Software Hub has several secret management options that are better than the default out-of-the-box option in OCP (Red Hat OpenShift Container Platform):
- Internal Vault
- External Vault
- Vault Bridge
Let's review these options.
Internal Vault
IBM Software Hub Internal Vault is primarily intended for use during proof-of-concept (POC) setup. Anything stored within the Internal Vault is encrypted. IBM recommends disabling the internal vault before you move your POC application into production, in favor of a production-grade external vault.
External Vaults
The ideal scenario is one where you already have set up an external vault such as IBM Secrets Manager and it is already in use. You have set up access control for your external vault based on your business needs, and you keep your secrets, API keys, etc. in that vault. Software Hub provides an integration option for such external vaults. Once integrated, Software Hub products can access the secrets stored in your external vault. The key here is to implement a configuration in Software Hub that suits your security needs.
Review the vault-related permissions to understand how they should be used:
- "Add vaults" permission - This permission is needed to integrate an external vault with Software Hub. Once the external vault is integrated, you can add references to any number of external secrets.
- "Manage vaults and secrets" permission - With this permission you can remove or undo the vault integration, and you can manage as well as add secrets in Software Hub. You can view a list of the secrets kept in each vault that is integrated with Software Hub. This permission also covers the case where the previous owner(s) lost access: you can transfer manager responsibility to another person.
- Share Secrets - Do not do this.
When integrating an external vault, the focus needs to be on limiting exposure to the external vaults and to the secrets that are being externalized into Software Hub and Software Hub products. If you cannot limit the number of people with access, or if you cannot limit the scope of secrets, you should ensure that a granular configuration can be created that lets you track and manage key usage effectively, both from the Software Hub products and from the external vault side.
You should only permit sharing secrets as a last resort.
Bridges to external vaults
Beyond CyberArk and HashiCorp Vault, which you can integrate directly with Software Hub, Software Hub provides a vault bridge SDK that you can use to integrate or "bridge" with several other external vaults. The vault bridge SDK includes examples of bridging to the following external vaults:
- AWS Secrets Manager
- Microsoft Azure Key Vault
- IBM Cloud Secrets Manager
Using the vault bridge SDK, you can dynamically plug most key managers or vaults into the Software Hub platform. After integration, IBM Software Hub products can fetch secrets or credentials from that vault.
Managing secrets using vaults
Please review the vault configuration section in the Software Hub product documentation, as it will help you make the right choice based on your security needs. Here are the recommendations:
- Disable the internal vault
- Disable secret sharing. This encourages your users to be responsible for their own secrets and credentials
- Require the use of secrets stored in an external vault when creating connections to databases
Final Thoughts
Better secrets management is key to ensuring data security and privacy. We recommend that you use an external vault, or integrate Software Hub with a vault service using the bridge SDK that Software Hub provides. Please shore up secret management and establish accountability among your user base. For more information about using secrets in connections, see:
Secret management doesn’t have to be a headache. With IBM Software Hub, you get a secure, automated, and transparent system that scales with your Kubernetes workloads.
If you’re serious about DevSecOps, it’s time to rethink how you manage secrets.