HashiCorp launched a new open source project this week that aims to help IT pros manage cloud security at a logical service-oriented level, rather than relying on static infrastructure concepts that are becoming outmoded in the cloud-native world, such as IP addresses.
HashiCorp Boundary, available in version 0.1 on GitHub as of this week, provides a centralized interface and set of standardized workflow tools for cloud access control, alongside integrations with third-party identity management providers such as Okta, open source LDAP, and Microsoft Active Directory.
Boundary, the first new project launched by HashiCorp since Nomad in 2015, fills an emerging cloud security need within the HashiCorp portfolio, as well as cloud-native environments in general. It allows users to manage human access to back-end services based on user identity, rather than IP addresses, firewall rules, VPN and SSH servers, and private network boundaries.
“The challenge with the IP-based approach is that it’s very brittle,” said Armon Dadgar, CTO at HashiCorp, in a keynote at the HashiConf Digital virtual event this week. “It works great in a very static environment, but the moment we have endpoints that are auto-scaling up and down, we’re deploying new services, maybe we’re running on Kubernetes … we have a challenge to keep these IP rules up to date.”
Users can cobble together similar self-service access portals using homegrown integrations with APIs for single sign-on tools, said EMA analyst Steve Brasen, but Boundary offers a cleaner approach that’s easier to customize.
“You can do this on your own, but you have to build through an existing API or kludge something together without access to the source code,” Brasen said. “It’s easier and cleaner to be able to go into the source code with something like Boundary.”
Boundary centers user identity for cloud security
Traditional access control workflows disclose credentials to users, first to access a private network where applications are located, and then to log in to the application resources themselves, such as a database server. Users can at least potentially access other resources on the private network or leak application credentials, which introduces security risk, according to Dadgar.
Boundary, by contrast, introduces a new workflow in which users authenticate with an identity provider and access applications through a catalog, without needing to access the overall network. Once the user selects an application or service to access, Boundary can issue a “just in time” time-limited credential for that specific session through integration with HashiCorp’s Vault, which doesn’t disclose the credential information to the user.
John MitchellIndependent digital transformation consultant
It’s still early for Boundary — a commercially supported version for enterprises won’t be out from HashiCorp until next year — but the overall shift toward identity-based cloud security has been long-awaited by some IT pros.
“I remember talking with [Dadgar] about the central role of identity — because getting identity right is the only way to get [security] policy right — in our very first conversation more than five years ago,” said John Mitchell, an independent digital transformation consultant in San Francisco, who also used HashiCorp products in his previous role as chief platform architect at SAP Ariba. “If you don’t have a grip on identity, you don’t have the ability to actually know what’s going on.”
Typically, lower-level cloud security approaches allow IT pros to only approximate and make assumptions, Mitchell said, based on which IP addresses accessed which back-end systems, from what geographic location and at what time of day.
To Mitchell, tracking and controlling access based on a verified user identity makes that information more trustworthy.
“We’re coming back to this concept of actual identity and how you control the actual chain of things,” Mitchell said. “That means auditability — you can verify and get longitudinal information about security tooling and how it’s tied together in a chain, and that’s way more valuable than this aggregate ‘I had 12 logins from this IP address.'”
The identity-based approach also allows for more flexible policies that can follow users as they travel, rather than disallowing all logins to systems from a certain geographic region, then having to scramble to “punch holes” in those policies if, for example, a company’s CEO travels with the sales team to China, Mitchell said.
Elsewhere, Boundary may be useful to enforce best practices for cloud security that small and midsize organizations may skip because they are too labor-intensive, said Phil Fenstermacher, a systems engineer at William & Mary, a university in Williamsburg, Va. Fenstermacher downloaded version 0.1 of Boundary to start assessing the tool as soon as it became available this week.
“A lot of places probably end up cutting some security corners, in the sense that, ‘Our DBAs already have access to all of the data, so what’s the harm in them being able to ping or connect to the SSH port on the application server — we might as well just expose it because it’s easier,'” he said. “The idea of an ephemeral credential that can tie into services that aren’t easy to integrate with single sign-on … could eliminate a lot of overhead.”
Cloud security tools evolve, but face ‘the human problem’
More sophisticated cloud access control tools are a big step toward solving traditional security blind spots, but Mitchell warned that large enterprise organizations will still be challenged by cultural inertia as they try to assimilate them.
The benefit of the auditability and observability made possible by a tool such as Boundary is that it can quickly pinpoint the source of problems — but that can sometimes be a source of embarrassment that users would rather avoid, Mitchell said.
Users must also factor the learning curve into the cost of adopting new cloud security tools. However, the upside of this with Boundary is that it doesn’t replace traditional low-level security tools, instead creating a workflow above them, Fenstermacher said.
“It’s loosely coupled, which is also why things like Vault are so popular,” he said. “If Boundary goes away, the static credentials will still work — it doesn’t require us to turn off what’s working today to use it.”
Organizations also have powerful incentives to take new approaches to cloud security now that COVID-19 has forced a large-scale shift to remote work that requires users to access company assets from a variety of locations, said EMA’s Brasen.
“There are challenges with VPN, which can introduce more access friction to end users, who have to install and access a VPN client before accessing network services,” he said. “That kind of friction is definitely something users want to reduce amid remote work.”