HashiCorp Cloud Platform Roles/Responsibilities

Last Updated: August 2021

Security of the HashiCorp Cloud Platform (HCP) is a shared responsibility between HashiCorp and the customer. This shared model can help reduce the customer’s operational burden, as HashiCorp manages and controls certain components of the system, such as the operating system (e.g. updates and security patches), while the customer is responsible for access management, multi-factor authentication (MFA), and configuration of access control lists (ACLs). As HCP is run entirely out of the public cloud, there are certain components that the public cloud provider is responsible for, such as physical security of the facilities in which the service operates. Customers should carefully review the model outlined below to better understand the specific responsibilities that are under the customer’s control.

The Shared-Responsibility Model

It's important to distinguish between the security of the cloud versus security in the cloud. The former is the responsibility of HashiCorp, while the latter is the responsibility of the customer.

Before diving into the details, there is one important aspect to consider, which is the inherited security controls from the public cloud provider. In this case, the public cloud provider manages the physical and environmental controls — meaning they are responsible for anything related to the physical data center and relevant controls.

As for the security of the cloud, this responsibility lies with HashiCorp. This includes controls related to high availability, vulnerability and patch management, upgrade cycles, backups, authentication, and authorization mechanisms.

The customer, on the other hand, is responsible for the security in the cloud, meaning user access management, roles and permissions, configuration of ACLs, and proper data governance.

Shared Responsibility Model for HCP

Customer
  Responsible for: Security in the application
  Responsibility:
    • Information and data transferred to/from HCP
    • User access, accounts, and identities
    • Roles and permissions
    • Control of when to update to major versions of HashiCorp services
    • Multi-region availability

HashiCorp
  Responsible for: Application security in the cloud
  Responsibility:
    • Application management
    • AuthN and AuthZ mechanisms
    • Backups
    • Operating system
    • Virtual network controls (segmentation) and firewalls
    • Encryption at rest and in transit
    • Software upgrades, bugs, and fixes

Public Cloud Provider
  Responsible for: Security of the cloud infrastructure
  Responsibility:
    • Platform and supporting applications
    • Compute resources
    • Physical (hosts, network, DC)
    • Physical networking
    • Storage

HCP Data Collection and Storage

HCP, like any Software-as-a-Service (SaaS) provider, collects and stores data. This section breaks down what data is being collected, why it’s being collected, and where it’s stored.

First, data is collected in the control plane, which is responsible for orchestrating the entire lifecycle of a cluster: creation, upgrades, snapshots, and, finally, destroying the cluster.

Second, data is collected in the data plane, which is where our customers are able to customize and utilize their clusters and request audit logs from HCP.

Lastly, data is collected from customers that use HCP, such as IP addresses, name/email, and credit-card number.

The tables below show what data is collected, and why, in the HCP control plane and data plane:

HCP Control Plane

Users
  Description: From customer’s use of the HCP portal or public APIs: Individuals or service accounts who establish an account with us, or otherwise use our Websites, products, and/or services
  What is collected:
    • Name
    • Email
    • GitHub username (only if GitHub authentication is used to log into HCP)
    • Credit-card number, billing address
  Why it's collected:
    • To access our websites, products, and/or services
    • Billing
    • Identity verification
    • 2-factor authentication

User organization networking
  Description: Networking and Cloud provider/datacenter details needed to establish encrypted connections
  What is collected:
    • Networking service identifiers related to the user organization’s cloud provider
    • Cloud-provider account ID for user organization
    • User organization’s cloud provider network subnets and routes
  Why it's collected:
    • To establish an encrypted network connection from HCP to the user organization’s cloud provider

Audit logs
  Description: Audit logs for HCP
  What is collected:
    • Audit log messages for user and service-principal activity on the platform
  Why it's collected:
    • Compliance, security, and audit purposes
    • Product support

Product telemetry
  Description: Data gathered on the performance and use of the service and service components
  What is collected: Measurements on:
    • API performance times
    • Application error information
    • User feature-usage statistics and API calls
    • User agent information
    • IP addresses
    • Page views and other clickstream data
  Why it's collected:
    • Adherence to service level objectives (SLOs) and service level agreements (SLAs)
    • Compliance, security, and audit purposes
    • Product support
    • Product performance

HCP Data Plane

Service logs
  Description: Logs derived from HCP managed services
  What is collected:
    • Log messages
  Why it's collected:
    • Adherence to service level objectives (SLOs) and service level agreements (SLAs)
    • Compliance, security, and audit purposes
    • Product support

Snapshots
  Description: Data snapshots/backups derived from HCP managed services
  What is collected:
    • Data snapshots
  Why it's collected:
    • Compliance, security, and audit purposes
    • Backup and recovery

Product telemetry
  Description: Data gathered on the performance and use of the service and service components
  What is collected: Measurements on:
    • API performance times
    • Application error information
    • User feature-usage statistics and API calls
  Why it's collected:
    • Adherence to service level objectives (SLOs) and service level agreements (SLAs)
    • Compliance, security, and audit purposes
    • Product support
    • Product performance

Frequently Asked Questions

Which Public Cloud Provider regions are currently supported?

HCP Vault and Consul currently support the following regions:

  • AWS Virginia - us-east-1
  • AWS Oregon - us-west-2
  • AWS Ireland - eu-west-1
  • AWS London - eu-west-2
  • AWS Frankfurt - eu-central-1

Where is the data stored in an HCP Vault cluster?

  • HCP Vault Customer Data is stored encrypted in the same region as the HCP Vault cluster.
  • Cluster snapshot data is currently stored and encrypted in the US.
  • Audit logs are stored and encrypted in the same region as the Vault cluster.
    • Note: Audit logs are retained by HashiCorp for 12 months, then deleted.
  • The company may also have access to other data, such as metadata and analytics data, that will be stored in the US.

Where is the data stored in an HCP Consul cluster?

  • HCP Consul customer data is stored encrypted in the same region as the HCP Consul cluster.
  • Cluster snapshot data is currently stored and encrypted in the US.
  • The company may also have access to other data, such as metadata and analytics data, that will be stored in the US.