# OpenBao and Compliance Frameworks

Secrets management is a core control in every major security framework. OpenBao provides the technical capabilities; VSHN operates them on Swiss infrastructure with ISO 27001-certified processes. This page maps OpenBao features to the CIS Controls, ISO 27001, and FINMA requirements that Swiss enterprises face.

## CIS Controls v8 mapping

### CIS Control 3: Data Protection

CIS Control 3 requires organizations to develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

| Sub-control | OpenBao capability |
|---|---|
| 3.1 Establish data management process | OpenBao provides a centralized secrets inventory. All secrets are stored in defined paths with metadata, replacing scattered credentials in config files and environment variables. |
| 3.6 Encrypt data on end-user devices | OpenBao's Transit engine provides encryption as a service. Applications encrypt data through the API without handling raw keys. Keys never leave OpenBao. |
| 3.9 Encrypt data on removable media | Transit engine encrypts arbitrary data. Backup encryption uses sealed storage with auto-unseal keys stored separately from the data. |
| 3.10 Encrypt sensitive data in transit | All OpenBao API communication uses TLS. VSHN configures TLS certificates via the PKI engine, automating certificate lifecycle management. |
| 3.11 Encrypt sensitive data at rest | OpenBao encrypts all stored data at rest using AES-256-GCM. The encryption key is itself encrypted by an unseal key, providing defense in depth. |
| 3.12 Segment data processing | OpenBao namespaces and policies segment secrets by team, application, or environment. Access policies enforce least-privilege boundaries between segments. |

### CIS Control 6: Access Control Management

CIS Control 6 requires organizations to use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.

| Sub-control | OpenBao capability |
|---|---|
| 6.1 Establish access granting process | OpenBao policies define who can access which secrets at which paths. Policies are code (HCL), reviewable in version control, and applied consistently. |
| 6.2 Establish access revoking process | Secrets have configurable TTLs with automatic expiration. Dynamic credentials (database, cloud) are generated on demand and revoked after use. Leaked credentials can be revoked immediately via the API. |
| 6.3 Require MFA for externally-exposed apps | OpenBao supports TOTP-based MFA for vault access. VSHN can integrate OpenBao authentication with your existing identity provider (OIDC, LDAP). |
| 6.4 Require MFA for remote network access | Service-to-service authentication uses short-lived tokens or AppRole credentials instead of static passwords, reducing the attack surface for remote access. |
| 6.5 Require MFA for administrative access | OpenBao operator access requires authentication through configured auth methods. VSHN enforces MFA for all administrative operations on managed infrastructure. |
| 6.7 Centralize access control | OpenBao serves as a single source of truth for secrets across all applications and environments. One policy engine governs access regardless of where the application runs. |
| 6.8 Define and maintain role-based access | OpenBao's policy system maps directly to role-based access control. Teams, applications, and CI/CD pipelines each get scoped policies that grant access only to the secrets they need. |
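To make the policy-as-code and least-privilege rows above concrete, here is an added Python example (not OpenBao's or VSHN's code) that models how OpenBao path-based policies evaluate a request: it parses the `path "…" { capabilities = […] }` HCL subset, merges matching rules from every policy attached to a token, applies only the most specific matching pattern(s), and lets a `deny` on that pattern override any grant. The matching semantics (trailing `*` as a prefix glob, `+` as a single-segment wildcard, exact path beating glob, longer literal prefix beating shorter) follow the Vault-lineage policy rules OpenBao inherited; the two policy texts are constructed for illustration, and `capabilities_for` is a deliberately simplified stand-in for a dry-run against the real `sys/capabilities` API, not a replacement for it.

```python
"""Toy model of OpenBao path policies (added example, not OpenBao or VSHN code)."""
import re
from dataclasses import dataclass

# Matches the HCL subset used for OpenBao policies: path "<pattern>" { capabilities = [...] }
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


@dataclass(frozen=True)
class Rule:
    pattern: str
    capabilities: frozenset


def parse_policy(text: str) -> list[Rule]:
    """Parse path blocks out of a policy document.
    Assumption: one capabilities attribute per path block and '#' only starts comments."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for pattern, caps in RULE_RE.findall(body):
        names = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.append(Rule(pattern, names))
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """'+' matches exactly one path segment; a trailing '*' is a prefix glob."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    seg = path.split("/")
    if glob:
        if len(seg) < len(pseg):
            return False
        head_ok = all(p in ("+", s) for p, s in zip(pseg[:-1], seg))
        return head_ok and seg[len(pseg) - 1].startswith(pseg[-1])
    return len(pseg) == len(seg) and all(p in ("+", s) for p, s in zip(pseg, seg))


def _specificity(rule: Rule) -> tuple:
    # exact paths beat globs; among globs, the longer literal prefix wins
    glob = rule.pattern.endswith("*")
    return (0 if glob else 1, len(rule.pattern.rstrip("*")))


def capabilities_for(policies: dict[str, list[Rule]], path: str) -> set[str]:
    """Dry-run evaluation of the capabilities a token holding `policies` has on `path`.
    Matching rules from all policies are merged, only the most specific pattern(s)
    apply, and a 'deny' among them overrides every grant. No match is an implicit deny."""
    matching = [r for rules in policies.values() for r in rules if path_matches(r.pattern, path)]
    if not matching:
        return set()
    best = max(_specificity(r) for r in matching)
    caps = set().union(*(r.capabilities for r in matching if _specificity(r) == best))
    return {"deny"} if "deny" in caps else caps


def is_allowed(policies: dict[str, list[Rule]], path: str, operation: str) -> bool:
    return operation in capabilities_for(policies, path)


# Constructed policies for illustration only.
PAYMENTS_APP_POLICY = """
# one application's KV secrets, read-only
path "secret/data/payments/*" {
  capabilities = ["read", "list"]
}
"""

CI_PIPELINE_POLICY = """
# CI fetches a dynamic DB credential on demand but must never see the signing key
path "database/creds/ci-role" {
  capabilities = ["read"]
}
path "secret/data/payments/prod-signing-key" {
  capabilities = ["deny"]
}
"""


def demo() -> dict[str, bool]:
    """Evaluate a token that holds both constructed policies against a few paths."""
    token_policies = {
        "payments-app": parse_policy(PAYMENTS_APP_POLICY),
        "ci-pipeline": parse_policy(CI_PIPELINE_POLICY),
    }
    return {
        "read payments db": is_allowed(token_policies, "secret/data/payments/db", "read"),
        "update payments db": is_allowed(token_policies, "secret/data/payments/db", "update"),
        "read billing db": is_allowed(token_policies, "secret/data/billing/db", "read"),
        "read signing key": is_allowed(token_policies, "secret/data/payments/prod-signing-key", "read"),
        "read ci db creds": is_allowed(token_policies, "database/creds/ci-role", "read"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} -> {'allowed' if ok else 'denied'}")
```

The point of the `demo()` cases is the last two: the glob in the application policy would grant `read` on the signing key, but the more specific `deny` in the pipeline policy wins, while a path no policy mentions at all (the billing secret) is denied without any rule saying so. That is the behaviour a reviewer should expect from least-privilege policies kept in version control.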

### CIS Control 18: Penetration Testing

CIS Control 18 requires organizations to test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.

| Sub-control | OpenBao capability |
|---|---|
| 18.1 Establish penetration testing program | OpenBao's comprehensive audit log records every secret access, authentication attempt, and policy evaluation. This provides the evidence trail penetration testers need to verify that secrets management controls work as designed. |
| 18.3 Remediate penetration test findings | Dynamic credentials mean remediation can include rotating all affected secrets programmatically. If a test reveals exposed credentials, OpenBao revokes and reissues them through automation, not manual processes. |
| 18.5 Perform periodic internal penetration tests | OpenBao's audit logs let security teams verify that access policies are correctly enforced. Policy simulation (dry-run capability evaluation) lets teams test access boundaries without touching production secrets. |
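The evidence trail that rows 18.1 and 18.5 rely on is only useful if someone reads it. The following Python is an added example (not OpenBao's or VSHN's code) that runs three defender-side checks over OpenBao audit-device entries: repeated failed logins per source address, permission-denied responses per identity (which show the policies being enforced), and a per-identity list of secret paths actually read, for comparison against what each policy grants during an access review. The entry layout (`type`, `time`, `auth`, `request`, `error`, with tokens and secret values HMAC-SHA256'd rather than logged in clear) follows the Vault-lineage JSON audit format OpenBao inherited; the log lines themselves are constructed for this example, not real output.

```python
"""Review checks over OpenBao JSON audit entries (added example with constructed data)."""
import json
from collections import Counter, defaultdict

# Constructed sample audit entries in the Vault-lineage format OpenBao inherited.
# Real entries carry HMAC-SHA256 hashes of tokens and secret values, never plaintext.
SAMPLE_AUDIT_LOG = r'''
{"time":"2025-01-15T08:00:01Z","type":"request","auth":{"display_name":"approle","policies":["payments-app"]},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.0.1.20","client_token":"hmac-sha256:placeholder"}}
{"time":"2025-01-15T08:00:01Z","type":"response","auth":{"display_name":"approle","policies":["payments-app"]},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.0.1.20","client_token":"hmac-sha256:placeholder"},"error":""}
{"time":"2025-01-15T08:02:10Z","type":"response","auth":{"display_name":"alice","policies":["payments-app"]},"request":{"operation":"read","path":"secret/data/payments/api-key","remote_address":"10.0.2.5","client_token":"hmac-sha256:placeholder"},"error":""}
{"time":"2025-01-15T08:03:00Z","type":"response","auth":{"display_name":"approle","policies":["payments-app"]},"request":{"operation":"update","path":"secret/data/billing/db","remote_address":"10.0.1.20","client_token":"hmac-sha256:placeholder"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2025-01-15T08:05:00Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/approle/login","remote_address":"203.0.113.9"},"error":"invalid role or secret ID"}
{"time":"2025-01-15T08:05:02Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/approle/login","remote_address":"203.0.113.9"},"error":"invalid role or secret ID"}
{"time":"2025-01-15T08:05:04Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/approle/login","remote_address":"203.0.113.9"},"error":"invalid role or secret ID"}
{"time":"2025-01-15T08:06:30Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"10.0.2.5"},"error":"invalid username or password"}
{"time":"2025-01-15T08:07:00Z","type":"response","auth":{"display_name":"approle","policies":["payments-app"]},"request":{"operation":"update","path":"auth/approle/login","remote_address":"10.0.1.20"},"error":""}
'''


def parse_audit(text: str) -> list[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _responses(entries):
    # Each API call produces a request entry and a response entry; the response
    # carries the outcome, so counting only responses avoids double counting.
    return (e for e in entries if e.get("type") == "response")


def failed_logins(entries, threshold: int = 3) -> dict[str, int]:
    """Source addresses with at least `threshold` failed login attempts."""
    counts = Counter()
    for e in _responses(entries):
        req = e["request"]
        is_login = req["path"].startswith("auth/") and "/login" in req["path"]
        if is_login and e.get("error"):
            counts[req.get("remote_address", "unknown")] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


def permission_denials(entries) -> dict[str, list[tuple[str, str]]]:
    """Per identity: (operation, path) pairs that policy evaluation rejected."""
    denied = defaultdict(list)
    for e in _responses(entries):
        if "permission denied" in e.get("error", ""):
            who = e.get("auth", {}).get("display_name", "unknown")
            denied[who].append((e["request"]["operation"], e["request"]["path"]))
    return dict(denied)


def access_review(entries) -> dict[str, list[str]]:
    """Per identity: secret paths successfully read, to compare with granted policies."""
    seen = defaultdict(set)
    for e in _responses(entries):
        req = e["request"]
        if req["operation"] == "read" and not e.get("error"):
            seen[e.get("auth", {}).get("display_name", "unknown")].add(req["path"])
    return {who: sorted(paths) for who, paths in seen.items()}


if __name__ == "__main__":
    entries = parse_audit(SAMPLE_AUDIT_LOG)
    print("repeated failed logins:", failed_logins(entries))
    print("permission denials:", permission_denials(entries))
    print("paths read per identity:", access_review(entries))
```

Against the constructed log the checks report one address with three failed AppRole logins, one identity that was refused an `update` outside its policy, and the exact KV paths each identity read, which is what an access review compares against the granted policies. On a live deployment the same functions would consume the audit device's output file or socket stream instead of the embedded sample.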

## ISO 27001 alignment

VSHN holds [ISO 27001 certification](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf) for its operations. OpenBao capabilities map to several Annex A controls:

| ISO 27001 Annex A | OpenBao capability |
|---|---|
| A.8.1 User endpoint devices | Transit encryption for data at rest on endpoints |
| A.8.3 Information access restriction | Policy-based access control with least-privilege enforcement |
| A.8.5 Secure authentication | AppRole, OIDC, LDAP, and Kubernetes auth methods with short-lived tokens |
| A.8.9 Configuration management | Declarative policies in version control, auditable configuration |
| A.8.24 Use of cryptography | Transit engine, PKI engine, key management without key exposure |
| A.8.25 Secure development lifecycle | Dynamic credentials for CI/CD eliminate static secrets in build pipelines |

## FINMA considerations

Swiss financial institutions subject to [FINMA Circular 2023/1](https://www.finma.ch/en/documentation/finma-circulars/) (Operational Risks and Resilience) need to demonstrate control over cryptographic key management and access credentials. OpenBao on Swiss infrastructure operated by an ISO 27001-certified Swiss company (VSHN) addresses:

- **Key management under Swiss law**: no exposure to US CLOUD Act or foreign government access
- **Audit trail**: every secret access logged with timestamp, identity, and operation
- **Operational resilience**: HA deployment with automated unseal, encrypted backups, and 24/7 incident response
- **Outsourcing documentation**: VSHN provides ISAE 3402 Type II reports for regulated customers

## How VSHN implements compliance-ready OpenBao

VSHN does not just deploy OpenBao. We configure it for auditability:

1. **Audit logging enabled by default** with tamper-evident log storage
2. **Policy-as-code** stored in version control with review workflows
3. **Automated credential rotation** for database, cloud, and PKI credentials
4. **Encrypted backups** with retention and off-site replication
5. **Access reviews** supported through OpenBao's lease and token introspection APIs

Need a compliance assessment for your secrets management? [Contact us](#contact) for a free consultation.
