Modern secrets management for a modern railway operator

Why Vault: The secrets management journey

Engineering Team Leader and Security Architect, Andreas Meister has been at the heart of the company’s digitization. He received internal inquiries about secrets management as early as March 2019. Safeguarding credentials has become a major point of emphasis during the company’s transformation. 

Meister and his teams gathered requirements for a potential secrets management solution. Any platform the group chose would have to properly store secrets, streamline access to those secrets, and minimize business risk along the way. Based on these requirements, it quickly became clear that HashiCorp Vault best met SBB's needs. 

“There are three main reasons why we chose Vault,” Meister revealed. “The developer-first approach is a perfect match for SBB IT; Vault is resilient, stable, and highly available; and it’s like a Swiss army knife of secrets management, providing many integrations out of the box with a fast-paced roadmap.”

From zero to production in 6 months flat

"For a project to be successful, the right people have to work together," Meister underscored. Collaboration would be key for the entire Vault implementation journey. The application security team worked with SBB’s identity & access management (IAM) team. Every SBB stakeholder worked with Adfinis, a global open source service provider specialized in planning, building and running cloud native and Linux-based workloads.. 

Michael Hofer, Chief Technology Officer at Adfinis, summarized the joint effort between the two companies. “Collaboration was very important and at the core of the relationship. We provided the Vault experience from beginning to go-live.” Adfinis guided SBB through the Vault adoption trail, including strategy, architecture design and engineering. Importantly, the collaboration ensured SBB’s site-reliability engineers could take over core aspects of operating Vault.

SBB and Adfinis implemented four Vault clusters on OpenShift platforms operated by SBB. The primary clusters leveraged AWS and the secondary clusters, Swiss OTC, T-Systems' private cloud platform.

 "When building the platform, we placed great emphasis on automated processes. This means that the entire configuration is in code and GitOps is not just a buzzword. The team was able to perform a complete migration from one cloud platform to another within a few hours," emphasized Hofer.

With all stakeholders working together, getting Vault up and running was seamless and quick. "It is really impressive how fast our colleagues have built the Vault platforms in under 6 months and have already taken the first customers on board," said Meister. 

A renewed emphasis on customer orientation

"A platform, no matter how good, does nothing for the company if it is not used. That's why we have invested in the training and awareness of developers, but also in automation," explained Meister.

Beyond Vault implementation, SBB’s AppSec team organized various presentations and Vault trainings. Meister’s teams also developed comprehensive documentation with tutorials for developers. To tie everything together and streamline developer access to Vault, Meister’s teams enhanced SBB’s Developer Self Service Portal. Now, developers can order access to Vault (and other tools) without invoking manual processes. Automating this process guarantees strong Vault governance by enforcing least-privileged access.

The journey goes on

Meister recognized the potential for the secrets management effort to be the foundation for future transformations.

“This was our lighthouse use case,” he said.

Today, other applications at SBB’s disposal can also benefit from Vault, even if those apps don’t come with native Vault integration. That other applications can already leverage Vault is evidence of its power as a light tower. The solution gives SBB’s developers the tools they need when they need them without fear of exposing valuable credentials. Vault has strengthened SBB’s security in the right place.