HashiCorp Cloud Can Now Spin up a Single Sign-on Zero Trust Network

By adding Boundary to its cloud platform, HashiCorp prepares enterprises for the standardization that will be required for multicloud use.
Oct 5th, 2022 9:00am by
Feature Image: HashiCorp CEO Dave Mcjannet kicking off HashiConf 2022.

The HashiCorp Cloud Platform now offers the ability to do single sign-on, reducing a lot of the headache of signing into multiple applications and services. Safer too, arguably.

This approach can “really standardize developer access for multicloud environments, and automates workflows for easier onboarding of users and target resources that better aligns to the cloud operating model,” explained Megan Laflamme, HashiCorp director of product marketing, in an interview with The New Stack.

With this release, HashiCorp is preparing for a wave of enterprises who will be using multiple clouds and must start thinking about how to organize and standardize across the clouds.

The HashiCorp Cloud Platform (HCP) is a fully managed platform offering HashiCorp software including Consul, Vault, and other services, all connected through HashiCorp Virtual Networks (HVN). Through a web portal or via Terraform, HCP can manage log-ins, access control, and billing across multiple cloud assets.

Boundary is the client that enables this “secure remote access” and is now generally available to users of the platform. It is a remote access client that manages fine-grained authorizations through trusted identities, first released as open source in 2020. It provides the session connection, establishment, and credential issuance and revocation.

HCP Boundary is a fully managed version of HashiCorp Boundary that runs on the HashiCorp Cloud.

HashiCorp unveiled this offering at its annual HashiConf Global, being held this week in Los Angeles.

Zero Trust Security

With zero trust security, users are authenticated at the service level, rather than through a centralized firewall, which becomes increasingly infeasible in multicloud designs.

In the industry, there is a shift “from high trust IP based authorization in the more static data centers and infrastructure, to the cloud, to a low trust model where everything is predicated on identity,” Laflamme explained.

This approach does require users to sign on to each individual service, in some form, which can be a headache for those (such as developers and system engineers) who sign on to many apps in their daily routine.

With Boundary, the user signs on once, and everything else is handled beneath the floorboards, so to speak. Identities for applications, networks, and people are handled through HashiCorp Vault and HashiCorp Consul. Every action is authorized and documented.


Boundary authenticates and authorizes users, by drawing on existing identity providers (IDPs) such as Okta, Azure Active Directory, and GitHub. Consul authenticates and authorizes access between applications and services. This way, networks aren’t exposed, and there is no need to issue and distribute credentials. Dynamic credential injection for user sessions is done with HashiCorp Vault, which injects single-use credentials for passwordless authentication to the remote host.

During Wednesday’s HashiConf keynote, HashiCorp Chief Technology Officer Armon Dadgar explained how all the elements fit together for zero trust security.

In a zero trust network, a user being on the network does not, by itself, indicate they should have any privileges for any application on that network (which can be the assumption on legacy networks today). Instead, every user, application and device must be authorized. “The basis of that authentication and authorization for us is identity,” he explained.

HashiCorp CTO Armon Dadgar.

Instead of adding firewall rules, the organization should create a rule based on logical user identity, one that identifies what resources a user can access. “You have to shift the controls fundamentally, to think about managed identity,” Dadgar said.

What does this mean in practice? First, there is the single sign-on that establishes the identity of the user, either through classic authentication tools like Active Directory or LDAP, or through cloud identity providers such as Azure AD or Okta. Boundary is useful here because it unifies the many disparate sources of identity.

Applications and services must also be identified, which then allows policies to be built around them, such as a rule that allows a database to talk with Web servers. Vault manages the certificates that authenticate the apps and Consul can set the paths across these different applications, by using these policies.

Say a web developer needs SSH access to the production environment, or a database admin needs to get to the database. In this case, Consul knows the location and identity of the database, and Boundary can provide the credentials for the database administrator. In this way, HashiCorp’s combined portfolio of tools can be used to establish a unified zero trust system, one that can even span multiple cloud providers.
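As an added illustration (not HashiCorp’s own code, and not from the article), this is how the steps above look when wired together with Boundary’s Terraform provider: IdP-backed sign-on, a managed group keyed on an IdP claim, the database as a named target, Vault-brokered credentials, and a role that grants session authorization to that identity rather than to a network range. The scope IDs, host set, Okta values and Vault token are assumed inputs.

```hcl
# Constructed example; assumed inputs not from the article: var.org_scope_id,
# var.project_scope_id, var.host_set_id, var.okta_client_id/secret, var.vault_token.

# 1. Single sign-on: users authenticate to Boundary through the corporate IdP.
resource "boundary_auth_method_oidc" "okta" {
  scope_id             = var.org_scope_id
  name                 = "okta"
  issuer               = "https://example.okta.com"
  client_id            = var.okta_client_id
  client_secret        = var.okta_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.com"
  is_primary_for_scope = true
  state                = "active-public"
}

# Group membership comes from IdP token claims, not from network location.
resource "boundary_managed_group" "dba" {
  auth_method_id = boundary_auth_method_oidc.okta.id
  name           = "dba"
  filter         = "\"dba\" in \"/token/groups\""
}

# 2. Vault issues short-lived database credentials for each session.
resource "boundary_credential_store_vault" "prod" {
  scope_id = var.project_scope_id
  address  = "https://vault.example.com:8200"
  token    = var.vault_token
}

resource "boundary_credential_library_vault" "pg_dba" {
  credential_store_id = boundary_credential_store_vault.prod.id
  path                = "database/creds/dba"   # Vault database secrets engine role
}

# 3. The database is a named target; the user never learns a fixed password.
resource "boundary_target" "pg" {
  scope_id                       = var.project_scope_id
  type                           = "tcp"
  name                           = "postgres-primary"
  default_port                   = 5432
  host_source_ids                = [var.host_set_id]
  brokered_credential_source_ids = [boundary_credential_library_vault.pg_dba.id]
}

# 4. The access rule is a grant on a logical identity, not a firewall line.
resource "boundary_role" "dba_session" {
  scope_id      = var.project_scope_id
  name          = "dba-session"
  principal_ids = [boundary_managed_group.dba.id]
  grant_strings = ["id=${boundary_target.pg.id};actions=authorize-session"]
}
```

Every session authorized through this role is recorded by Boundary, which is what gives the “every action is authorized and documented” property described above.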

HashiCorp has provided a guide to getting started on HCP Boundary.
