The New Stack Podcast

Zero Trust Security and the HashiCorp Cloud Platform

Episode Summary

Organizations are now, almost by default, becoming multi-cloud operations. No cloud service offers the full breadth of what an enterprise may need, and enterprises find themselves using more than one service, often inadvertently. HashiCorp is one company preparing enterprises for the challenges of managing more than a single cloud, through a coherent set of software tools. To learn more, we spoke with Megan Laflamme, HashiCorp director of product marketing, at the HashiConf user conference, for this latest episode of The New Stack Makers podcast. We talked about zero trust computing, the importance of identity, and the general availability of the HashiCorp Boundary single sign-on tool.

Episode Notes


 

"In the cloud operating model, the [security] perimeter is no longer static, and you move to a much more dynamic infrastructure environment," she explained.

What is the HashiCorp Cloud Platform?

The HashiCorp Cloud Platform (HCP) is a fully managed platform offering HashiCorp software, including Consul, Vault, and other services, all connected through HashiCorp Virtual Networks (HVN). Through a web portal or via Terraform, HCP can manage log-ins, access control, and billing across multiple cloud assets.

 

The HashiCorp Cloud Platform now offers the ability to do single sign-on, reducing a lot of the headache of signing into multiple applications and services.

What is HashiCorp Boundary?

Boundary is the client that enables this "secure remote access" and is now generally available to users of the platform. It is a remote access client that manages fine-grained authorizations through trusted identities. It handles session establishment and connection, as well as credential issuance and revocation.

 

"With Boundary, we enable a much more streamlined workflow for permitting access to critical infrastructure where we have integrations with cloud providers or service registries," Laflamme said.

 

HCP Boundary is a fully managed version of HashiCorp Boundary that runs on the HashiCorp Cloud Platform. With Boundary, the user signs on once, and everything else is handled beneath the floorboards, so to speak. Identities for applications, networks, and people are handled through HashiCorp Vault and HashiCorp Consul. Every action is authorized and documented.

 

Boundary authenticates and authorizes users by drawing on existing identity providers (IdPs) such as Okta, Azure Active Directory, and GitHub. Consul authenticates and authorizes access between applications and services. This way, networks aren't exposed to the end user, and there is no need to issue and distribute credentials to people. Dynamic credential injection for user sessions is done with HashiCorp Vault, which injects single-use credentials for passwordless authentication to the remote host.

What is Zero Trust Security?

With zero trust security, users are authenticated at the service level, rather than through a centralized firewall, which becomes increasingly infeasible in multi-cloud designs.

 

In the industry, there is a shift “from high trust IP based authorization in the more static data centers and infrastructure, to the cloud, to a low trust model where everything is predicated on identity,” Laflamme explained.

 

This approach does require users to sign on to each individual service, in some form, which can be a headache for those (i.e., developers and system engineers) who sign on to a lot of apps in their daily routine.

Episode Transcription

Colleen Coll  0:10  

Welcome to this special edition of The New Stack Makers On the Road. We're here in beautiful Los Angeles at HashiConf, with discussions with technologists giving you their expertise and insights to help you with your everyday work. Infrastructure enables innovation. HashiCorp provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.

 

Joab Jackson  0:40  

Hello, and welcome to the latest edition of The New Stack Makers podcast and videocast. This week we're back on the road. This is part of our On the Road series, and we're at HashiConf. This is the annual user conference for infrastructure software management provider HashiCorp. And we're here to learn about the latest products and services that they're offering. And they have a compelling story around single sign-on, zero trust networks, and how to put that into motion. Our guest today is Megan Laflamme. And she is a HashiCorp director of product marketing. Thank you for taking time to talk with us.

 

Megan Laflamme  1:24  

Thank you for having me.

 

Joab Jackson  1:25  

Our readers have probably heard about zero trust. You know, we've certainly run enough stories on it this year. But they might be wondering, well, how do I, with my existing resources, how do I implement zero trust? And HashiCorp has a whole stack of software, but also managed offerings that will help do this. And that's what we want to do: we want to delve into how this can be done with some of the new products that were introduced this week. First of all, what is HashiCorp's definition of zero trust?

 

Megan Laflamme  1:56  

Yes. So at HashiCorp, we believe that zero trust security is predicated on identity. This is the idea that you trust nothing, and you authenticate and authorize everything, from applications, network services, and people. Everything must be authenticated and authorized by identity.

