Adam Ochayon
Solution Architect
Published on
October 2, 2024
The modern IT infrastructure landscape has become ever more complex, with distributed environments growing rapidly across multiple clouds and deployment models. As businesses adopt more SaaS applications and embrace hybrid setups, the sprawl of technologies used by different teams grows with it. The result is an increasingly fragmented infrastructure landscape, in which maintaining holistic visibility, security, and governance is a growing challenge for security teams.
At the heart of this infrastructure lie the secrets – sensitive information such as API keys, credentials, and tokens, scattered across various systems and applications. These secrets are critical for enabling access to different integrations and services, but also pose the risk of granting privileged access to the wrong people. Managing these secrets efficiently is critical to the security of any modern enterprise. The logical solution to storing these secrets securely is to put them in vaults.
In today’s cloud-driven environments, cloud-native vaults have emerged as the preferred choice for developers. This is due to their seamless integration with the native ecosystem, offering convenience and efficiency. By being tightly coupled with the respective cloud providers’ stack, these vaults allow developers to securely store, retrieve, and manage secrets without leaving their preferred environment and the overhead that might introduce.
For example, AWS offers SSM Parameter Store and Secrets Manager, two services that tie neatly into the AWS ecosystem and let you store secrets securely and manage access to them granularly, without the overhead or cost of maintaining your own vault.
In Azure, Key Vault offers similar features with tight integration into Azure workloads.
These cloud-native vaults simplify secret management for developers, allowing them to focus on coding and delivering features rather than wrangling with infrastructure. They are also often cost-effective compared with dedicated vaulting and secrets management tools, which typically cost an order of magnitude more per secret.
However, despite these benefits, this model carries the same challenge present in other cloud and hybrid environments: how to manage it holistically without losing track of which secrets live where.
As cloud adoption continues to accelerate and organizations spread workloads across multiple platforms, an inevitable phenomenon is “secrets sprawl”. With developers being rightfully opinionated about using native tools that best fit their workflow, the idea of a centralized vault becomes more difficult to implement comprehensively and effectively.
This problem is exacerbated further by the rapid increase in identity sources: in addition to cloud access, many PaaS and SaaS applications, such as Snowflake, Salesforce, and GitHub, have their own internal identity mechanisms and credentials.
This sprawl introduces significant challenges:
Some cloud-native vaults offer solutions to these challenges; however, as is often true, the devil is in the details. Auto-rotation, for example, typically requires writing and configuring your own Lambda function, which creates additional overhead and, if implemented carelessly, can itself cause business disruption: a rotation function that promotes a new credential before verifying that the target system accepts it, or that cannot safely be re-invoked after a partial failure, leaves consumers holding a credential that no longer works.
This leaves security organizations with a difficult tradeoff -
The ideal approach would be to leverage the native vaults that developers already love and the organization is often already paying for, while layering on a centralized governance system to provide visibility and policy enforcement. This allows for the best of both worlds: developers can continue to use the tools they prefer, and security teams can maintain control and oversight across the board.
This is where Oasis comes in. Oasis helps supplement the existing cloud-native vault capabilities by providing:
One of the key advantages of Oasis is its ability to help organizations optimize their secret management strategy by enabling seamless migration between third-party vaults and cloud-native solutions. Whether you’re looking to take advantage of the developer-friendliness and lower cost of cloud-native vaults like AWS SSM Parameter Store, or to move sensitive information from a cloud-native solution to a more specialized third-party vault for enhanced security or compliance, Oasis makes the process effortless.
Thanks to our cloud-agnostic and vault-agnostic approach, paired with robust automation capabilities, Oasis allows you to move secrets without interrupting workflows or causing business disruption. The ability to automate migrations, rotations, and decommissioning gives customers a powerful tool to continuously improve their security posture without sacrificing agility or efficiency.
In an age where multi-cloud and hybrid environments are the norm, it’s critical to balance the needs of both developers and security teams. A centralized policy enforcement layer like Oasis, sitting atop the cloud-native vaults, provides this balance, ensuring security without compromising developer agility.