When Venafi announced the creation of the Machine Identity Management Fund in December 2018, OpenCredo, a U.K.-based software consultancy specializing in machine learning, cloud and DevOps applications, was named as one of the three inaugural developers. They started by building the industry’s first open source Kafka connector to the Venafi Platform. Since then, they’ve created two more Venafi solutions: Secure Software Pipeline Verifier and Venafi-Vault Wizard.
In this post, we chat with Trent Rosenbaum, lead consultant at OpenCredo, about Venafi-Vault Wizard, a free standalone utility that simplifies the setup and configuration between the Venafi Trust Protection Platform or Venafi as a Service and HashiCorp Vault. Says Paul Cleary, senior ecosystem architect at Venafi: “HashiCorp Vault is one of our most used integrations but it doesn’t come without its complexities. Venafi-Vault Wizard provides users with an easy-to-use wizard that makes the initial setup almost dummy-proof, which is especially important as organizations begin to embrace the #fastsecure mindset.”
Zero Trust with cert-manager, Istio and Kubernetes
Increasing visibility without slowing down developers
What led to Venafi-Vault Wizard’s development? What problem did it seek to solve?
Trent: Getting machine identities isn’t normally within the scope of most developers, and it isn’t natural for developers to have to procure their machine identities directly from Venafi. So, oftentimes it’s easier for them to just spin up a standalone instance of Vault and use that machine identity in the application they’re building.
The problem with that, of course, is this happens out of band, and InfoSec has no visibility, let alone the ability to put policy on that. So, InfoSec relies on the Venafi-Vault integration, which makes it easy for developers to access machine identities while at the same time providing InfoSec visibility into how they’re being used. So, our goal with Venafi-Vault Wizard was to take a valuable integration and not only make it easier to set up but also optimize the way the two systems work together by streamlining the integration process.
How does Venafi-Vault Wizard make this important integration easier to set up?
Trent: The Wizard makes it really easy to produce a configuration file that can be reused with multiple instances of Vault. The end user is asked a set of questions, and from that, Venafi-Vault Wizard sets roles and permissions accurately and properly. In addition to guiding them through the configuration process with these questions, we also give examples of configurations based on best practices.
Then this configuration file can be repeated throughout the environment without having to go through the Wizard again and again. You can just say, “Here’s my config. I want exactly what I did last time on this new machine.” And it’s easy to make minor customizations to those config files depending on the types of environments you want to use the integration in, say, Kubernetes or whatever.
This guided instruction framed by the questions the Wizard asks provides guardrails so that you aren’t wasting time exploring other areas that aren’t relevant. You get exactly what you need for your use case, and it’s easy.
What other benefits does Venafi-Vault Wizard provide users?
Trent: In addition to providing our users a way to make their deployments consistent and relevant to their environments, Venafi-Vault Wizard also provides them with an audit trail they can use. And that’s especially useful when you’re using us to integrate the Venafi Platform and Vault in different types of instances. And it helps people offload aspects of management, such as versions of Vault with cloud-managed instances, by letting us handle the heavy lifting of what needs to be done.
What excites you most about the work you’ve done on Venafi-Vault Wizard?
Trent: We want to champion equal partnerships between development and InfoSec teams and that requires communication. And it also means learning how to communicate about the things that are meaningful to each group. We hope that Venafi-Vault Wizard can be used to help guide conversations in the sense that it’s at once simple to use and yet extremely informative and powerful. It helps both groups get done what they need to get done while bringing about greater understanding.
And really, that’s what the Venafi ecosystem represents to developers—ways to further the conversation and improve collaboration going forward.
In our follow-up OpenCredo interview, I chat with Hieu Doan, DevOps consultant at OpenCredo about Secure Software Pipeline Verifier.
Why Do You Need a Control Plane for Machine Identities?
Related posts