code just keeps doing what it’s doing.Jason SorokoSo, I’d like to argue that it kind of is best practice. Yes, you’re absolutely right. There is a, there’s always a risk in having credentials stored anywhere, but if they’re stored in a place where your ability to maintain and change and monitor the system is maximized, that’s kind of your best-case scenario.Tim CallanThat’s great. Did we miss anything on the subject of credential vaults?Jason SorokoNo. I would say though, Tim, that some of you who have Privileged Access Management Systems, some of you who have RPA, some of you who are running DevOps, some of you who are running low code systems, I can tell you, you probably have a credential vault in there somewhere. It’s something that check it out. I think in modern times it’s best practices to use and it’s good to know a little bit more about it. It’s one of those pieces of infrastructure that could easily be overlooked if you weren’t looking for it. Chances are, it’s in there somewhere.Tim CallanGreat. Alright, well, thank you, Jason. That was a good introduction to a fundamental and valuable element behind Access Management, and I’m glad we talked about it today.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
