Ondat Teams with SUSE to Protect Customers’ Sensitive Data with Enhanced Kubernetes Security

March 29, 2022 Off By David
Object Storage

Ondat announced it is teaming with SUSE to deliver management of digital authentication credentials (secrets management) in Kubernetes to protect access to sensitive data for SunnyVision, a data center infrastructure service provider. This comes just after the release of Ondat’s Trousseau open source project in February. 

Previously, secrets management in Kubernetes was complicated and added lots of components – anathema for security professionals. The Trousseau open source project addresses these issues, leading Ondat and SUSE to team up to provide this enhanced security for their customer, SunnyVision.

With SUSE Rancher and built-in Trousseau, SunnyVision can now leverage the native Kubernetes way to store and access secrets in a safe way by plugging into Hashicorp Vault using the Kubernetes KMS provider framework. No additional changes or new skills are required.

“Segregation of the encryption keys in our multi-tenant environment means every data volume has its own key and has secure access protected from any of the other tenants,” said Bill Wong, CEO, SunnyVision. “Trousseau guarantees the security of keys, and without it this sort of secure data storage for containers would be very complex and near impossible.”

Andy King, partner solution architect at SUSE, said, “The Ondat data platform is used by SunnyVision as the basis for its database as a service (DBaaS) which is attractive to managed service provider (MSP) customers. MSPs are able to build services on the DBaaS to provide customized solutions to their customers. The integration with SUSE Rancher to easily consume Key Management Systems (KMS) addresses the critical need for protecting sensitive data in cloud-native solutions deployed in the Kubernetes ecosystem.”

Trousseau uses Kubernetes etcd to store API object definitions and states. The Kubernetes secrets are shipped into the etcd key-value store database using an in-flight envelope encryption scheme with a remote transit key saved in a KMS. Secrets protected and encrypted with Trousseau and its native Kubernetes integration can connect with a key management system to secure database credentials, a configuration file or TLS (Transport Layer Security) certificate that contains critical information and is easily accessible by an application using the standard Kubernetes API primitives.

“Secrets management has always been one of the most difficult issues in Kubernetes,” said Romuald Vandepoel, principal cloud architect with Ondat and the project lead for Trousseau. “We’re glad to see Trousseau applied to that long-time problem being deployed at major installations as part of SUSE Rancher.”