 

Joab Jackson  2:19  

Actually, current networks do that, no? I know I sign on, and you don't, like, go to a database without signing on to the database. How is this different?

 

Megan Laflamme  2:27  

Yeah. So I think it's helpful to think about the traditional approaches to access. So historically, where there were traditionally the four walls of a data center, we call this a castle-and-moat approach, where, you know, everything outside is bad, and everything inside is good. And there's typically, you know, one point of entrance and exit into that data center, whether it's, you know, through a VPN or firewall. And now, in the cloud operating model, that perimeter is no longer static, and you move to a much more dynamic infrastructure environment. And so now it's critical to identify, whether databases, applications, or machines, based on their logical identity, to apply the same concept of identity to people based on their role and what they can access within that network, and lock down services that they cannot access. And the same thing with network services, like load balancers and such, so that you can ensure this web server can talk to this API.

 

Joab Jackson  3:39  

Excellent, excellent. From what I understand, this will become a lot harder as organizations inevitably start to use multiple clouds.

 

Megan Laflamme  3:48  

Exactly. So we just announced HashiCorp's new solution for secure remote access, that rounds out our zero trust security solutions. So, as I mentioned, at the foundation of all of this is identity. Yeah, so Vault has traditionally been a machine-to-machine authentication and authorization solution. As you expand into multiple data centers and multiple clouds, Vault becomes that global identity broker across all of your environments. And then, sitting on top of that platform, you can use Vault to identify your machines for M2M authentication and authorization across them. And then we also have Consul on the HashiCorp Cloud Platform as well. That solution focuses on that network challenge of which database can talk to which web server, for example. Oh, so it focuses on that network solution. And then, as of this week, we have just launched Boundary on the HashiCorp Cloud Platform, which addresses secure remote access for users. And our focus here is really on streamlining the developer workflow for access to critical infrastructure.

 

Joab Jackson  5:03  

I was about to say, if I had to log into every one of the applications I use on a daily basis, that would be a giant headache. But I guess I don't do this with... now, how is Boundary different from just opening up a secure connection through OpenSSH?

 

Megan Laflamme  5:19  

Yeah. So I think it's helpful to think about some of the traditional challenges in access workflows today. So if I'm thinking about a technical persona, like a developer or a production support analyst, typically there are multiple systems of controls for access in the organization today. That could be an SSH bastion host or jump host, firewall controls, and privileged access management solutions. And the challenge with those traditional access solutions today is, if you take a VPN, for example, when somebody logs into the network, they typically have access to everything through that VPN. Firewalls, for example, typically use IP network location or address, which really falls apart in the cloud operating model, where you have dynamic, ephemeral resources. And then privileged access management solutions today are typically very UI-driven and manual. And all these things slow developer productivity. You've got ticketing systems in place; sometimes it takes days to weeks to get access to that critical infrastructure. So with Boundary on the HashiCorp Cloud Platform, what we've done is really streamlined that access workflow and enabled a much more improved security posture. And there are a few ways that we do that. So focusing on that developer workflow, that starts with authentication and authorization. So we integrate with leading identity providers via OIDC, such as Azure AD, Okta, Ping, for example. And that is the foundation of that human identity. So you're leveraging your trusted identities within the organization. So a developer can just SSO into Boundary. And then Boundary becomes that very smart identity-aware proxy that becomes a proxy for access to that back-end infrastructure.

 

Joab Jackson  7:19  

If I go to a database, I don't have to type in my credentials.

 

Megan Laflamme  7:24  

Exactly. And so with Boundary, we enable a much more streamlined workflow for permitting access to critical infrastructure, where we have integrations with cloud providers or service registries. And that automates, ultimately, the targets under management, so that when somebody logs into Boundary at runtime, they have availability to the targets that they're authorized to have access to. And that is updated automatically within Boundary. So they just log in, and they ultimately see this database that they can connect to, or this web server that they're authorized to connect to.

 

Joab Jackson  8:06  

And you can do that through the command line, or...

 

Megan Laflamme  8:09  

Yeah, Boundary is available, we have a desktop client for Windows, as well as Mac support, and command line as well. And behind the scenes,

 

Joab Jackson  8:19  

it's Consul feeding the authentication information.

