Token Security For Real-Time Apps with Astra DB Plugin for HashiCorp Vault

Organizations today are recognizing that real-time applications are the backbone for their business. Real-time applications are increasingly mission critical, driving rich customer experiences and increased revenue opportunities. At the same time, it is crucial that the sensitive data and information for these applications is protected and secured. As a result, organizations rely on a data stack that can drive the speed and scale of their real-time applications, while ensuring uninterrupted business operations and robust security for their data. 

DataStax Astra DB is the cloud-native, fully managed, multi-cloud/multi-region DBaaS (database-as-a-service) that helps deliver powerful real-time applications with the speed and scale modern businesses demand, at a fraction of the cost. Based on open source Apache Cassandra, Astra DB offers several built-in security mechanisms to easily ensure the safety of the organization’s data while reducing the operational overhead and Total Cost of Ownership (TCO). 

Astra DB’s built-in security mechanisms include network security via IP Access controls and PrivateLink support, data encryption, role-based access control, single-sign-on (SSO). Also included are application tokens used to connect applications to Astra DB using a variety of developer endpoints. Users can easily create these application tokens and use them within their applications and it is important that these application tokens are secure. 

Token security requires that tokens can be tagged by the users who created them, and that the tokens are identified by some metadata and/or descriptions. This tagging ensures that ownership and usage of tokens is tracked and can be audited. Under certain circumstances, it may also be necessary to have the ability to rotate tokens automatically. This limits the scope of misuse since the validity of tokens is short-lived due to the rotation. This requirement can be extended further by provisioning dynamic tokens, which are leased for a limited period of time.

We are happy to introduce the Astra DB Plugin for HashiCorp Vault which provides all these security enhancements for Astra DB application tokens. Read on to learn more!

Astra DB Plugin for HashiCorp Vault for Token Security

The general availability of the Astra DB Plugin for HashiCorp Vault enables robust security controls for Astra DB application tokens. 

HashiCorp Vault provides the foundation for modern multi-cloud security. It was purpose-built in the cloud era to authenticate and access different clouds, systems, and endpoints, and centrally store, access, and deploy secrets (API keys, credentials, etc.). It also provides a simple workflow to encrypt data in flight and at rest.

With the Astra DB Plugin for HashiCorp Vault, the life cycle management of application tokens is delegated to HashiCorp Vault. The Astra DB Plugin for HashiCorp Vault enables the following capabilities:

• Tracks the creation, rotation and revocation of the tokens to ensure the valid use of the tokens by valid users/roles
• Logs token ownership and usage of tokens, therefore allowing audits on token usage
• Allows associating metadata and keywords with tokens for ease of searchability of tokens
• Helps create dynamic application tokens for Astra DB, which can be leased for a limited period of time, therefore limiting any potential for misuse

These capabilities strengthen the security of Astra DB application tokens and provide a stronger security posture for Astra DB.

How to use the Astra DB Plugin for HashiCorp Vault

The Astra DB Plugin for HashiCorp Vault is offered as an open source plugin and can be downloaded here. Please refer to the technical documentation to install and use the Astra DB Plugin for HashiCorp Vault. You can also view the demonstration video for the Astra DB Plugin for HashiCorp Vault. The Astra DB Plugin for HashiCorp Vault can be used by customers at no additional cost. To use it, it is required to have a functional HashiCorp Vault Open Source or Enterprise deployment. 

Secure your application tokens TODAY

Customers who want to add an additional layer of security for Astra DB application tokens and are already using HashiCorp Vault will benefit from the Astra DB Plugin for HashiCorp Vault. This plugin allows customers to leverage HashiCorp Vault as a way to add an additional layer of security to application tokens and satisfy the needs of SecOps teams so that the application developers can fully adopt Astra as their platform choice. 

The next section gives a quick walkthrough for using the Astra DB Plugin for HashiCorp Vault.

Getting started with Astra DB Plugin for HashiCorp Vault

The Astra DB Plugin documentation provides all the detailed steps to get the Astra DB Plugin installed and configured with an existing HashiCorp Vault deployment. After the plugin is installed, you can follow these steps to get it configured with HashiCorp Vault. 

1. Write the Astra DB “bootstrap” configuration to HashiCorp Vault.
   
   This step will configure Vault with an Astra DB bootstrap token, which will then enable Vault to create and manage subsequent application tokens. As a best practice, the bootstrap token should be the only token created outside of Vault, so that Vault is used to fully manage the lifecycle of all the application tokens.
   
   As part of the configuration, it is possible to set the maximum token lifespan (lease duration). This will be the default lease time for all tokens created with Vault. All the tokens created using this configuration will be limited by this default lease duration, but it is possible to override this lease duration with a shorter value if desired.
   
   Example command:
   vault write astra/config org_id=<ORG_ID> astra_token=<TOKEN> url=https://api.astra.datastax.com logical_name=<LOGICAL_NAME> renewal_time=1d
   
   
2. Once a configuration is in place, Vault users can generate Astra DB application tokens. As part of the token generation, users can define:
   
   a. The role they wish the token to have
   b. A “logical name” for the token so that it is clear what the token is used for
   c. Key/value pair metadata for additional tagging of the token’s intended use
   d. A custom lease time, allowing the creator to override the default/maximum lease duration.
   
   Example command:
   vault write astra/org/token org_id=<ORG_ID> role_name=<ROLE_NAME>  logical_name=<LOGICAL_NAME> lease_time=1h metadata="key1=value1,key2=value2"
   
   
3. Tokens will expire once their lease duration is up. If the user or application using the token needs to continue using it, the token must be renewed. HashiCorp Vault can be used for token renewal.
   
   Example command:
   vault lease renew astra/org/token/<LEASE_ID>
   
   
4. Tokens in the Astra DB GUI can be cross referenced with tokens in HashiCorp Vault by searching for tokens in Vault by the Client ID provided in the Astra DB GUI. This will allow the retrieval of metadata to determine its use/owner, or the token itself.
   
   Example command:
   vault read astra/org/token client_id=<CLIENT_ID>
   
   
5. Tokens can be revoked prior to the lease expiration in the event a token is compromised, or a service is decommissioned.
   
   Example command:
   vault lease revoke astra/org/token/<LEASE_ID>

For a more detailed walkthrough of the integration, see our demo video and take advantage of the Astra DB Plugin for HashiCorp Vault to secure application tokens and manage their lifecycle.

Additional Resources

1. Technical Documentation for Astra DB Plugin for HashiCorp Vault
2. Github Code and Download link for Astra DB Plugin for HashiCorp Vault
3. DataStax Astra DB
4. Register for an Astra DB account
5. DataStax Community Platform
6. DataStax Astra DB Security Overview: Serverless Database-as-a-Service with Enterprise-level Security and Privacy