Introducing Self-Managed Vault As A Service (VaaS) On Google Cloud

Get a better understanding of VaaS on Google Cloud to bolster your security game.

August 3, 2023 | Feature Highlight | Google Cloud

As your SMB scales to new heights, the need for advanced secret management emerges. Manually storing sensitive data such as tokens and SSH keys suffices only up to a point.

However, as your team expands, it's essential to simplify the management of authentication credentials, keys, and secrets.

Additionally, security is a concern as you migrate workloads to the public cloud for scalability and cost reasons.

So – what if we told you that you can safeguard your sensitive data in a digital vault?

What is Vault?

HashiCorp's Vault presents an elegant solution for securely managing your secrets. A vault encrypts your sensitive data to prevent unauthorized access. Rather than being passive storage, a vault is an active service that controls who can read and write that data.

Think of a vault as a highly secure and encrypted password repository.

Vaults establish secure control over sensitive assets, or "secrets," by authenticating clients against identity sources such as Active Directory (AD), Kubernetes, and LDAP, as well as the identity services of cloud platforms.

Centralizing your secret management via a vault strengthens your DevOps processes by provisioning an additional layer of database security.

In a nutshell, here are some of the critical benefits of a secrets Vault:

  • Centralized Control

    Your organization might have several stakeholders belonging to various functions. Instead of separately managing their individual “secrets,” a Vault collates all sensitive assets into one central location.

  • Enhanced Productivity

    Authentication becomes more secure and hassle-free.

  • Lifecycle Management

    A vault streamlines password rotation and helps you monitor and track all secrets across your organization. Vaults also generate transient, dynamic secrets such as SSH keys, database passwords, and PKI certificates, and manage their lease and rotation.

  • Legal Compliance

    Auditing secrets is a tedious task. A Vault allows you to comply with intricate data regulations such as CERT, HIPAA, and FDCC.

Did you know that enterprises with efficient DevOps implementations are 50% more efficient at resolving security issues? The same can be applied to your SMB! Reach out to D3V for an end-to-end DevOps solution for your cloud monitoring and CI/CD pipelines.

Setting up a Self-Managed Vault Service

It's time to get a little techie. Here's how you can self-host a Vault service on Google Cloud (see the guide on Vault cluster deployment in Kubernetes (K8s)). In that approach, you leverage Google Cloud Storage (GCS) as the backend infrastructure for your Vault's assets.

We at D3V implemented an interesting twist to the Vault deployment. Instead of deploying the Vault instance on K8s, we self-managed the Vault on GCP (using a MIG setup).

  1. Created a stateful managed instance group (MIG) whose instances run the latest Vault binary.
  2. Used GCS as the backend storage for Vault. Data written locally on the GCE VMs is replicated to GCS via GCSFUSE, so the GCS bucket is always kept up to date with the data stored on the individual VM instances.
  3. Updated the Vault configuration to expose the MIG through the load balancer's external IP.

Quick Brief on the MIG

GCP Managed Instance Groups (MIGs) enable you to operate applications on several identical VMs. Using MIGs, you can ensure scalability and high availability for your workloads. You also have access to vital MIG services, including auto-healing, auto-updating, and multi-zone (regional) deployments.

What is Cloud Storage Fuse (GCS FUSE)

Google Cloud Storage FUSE (GCSFUSE) is an open-source FUSE (Filesystem in Userspace) adapter that lets you mount Cloud Storage buckets as file systems on macOS or Linux.

Leveraging GCS FUSE for your Vault hosting reduces deployment overhead. Cloud Storage FUSE itself is free; however, storage and metadata operations are billed like any other Cloud Storage usage.

You can run GCS FUSE anywhere you have connectivity to GCP, including Google Compute Engine (GCE) VMs.

Google's Collaboration with HashiCorp's Vault

Google’s KMS (Key Management Service) module takes your Cloud security to the next level. KMS provides centralized, scalable and seamless cloud key management.

Recently, Google launched a Cloud KMS secrets engine exclusively for HashiCorp Vault. Here are some of the unparalleled benefits:

  1. Familiar APIs and authorization

    With the secrets engine, you can use the Vault API to create new KMS configurations.

  2. Higher Security Standards

    Cloud KMS keys can have their cryptographic operations performed on FIPS 140-2 Level 3 validated HSMs, a high assurance bar for the keys that protect your Vault.

Why Google Cloud Storage (GCS) and Vault Are a Match Made in Heaven

GCS boasts some scintillating features that simplify your Vault server management. The key is to use GCS Fuse as your backend storage method for self-hosting the Vault. Additionally, you can use KMS for the seal management of your Vault Server.

The result is that your Google Compute Engine (GCE) server presents secrets to you and you alone. No third party has access to your secrets.
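One way to wire these pieces together, as an added example that is neither D3V's nor HashiCorp's own code: a startup script for a stateful-MIG instance that mounts the bucket with gcsfuse, renders a Vault config with api_addr set to the load balancer IP (step 3 of the deployment above) and a Cloud KMS seal, and starts the server. The bucket name, mount path, load balancer address and KMS project/key names are placeholder assumptions.

```shell
#!/bin/sh
# Constructed startup-script example (not D3V's or HashiCorp's code) for a
# stateful-MIG Vault node: mount the GCS bucket with gcsfuse, render a Vault
# config advertising the LB IP, auto-unseal with Cloud KMS. All names are placeholders.
set -eu
VAULT_BUCKET="${VAULT_BUCKET:-example-vault-data}"   # placeholder bucket
VAULT_MOUNT="${VAULT_MOUNT:-/var/lib/vault/data}"
VAULT_LB_IP="${VAULT_LB_IP:-203.0.113.10}"           # placeholder LB address (TEST-NET)

# Mount the bucket so Vault's file backend writes land directly in GCS.
mount_vault_bucket() {
  mkdir -p "$2"
  # --implicit-dirs exposes object prefixes as directories, which the file
  # backend needs because it creates nested directories per path.
  gcsfuse --implicit-dirs "$1" "$2"
}

# Print a Vault server config. Args: lb_ip data_path project region keyring key
render_vault_config() {
  cat <<EOF
ui = true
# Advertise the MIG's load balancer address, not the VM's own IP.
api_addr = "https://$1:8200"
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}
# File backend on the gcsfuse mount: each write becomes an object in GCS.
storage "file" {
  path = "$2"
}
# Cloud KMS auto-unseal; the VM service account needs only the
# cloudkms.cryptoKeyEncrypterDecrypter role on this one key.
seal "gcpckms" {
  project    = "$3"
  region     = "$4"
  key_ring   = "$5"
  crypto_key = "$6"
}
EOF
}

# Perform the real mount and start only when run as the VM's startup script.
if [ "${VAULT_BOOTSTRAP:-0}" = "1" ]; then
  mount_vault_bucket "$VAULT_BUCKET" "$VAULT_MOUNT"
  render_vault_config "$VAULT_LB_IP" "$VAULT_MOUNT" "example-project" \
    "us-central1" "vault-keyring" "vault-unseal" > /etc/vault.d/vault.hcl
  vault server -config=/etc/vault.d/vault.hcl
fi
```

Vault's file backend has no HA coordination and gcsfuse provides no cross-instance locking, so keep the MIG at one active instance and rely on the bucket to carry state across instance replacements (the TLS files are provisioned separately). Vault also ships a native gcs storage backend with HA support if more than one active node is ever needed.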

Self-Managed Vault vs Vault (SaaS)

The Google Marketplace does feature a SaaS Vault offering. However, by self-hosting the Vault service – there’s a massive cost-cutting potential. Moreover, the self-managed choice is relatively more secure since there’s no third party involved in handling your sensitive data.

Wrapping Up

As small and medium-sized businesses scale, the need for advanced secret management emerges. The manual storage of sensitive data such as tokens and SSH keys is no longer sufficient when teams expand, and security is a concern. HashiCorp's Vault presents a secure solution by encrypting sensitive data to prevent unauthorized access. Centralizing secret management via a vault strengthens DevOps processes by providing an additional layer of database security.

Benefits of a secrets Vault include centralized control, enhanced productivity, lifecycle management, and legal compliance. Self-hosting the Vault service provides cost-cutting potential and increased security, as there is no third party involved in handling sensitive data. Google’s KMS module and Cloud KMS secrets engine, along with GCS Fuse, provide unparalleled benefits for secure Vault server management.

If you or your team would like assistance in setting up VaaS on Google Cloud, reach out to our experts today for a free technical consultation.

Author

Harsimran Singh Bedi

Dheeraj Panyam

Principal Cloud Architect
Dheeraj has been working as a Google Cloud Professional Architect for the past 5 years helping design solutions and architecture set up on public cloud platforms. Dheeraj also has 20+ years total experience across App Development, Production Support, QA Automation & CloudOps.
