Extending Vault: Zero Trust with HashiCorp Boundary

Author: John 'JJ' Jarvis
Release Date: 28/01/22

HashiConf Global is a wrap, and, alongside loads of Kubernetes integrations, a main theme was the importance of zero trust as a security model for modern organisations. In a multi-cloud context, zero trust can be summarised as four pillars: human authentication and authorisation, machine authentication and authorisation, human-to-machine access, and machine-to-machine access.


Authentication and authorisation

Across these four pillars is a consistent requirement: identity-driven controls. This is the key to HashiCorp’s security model, including HashiCorp Vault. Before any machine or user can do anything, it must identify who or what it is and have a trusted source vouch for it (a process we call authentication). That identity then defines, through policies, what it is allowed to do (a process we call authorisation).

HashiCorp Vault provides an automated workflow for both people and machines to centrally manage access to credentials and encrypt sensitive data through a single API. Companies use different identity platforms for federated systems of record, and HashiCorp Vault leverages these trusted identity providers as the foundation of this identity-based access and security.


Human-to-machine access: HashiCorp Boundary

Traditionally, solutions for safeguarding user access required distributing and managing SSH keys, VPN credentials, and bastion hosts. This created credential sprawl, and with it overly permissive access to entire networks and systems. HashiCorp Boundary, working with HashiCorp Vault, solves this by providing simple, secure remote access to dynamic sets of hosts and services without managing credentials or IP addresses, and without exposing your network.

(The final pillar, machine-to-machine access, is provided by HashiCorp Consul. See the HashiCorp whitepaper “Trust Nothing. Authenticate and Authorise Everything.” for more details on Consul’s role in this space, and the Consul docs for more on its use as a service mesh and beyond!)


Boundary 0.7

With the release of Boundary 0.7, automated discovery of targets and services, which HashiCorp calls Dynamic Host Catalogs, means access-on-demand to dynamic infrastructure: no more manually configuring targets, host sets, and so on. To see this in action, I highly recommend the Boundary team’s talk at HashiConf Global. They also demonstrate how, in their cogent scenario, sales analysts would use the tooling they are used to in order to generate reports and similar, using credentials procured through Boundary; and, similarly, how database administrators would use Boundary to procure credentials that they then use in PGAdmin (a PostgreSQL administration tool) to fix problems with a database.