 

Megan Laflamme  8:25  

So on the back end, that's actually a great question. One of the value propositions of Boundary is that now you're not only not exposing the network any longer to that end user, you're also not exposing credentials. And we do that through an integration with Vault. So when somebody goes to connect to that target, let's say it's a database, Boundary will talk to Vault, and Vault will mint a one-time credential and inject that into the session. And so the user is never exposed to those database credentials.

 

Joab Jackson  8:58  

Nice. Nice. So they're not floating out there on the network. Exactly. Let's make sure I get this correct. As a developer, I sign on once, and all the normal apps I go through, I don't have to sign on to any longer. It's single sign-on.

 

Megan Laflamme  9:14  

Yes. Through Boundary as that proxy. Wow, that'd be nice. Yes.

 

Joab Jackson  9:18  

Well, let's talk about, so you could cobble all this together internally for your own organization. Or I guess you could use the HashiCorp Cloud Platform. Exactly. How do I do that? I've got a bunch of resources. I've got this, which is a managed service. How does that work? How do I put that together?

 

Megan Laflamme  9:38  

Yeah, so I think HashiCorp has really pioneered zero trust security in the cloud. So now, with the HashiCorp Cloud Platform, we have managed offerings of Vault, Consul, and Boundary. So it's much easier to get up and running on these zero trust security solutions. And a developer, for example, could just go to the HashiCorp portal, try Boundary for free, and could ultimately set up access for themselves to their critical resources in under 15 minutes.

 

Joab Jackson  10:11  

Wait. So before I get to the organizational level, as a developer, I could try it just for my own.

 

Megan Laflamme  10:17  

Exactly, exactly. So that could prevent somebody who's VPNing into, you know, five VMs a day; they can set up their own targets within Boundary to streamline access for themselves. HCP Boundary also has several capabilities that address some of the more sophisticated access needs for an organization. As I mentioned, being able to connect to cloud providers such as AWS and Azure ensures that, regardless of where infrastructure resides, your development workforce, or anyone who needs back-end infrastructure access, has that access to resources, regardless of where it lives. And as I mentioned, with that integration with Vault, the ability to leverage dynamic secrets, so you have just-in-time credentials, ensures that no one has access to credentials, which are often today stored in static locations. Maybe in GitHub, you might see it in Confluence, or shared across Slack. So that really improves security posture while improving developer productivity.

 

Joab Jackson  11:30  

Very nice. Very nice. Terrific, and well, that also, I guess, would work for the CI/CD process as well. Yes, in addition to working for any sort of app,

 

Megan Laflamme  11:42  

exactly. Yeah. So today, Boundary supports TCP protocols, as well as SSH, and then anything running over TCP, such as RDP, SSH, databases, and the like as well.

 

Joab Jackson  11:55  

Terrific. Is this also a good approach for, I guess, standardizing across different clouds? This is just a way to abstract clouds.

 

Megan Laflamme  12:05  

Exactly. So this is one single workflow, regardless of where that infrastructure resides. So you're really abstracting away a lot of the different workflows to get into infrastructure, whether it's on-prem, or on AWS, or on Azure. This is one workflow that is consistent and standardized for people who need access to that back-end infrastructure.

 

Joab Jackson  12:31  

All right, fantastic. Is there anything else about Boundary, or about the whole zero trust approach, that you think our listeners and viewers might be interested in?

 

Megan Laflamme  12:38  

Absolutely. So if they try HashiCorp Boundary today, you can access that for free, as well as HCP Vault and HCP Consul. So I encourage anyone to just try it out. And we look forward to hearing from them.

 

Joab Jackson  12:54  

All right. All right. Well, Megan, thank you so much for taking time to talk with us and get us up to speed on zero trust, and thank you, listeners and viewers, for tuning in. And we'll see you at the next episode of The New Stack Makers On the Road series.

 

Megan Laflamme  13:10  

Thanks for having me.

 

Colleen Coll  13:12  

Infrastructure enables innovation. HashiCorp provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.

 

Alex Williams  13:25  

Thanks for listening. If you like the show, please rate and review us on Apple Podcasts, Spotify, or wherever you get your podcasts. That's one of the best ways you can help us grow this community, and we really appreciate your feedback. You can find the full video version of this episode on YouTube. Search for The New Stack, and don't forget to subscribe so you never miss any new videos. Thanks for joining us, and see you soon.

 

Transcribed by https://otter.ai