Extending Vault: Zero Trust with HashiCorp Boundary
Author: John 'JJ' Jarvis
Release Date: 28/01/22
HashiConf Global is a wrap, and, along with loads of Kubernetes integrations, a main theme was the importance of zero trust as a security model for modern organisations. In a multi-cloud context, this can be summarised as four pillars: human authentication and authorisation, machine authentication and authorisation, human-to-machine access, and machine-to-machine access.
Authentication and authorisation
Across these four pillars is a consistent requirement: identity-driven controls. This is the key to HashiCorp’s security model, including HashiCorp Vault: before any machine or user can do anything, it must identify who or what it is and have a trusted source vouch for it, in a process we call authentication. That identity then defines, through policies, what it is allowed to do, in a process we call authorisation.
HashiCorp Vault provides an automated workflow for both people and machines to centrally manage access to credentials and encrypt sensitive data through a single API. Companies use different identity platforms for federated systems of record, and HashiCorp Vault leverages these trusted identity providers as the foundation of this identity-based access and security.
Human-to-machine access: HashiCorp Boundary
Traditionally, solutions for safeguarding user access required distributing and managing SSH keys, VPN credentials, and bastion hosts. This created credential sprawl, associated with overly permissive access to entire networks and systems. HashiCorp Boundary, working with HashiCorp Vault, solves this by providing simple, secure remote access to dynamic sets of hosts and services without managing credentials, IP addresses, or exposing your network.
(The final pillar, machine-to-machine access, is provided by HashiCorp Consul. See the HashiCorp whitepaper, "Trust Nothing. Authenticate and Authorise Everything.", for more details on Consul’s role in this space, and the Consul docs for more info on it as a service mesh and beyond!)
Boundary 0.7
With the release of Boundary 0.7, automated discovery of targets and services, which the team calls Dynamic Host Catalogs, means access on demand to dynamic infrastructure: no more manually configuring targets, host sets, and so on. To see this in action, I highly recommend a talk by the Boundary team at HashiConf Global. They also demonstrate how sales analysts, in their cogent scenario, would use their own familiar tooling to generate reports using credentials procured through Boundary; and, similarly, how database administrators would use Boundary to procure credentials they then use in PGAdmin, a PostgreSQL administration tool, to fix problems with a database.