HashiCorp Vault vs. CyberArk: Secret Management Solutions

There is an old saying, “Two can keep a secret if one of them is dead.” Yet, in our digital era, secret management products like HashiCorp Vault and CyberArk transcend this dated philosophy.
HashiCorp and CyberArk have developed platforms that allow multiple applications to securely access and share 'secrets': credentials that grant access to systems, such as passwords, database logins, API keys, or TLS certificates.
Let's delve into the details of these two of the most popular secret management solutions. By the end of this article, you will have a broad understanding of what HashiCorp Vault and CyberArk do and how they compare with one another.
What Problem Does Secret Management Solve?
Before HashiCorp and CyberArk, many applications suffered from 'password sprawl.'
Quick Definition: Password sprawl is the widespread, unmanaged dispersal of passwords across systems and platforms, often because users hold multiple accounts or follow poor management practices, which heightens security risk.
Credentials, including database and certificate passwords, were haphazardly scattered throughout configuration files, source code, and request headers. Ultimately, these details would end up in version control, such as GitHub, where anyone could see them.
This is a serious issue because you have no idea who can view the passwords. Even worse, there is no way to record whether a password was viewed. That makes things gravely insecure, and it is difficult to rotate passwords once they expire. The challenge wasn't just keeping passwords hidden but also managing and updating them securely. Let's look at how HashiCorp Vault and CyberArk have tackled this issue head-on.
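The first step in cleaning up password sprawl is finding where credentials already sit in files. The scanner below is an added example, not code from the article or either vendor: it runs a handful of credential patterns (key/value assignments, the AWS access-key-id shape, private-key headers, and URLs embedding a user:password pair) over a few constructed sample files, and it deliberately skips values that are only references to a secret store or an environment variable. The file names and contents are constructed for the example; the AWS key shown is the placeholder from AWS's own documentation, not a real key.

```python
"""Scan configuration and source text for hardcoded credentials.

Added example (not from the article): a minimal detector for the
"password sprawl" problem, run over constructed sample files.
"""
import re
from typing import Dict, List, Tuple

# Patterns for credential-bearing lines in config files and source.
# "assignment" catches lines such as   db_password = "hunter2"
# "aws_access_key" is the documented access-key-id shape (AKIA + 16 chars).
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{4,})"
    ),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
}

# Values that reference a secret store or the environment rather than
# holding a secret inline: ${VAR}, os.environ[...], <placeholder>, vault:...
SAFE_VALUE = re.compile(
    r"^(\$\{?\w+\}?|os\.environ.*|os\.getenv.*|<[^>]+>|vault:.*)$", re.I
)


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line_number, finding_kind) for each suspicious line."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "assignment" and SAFE_VALUE.match(match.group(2)):
                continue  # a reference such as password=${DB_PASSWORD} is fine
            findings.append((name, lineno, kind))
            break  # one finding per line is enough for triage
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents, in a stable order."""
    out: List[Tuple[str, int, str]] = []
    for name in sorted(files):
        out.extend(scan_text(name, files[name]))
    return out


# Constructed sample files: none of these values are real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "app.properties": (
        "db.host=db.internal\n"
        "db.user=app\n"
        "db.password=S3cr3t-pass!\n"          # inline password: flagged
        "cache.ttl=300\n"
    ),
    "settings.py": (
        "import os\n"
        "API_KEY = os.environ['API_KEY']\n"    # environment reference: not flagged
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"   # AWS docs placeholder key: flagged
        "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/app'\n"  # flagged
    ),
    "deploy.yaml": (
        "image: registry.internal/app:1.2\n"
        "env:\n"
        "  DB_PASSWORD: ${DB_PASSWORD}\n"      # reference: not flagged
        "  TOKEN: <injected-by-vault-agent>\n"  # placeholder: not flagged
    ),
}


if __name__ == "__main__":
    for file_name, line_no, kind in scan_files(SAMPLE_FILES):
        print(f"{file_name}:{line_no}: possible hardcoded credential ({kind})")
```

A real rollout would run this (or a mature tool with the same idea) in a pre-commit hook and in CI, so that the question "who can see this password?" is answered before the file reaches version control.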
What is HashiCorp Vault?
HashiCorp Vault is a centralized secret management application that encrypts credentials both at rest and in transit. It was founded in 2012 as a full-service secret manager operation.
HashiCorp Vault automatically audits and records every user who accesses a secret, and it allows applications to retrieve credentials for automated operations. Pictured below is an example of the HashiCorp Vault UI:
In addition to a UI, HashiCorp Vault has an API that allows you to control every aspect of your secrets programmatically. This facilitates automation and non-human interaction.
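To make the programmatic side concrete, here is a minimal client for Vault's HTTP API that reads a secret from the KV version 2 engine. This is an added example, not code from HashiCorp: the endpoint (GET /v1/<mount>/data/<path>), the X-Vault-Token header and the nested data.data response shape are Vault's documented API, while the address, token, secret path and the offline stub transport are assumptions constructed so the example runs without a Vault server.

```python
"""Read a secret from HashiCorp Vault's HTTP API (KV version 2).

Added example, not code from HashiCorp. The endpoint, header and response
shape are the documented ones; the address, token, secret path and the
offline stub response are constructed for this example.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

Transport = Callable[[urllib.request.Request], bytes]


def urllib_transport(req: urllib.request.Request) -> bytes:
    """Default transport: perform the request and return the response body."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


class VaultKV2Client:
    """Minimal client for the KV v2 secrets engine."""

    def __init__(self, addr: str, token: str, mount: str = "secret",
                 transport: Transport = urllib_transport) -> None:
        self.addr = addr.rstrip("/")
        self.token = token
        self.mount = mount
        self.transport = transport

    def build_request(self, path: str, version: Optional[int] = None) -> urllib.request.Request:
        """GET /v1/<mount>/data/<path>[?version=N] with the token in X-Vault-Token."""
        url = f"{self.addr}/v1/{self.mount}/data/{path.strip('/')}"
        if version is not None:
            url += f"?version={version}"
        # Vault authenticates API calls with the X-Vault-Token header,
        # never with the token in the URL (which would land in access logs).
        return urllib.request.Request(url, headers={"X-Vault-Token": self.token}, method="GET")

    def read(self, path: str, version: Optional[int] = None) -> Dict[str, Any]:
        """Return the secret's key/value pairs (KV v2 nests them under data.data)."""
        body = json.loads(self.transport(self.build_request(path, version)))
        if "errors" in body:
            raise PermissionError(f"Vault returned errors: {body['errors']}")
        try:
            return body["data"]["data"]
        except KeyError as exc:
            raise ValueError(f"unexpected response shape: {body}") from exc


# ---- offline stand-in for a Vault server (constructed for this example) ----
EXAMPLE_ADDR = "http://127.0.0.1:8200"       # Vault's default dev-server address
EXAMPLE_TOKEN = "hvs.example-token-not-real"  # constructed, not a real token
EXAMPLE_PATH = "myapp/db"                     # assumed secret path

_STUB_SECRET = {"username": "app", "password": "example-only"}


def offline_transport(req: urllib.request.Request) -> bytes:
    """Answer like a Vault server would for one known path and token."""
    headers = {k.lower(): v for k, v in req.header_items()}
    if headers.get("x-vault-token") != EXAMPLE_TOKEN:
        # Vault answers 403 with a JSON error body for a bad or missing token.
        return json.dumps({"errors": ["permission denied"]}).encode()
    expected_url = f"{EXAMPLE_ADDR}/v1/secret/data/{EXAMPLE_PATH}"
    if req.get_method() != "GET" or not req.full_url.startswith(expected_url):
        return json.dumps({"errors": []}).encode()  # Vault's 404 body shape
    return json.dumps({
        "data": {
            "data": _STUB_SECRET,
            "metadata": {"created_time": "2024-01-01T00:00:00Z", "version": 2,
                         "deletion_time": "", "destroyed": False},
        }
    }).encode()


def demo() -> Dict[str, Any]:
    """Read the stub secret through the same code path a real call would use."""
    client = VaultKV2Client(EXAMPLE_ADDR, EXAMPLE_TOKEN, transport=offline_transport)
    return client.read(EXAMPLE_PATH)


if __name__ == "__main__":
    secret = demo()
    print(f"fetched keys for {EXAMPLE_PATH}: {sorted(secret)}")  # never print the values
```

Swapping in the default transport talks to a real server; everything else, including the audit trail Vault writes for the read, is handled server-side. Note the distinction from KV version 1, where the key/value pairs sit directly under data rather than data.data.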
Numerous organizations around the world have put this software to great use. One such example is LG, a major electronics and appliance company, which leveraged HashiCorp Vault technology to create a scalable and reliable cloud management infrastructure. The organization increased its security posture by centralizing its secrets and having services pull credentials directly from the Vault. By the end of the project, the company was able to reduce the amount of time required to create a cloud pipeline and increase the resilience of their applications.
HashiCorp Vault Pricing
HashiCorp Vault offers four different tiers of pricing. All of these are accurate at the time of this writing.
HCP Development — Starting at $0.03 per hour.
HCP Standard — Starting at $1.58 per hour.
HCP Plus — Starting at $1.84 per hour.
Custom — Contact Sales for pricing
The HCP Development tier is so inexpensive because it is not meant for production environments. It is meant for developers to use as a single instance to build proofs of concept and learn how the technology works. All production environments will need the “Standard” edition or higher.
HashiCorp Vault offers a 30-day free trial for those interested in getting their feet wet.
What is CyberArk?
CyberArk, which was founded in 1999, is older than HashiCorp. Regarding secret management, CyberArk can be thought of as the incumbent that HashiCorp Vault is looking to oust. CyberArk allows users to log onto machines while still keeping the password hidden from the user. It will record the user’s interaction with the machine.
Let’s think of how this would be useful in the real world. Let’s say a production server needs an emergency patch. For example, a vulnerability that gives a hacker access to a server is uncovered. Normally, the IT team performs patches through an automated process. Yet, this patch must be installed immediately and downloaded directly from the vendor’s website.
CyberArk allows any authorized user to access the machine without needing the password. Instead, CyberArk stores the password in a central location and supplies it for the session without revealing it to the user. CyberArk then times and records that session and safely stores the recording for accountability purposes. This is a key feature because not only does it store the password, but it also limits how long the machine can be logged on to and video-records the entire interaction.
This adheres to a core security principle called Zero Trust. It has nothing to do with believing employees have bad intentions but rather with the fact that mistakes happen. If employees share passwords to access an important production server, it will almost certainly become compromised.
Pictured below is an example of the CyberArk UI:
CyberArk Pricing
CyberArk Identity is just one of the many services that CyberArk provides. It has five pricing tiers, starting at $3 per user per month, and the highest tier is $5 per user per month. In other words, if you had five users on the $5 monthly plan, that’d be $25 monthly.
One thing to consider is that these are not necessarily “good, better, best” versions of the same product. They are separate editions aimed at different use cases.
CyberArk Adaptive MFA ($3 per user per month)
Provides MFA to all CyberArk access points: This means all methods of accessing your software and hardware must go through a multi-factor authentication process.
Endpoint protection: CyberArk will leverage device location, browser, and the OS to assist in user authentication.
Context-based: CyberArk analyzes the context of each login, using AI to identify anomalous access conditions so that log data does not have to be reviewed by hand. That means if someone gains access to the server in an unusual way, CyberArk will notify you immediately.
CyberArk Single Sign On ($2 per user per month)
This tier is geared more towards individual teams. It provides:
Adaptive access: CyberArk will analyze user activity and execute policies.
Remote work: Provides users with the ability to sign into the server remotely.
App integration: Allows you to use CyberArk authentication with other applications.
CyberArk Workforce Password Management ($5 per user per month)
This tier is very similar to the first one but also gives the user access to the CyberArk Vault, which we’ll review shortly.
CyberArk Identity Lifecycle Management ($4 per user per month)
This allows users, such as HR personnel, to provision RBAC roles to users easily. It provides the following:
Dynamic access: Automatically provision roles based on a list of apps in the CyberArk integrated cloud. So, for example, let’s say you wanted to give someone access to Microsoft Outlook; it could be done quickly and easily from here.
Policy-based provisioning: Automatically assign or remove roles as employees join and leave the company.
Centralized management: All access, even access within individual apps, can be controlled from one central location.
CyberArk Identity Compliance ($5 per user per month)
The final offering is an auditing interface that provides logs and various analytics on the organization’s overall security posture.
Access certification: Provides the ability to review, approve, and revoke access privileges in different safes.
Access discovery: Review all resources and entitlements provided to users, including access to SaaS applications.
As briefly mentioned, CyberArk also has a Vault capability very similar to HashiCorp Vault. A user can log into CyberArk and retrieve a password, or the secret can be delivered over an encrypted channel to a CI/CD build that needs the credentials.
For example, let’s say an application needs access to an SQL database on startup. The application is programmed to make a REST call to the CyberArk safe and retrieve the required information. CyberArk allows that password to be dynamic. That means even if the application somehow accidentally logs the password, it will be one that quickly expires. This gives attackers a much more difficult target.
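A dynamic password only helps if the application treats it as short-lived: it must not cache the credential past its lifetime and should keep it out of logs. The code below is an added example, not code from CyberArk or HashiCorp. The fetch_credential function is a hypothetical stand-in for the REST call to the safe, and the payload shape (username, password, ttl in seconds) is an assumption for this example; a fake clock drives the simulation so it runs offline.

```python
"""Use a short-lived database credential from a secrets manager safely.

Added example, not code from CyberArk or HashiCorp. The fetch function
stands in for the REST call to the safe; its payload shape is assumed.
"""
import dataclasses
import itertools
import time
from typing import Callable, Dict, Optional


@dataclasses.dataclass(frozen=True)
class Credential:
    username: str
    # repr=False keeps the password out of repr(), so an accidental
    # log line such as logger.info("using %r", cred) does not leak it.
    password: str = dataclasses.field(repr=False)
    expires_at: float   # absolute time the store will retire the password
    refresh_at: float   # when we proactively fetch a replacement


class CredentialCache:
    """Hands out a valid credential, rotating it before the lease runs out."""

    def __init__(self, fetch: Callable[[], Dict[str, object]],
                 clock: Callable[[], float] = time.time,
                 refresh_margin: float = 30.0) -> None:
        self._fetch = fetch            # REST call to the safe (injected)
        self._clock = clock
        self._margin = refresh_margin  # seconds before expiry to rotate
        self._current: Optional[Credential] = None
        self.fetch_count = 0

    def get(self) -> Credential:
        now = self._clock()
        if self._current is None or now >= self._current.refresh_at:
            payload = self._fetch()
            ttl = float(payload["ttl"])
            if ttl <= 0:
                raise ValueError("secret store returned a non-positive ttl")
            # Never wait longer than half the lease for very short ttls.
            margin = min(self._margin, ttl / 2)
            self._current = Credential(
                username=str(payload["username"]),
                password=str(payload["password"]),
                expires_at=now + ttl,
                refresh_at=now + ttl - margin,
            )
            self.fetch_count += 1
        return self._current


# ---- offline simulation (constructed for this example) ----
class FakeClock:
    """Controllable clock so the lease timing can be exercised offline."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_fake_fetch(ttl: int = 300) -> Callable[[], Dict[str, object]]:
    """Hypothetical stand-in for the safe: a fresh password on every call."""
    counter = itertools.count(1)

    def fetch_credential() -> Dict[str, object]:
        n = next(counter)
        return {"username": f"app-{n}", "password": f"generated-{n}", "ttl": ttl}

    return fetch_credential


def simulate() -> tuple:
    """Show one rotation: (first user, user at 200 s, user at 280 s, fetches)."""
    clock = FakeClock()
    cache = CredentialCache(make_fake_fetch(ttl=300), clock=clock, refresh_margin=30)
    first = cache.get()       # fetch #1 at t=0
    clock.advance(200)
    same = cache.get()        # t=200: still outside the margin, no fetch
    clock.advance(80)
    rotated = cache.get()     # t=280: inside the 30 s margin, fetch #2
    return first.username, same.username, rotated.username, cache.fetch_count


if __name__ == "__main__":
    print(simulate())
    print(repr(make_fake_fetch()()))  # the raw payload is the one thing to never log
```

When get() returns a new credential, the application opens its database connections with the new password; whether connections opened with the old one stay alive until the store revokes it depends on the secret store and the database, so treat the expiry time as the hard deadline.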
HashiCorp Vault vs. CyberArk: Final Thoughts
In this article, we've explored both CyberArk and HashiCorp Vault in depth. While they have distinct features, they ultimately serve similar purposes. Both have excellent cloud-native support and are compatible with Azure, GCP, AWS, and Kubernetes.
It is important to remember that CyberArk has many more services aside from CyberArk Identity and Vault. However, to figure out how much you’ll have to shell out, contacting a CyberArk representative is recommended. CyberArk is widely used by large enterprises. However, it may be overkill if you are in a small shop.
If your company needs to make a decision, giving their free trials a go is highly recommended. Review the tutorials and decide which one seems easier and most compatible with your existing architecture. Both HashiCorp Vault and CyberArk are titans when it comes to secret management, and you can’t really go wrong with either one of them.
Ready to learn more? Take our HashiCorp Certified: Terraform Associate (003) Online Training.