The Swiss Federal Railways (SBB), renowned as one of the most punctual railway operators in the world, has embarked on an ambitious "Strategy 2030" digital transformation to enhance the customer experience, improve efficiency, and move toward carbon neutrality. This strategy required interconnecting thousands of systems, from traffic management and ticketing to vast networks of IoT devices on trains.
To support this massive digitization, SBB's development teams needed a modern, highly available, and scalable method to manage thousands of application secrets (certificates, tokens, and credentials). Their core challenge was to eliminate hard-coded, plain-text secrets and establish security automation across critical IT systems without compromising the high availability required for 24/7 railway operations.
SBB required a solution that was resilient, stable, and offered a developer-first approach. To meet these stringent requirements, SBB partnered with Adfinis, a global open source service provider specializing in planning, building, and running cloud-native and Linux-based workloads.
Adfinis was brought on board to provide the end-to-end expertise for the implementation of HashiCorp Vault, the industry-leading identity-based secrets management platform.
Adfinis guided SBB through the entire adoption journey, encompassing strategy, architecture design, and engineering. The Adfinis team engineered the setup of four highly available Vault clusters on SBB’s OpenShift platforms, based on a custom-built multi-cloud strategy (AWS and Swiss OTC).
A key success factor was Adfinis's emphasis on automation and Infrastructure as Code (IaC). Adfinis confirmed the entire configuration was defined in code, implementing a true GitOps approach. This automation laid the groundwork for future platform resilience.
“Collaboration was very important and at the core of the relationship. We provided the Vault experience from the beginning to go-live.”
Michael Hofer | CTO at Adfinis
Through the strategic partnership with Adfinis, SBB successfully deployed a hardened, resilient secrets management platform in under six months. Adfinis's architecture design not only met SBB's immediate security needs but also delivered long-term operational agility. We, at Adfinis, are proud to support organizations like SBB in building secure, scalable, and automated platforms based on open-source principles.
“Vault is resilient, stable, and highly available, and it’s like a Swiss army knife of secrets management, providing many integrations out of the box with a fast-paced roadmap.”
Andreas Meister | Engineering Team Leader and Security Architect at SBB
Vault is a tool that helps organizations keep their data safe by securely managing access to secrets, like passwords, API keys, and sensitive information. With Vault, you can control who accesses what, ensuring only authorized users or applications have the necessary keys. Adfinis helps you get the most out of Vault with setup, support, and training tailored to your needs. This way, your team can confidently manage sensitive data and streamline security, even in complex cloud environments.