Vaults

All data within your VGS account is stored within a Vault. An Organization can have one or many Vaults, which gives you full control over, and isolation of, where sensitive information is stored. You can use multiple Vaults to isolate different domains of data and to support your Software Development Life Cycle (SDLC) so that it adheres to compliance and security requirements.

Vaults can be provisioned in a sandbox, live, live EU or live AP environment, or, for enterprise customers, in a dedicated environment. Sandbox Vaults are free but have limits on availability and performance and are intended for integration and testing only. Live Vaults have higher SLA requirements and can be provisioned across the globe to keep your data close to your users. Vaults handle all encryption, key management and data lifecycle management.

Each Vault has independent credentials and Routes, which let you determine where your data can flow.

How to Create a Vault

Vaults are managed via the VGS Dashboard or VGS CLI. There is no limit to the number of Vaults you can create.

Patterns and Practices

Separation of Concerns

In a software development lifecycle, companies typically create separate but identical systems that isolate each type of environment and responsibility. For example, developers and teams create live Vault environments to house their actual customer data and sandbox Vault environments to enable fast development of their applications without worrying about breaking their live systems. VGS lets you create these logical separations of data by creating a new Vault for each environment.

Within each Vault you additionally have credentials that are used to access data and separate credentials that are used to configure the Vault. This separation is critical for demonstrating separation of duty when providing evidence to auditors and security staff. Typically an administrator of your VGS Vault will have access to configure and manage Vault settings in accordance with a pre-written SDLC policy, and your applications will access, create and read data within the Vault using a separate set of credentials. Separating concerns in this way is a commonly accepted industry best practice and helps you maintain PCI compliance.

Separating Business Unit Data

Typically VGS customers will deploy a Vault per business unit. This allows each business unit to maintain control over its own data and routing, which makes it simple to provide lineage and reporting to auditors and security teams. Creating a Vault for each business unit is a simple pattern to implement to satisfy this constraint.

Frequently Asked Questions

How Do I Control Access to Vaults?

Users can be provisioned to a Vault with a read, write or admin role. Each role provides a different level of access. To implement a strong SDLC, customers will typically provide engineers with write permissions to Sandbox Vaults and then use a service account to promote the configuration of a Sandbox Vault to their Live Vault through an automated CI/CD system such as Terraform.
