
How to Choose the Optimal Secrets Management Solution

Secrets management solutions tend to be critical and will probably accompany your company for years to come, so it’s important to make the right choice.

Here we provide a partial list of tips that can help you choose the best solution for your needs:

  1. Are you using more than one cloud provider, or do you plan to?
    Consider a multi-cloud solution so that you are not locked in to a single cloud provider.
  2. Check whether the solution you are considering provides a “Zero Knowledge” KMS, so that your provider never holds all parts of your encryption key.
  3. Consider a SaaS solution if your environment is connected to the internet. SaaS can save you a lot of time on setting up your infrastructure and maintaining the environment later on.
    Note that a secrets management solution tends to be a critical environment, so it requires a complex and quite expensive infrastructure.
  4. If you choose SaaS, make sure it provides real HA (high availability), a DR (disaster recovery) fallback, monitoring, and scaling.
  5. Calculate the TCO (total cost of ownership), including planning, the cost of infrastructure / hardware (if it’s on-prem), the cost of the team who will maintain it, and the cost of subscriptions or licensing.
  6. Try the secrets management solution before you buy it!
  7. Check whether the solution provides an HSM (you might need one, for example to unseal Vault in a secure way).
    Check whether it is offered at extra cost, and whether it requires extra infrastructure and hardware to get it up and running.
  8. Check whether the solution supports a variety of use cases, including those you might need in the future.
  9. Check whether the solution provides dynamic secrets that let you grant secure remote access to a combination of specific people and specific machines / services / applications, for a limited time (just in time) and according to a predefined policy.
  10. Do you have enough capacity and knowledge to maintain an on-prem solution by yourself?
    Note that self-hosted / on-prem Vault solutions require a lot of time to set up the environment’s infrastructure and to maintain it,
    especially if it is a critical environment (used for production or by dozens of users).
  11. Check whether the solution supports scale (growth). You might need to support more users, clients or secrets, so make sure the solution can handle that. Make sure the system scales easily in terms of maintenance operations and infrastructure cost, so that TCO and maintenance costs do not increase unexpectedly.
  12. Test how easy it would be to connect the system to “consumers” (your code, CI/CD system, Kubernetes, etc.).
  13. Check how easy it would be to integrate the solution with other systems in your business flow, including remote access, SSO authentication, etc.

Note that this is a partial list. Contact us to get more information and tips: vault@almtoolbox.com