Tech Radar Turns to Secret Management
In January 2021, 140 companies in the CNCF End User Community were asked to describe what software their companies would recommend for managing secrets. Secrets are essential for cloud native computing. Every service requires an API key or credentials, so more software is passing credentials through more services than ever before. Secrets management refers to the tools and technologies used to manage digital authentication credentials. This can include APIs, keys, passwords, tokens, or other credentials used to protect sensitive information across the IT ecosystem.
Of the tools that were evaluated, only one, HashiCorp Vault, was a stand-alone package that could be run on any platform. The others were tied to specific platforms, such as Amazon Web Services. The rest of this space is pretty fragmented in terms of different tools being used, said Cheryl Hung, the Cloud Native Computing Foundation vice president of ecosystem who helped oversee the latest CNCF Tech Radar report on emerging cloud native technologies.
In a way, it is surprising that so many organizations have gone with Vault, given the inherent complexities of setting up the software, but these challenges do not seem to be an inhibitor to some organizations; so, kudos to HashiCorp.
Other organizations, however, are happy to let the cloud provider manage secrets. The secrets management features offered by the cloud providers are almost “turn-key,” so onboarding a new operation should be relatively easy, the report noted. The end-users here did not seem to be too worried about being locked into a specific cloud provider, given that the effort to move a secrets management system to another architecture would be far less work than moving a database to a new environment, Hung noted.
The report, and each of the quarterly reports, addresses organizations in two different stages of cloud native development. The first type of organization doesn’t have an existing solution and needs to make a decision. This report would help decision-makers for these orgs prioritize what choices to test. “If there were 20 different options, maybe it'll help you prioritize the top three, to look at,” Hung said. The other type of organization already has an existing secrets management system in place, but it wants to benchmark it against peers. “Is there a reason that [other organizations] are using something else? And there might be good reasons for that, so it just helps them benchmark,” Hung explained.
For a deeper dive into this report on secrets, check out our recent The New Stack Analyst podcast.