New SLM offerings for Vault, Boundary, and Consul at HashiConf 2024 make security easier
The latest Security Lifecycle Management (SLM) features from HashiCorp Vault, Boundary, and Consul help organizations offer a smoother path to better security practices for developers.
HashiCorp is focused on helping organizations integrate and automate security into developer workflows. At HashiConf, we are sharing recent and upcoming additions to our Security Lifecycle Management (SLM) products — HashiCorp Vault, Boundary, and Consul — that help make adopting a secure path fast and easy for development teams.
We are pleased to announce that HCP Vault Secrets is now ready for enterprise workflows with new capabilities for secret auto-rotation (GA), dynamic secrets (in public beta), and dynamic cloud credentials for HCP Terraform. Additionally, HCP Vault Radar is now in public beta, Boundary now offers transparent sessions (in public beta), and Consul DNS views are now available.
» HCP Vault Secrets offers enterprise workflows
HCP Vault Secrets is a centralized cloud-native secrets management solution to store, access, and synchronize secrets at scale across third-party tools and clouds. It removes the operational overhead of manually managing secrets by automatically centralizing and applying industry best-practice security workflows to secrets in minutes. Today at HashiConf, we are announcing key updates focused on making the most secure path the easiest one for developers to follow.
» Reduce risk of static secrets with auto-rotation
Auto-rotation, now generally available in HCP Vault Secrets, allows organizations to set up regular automatic credential rotation and eliminate high-effort, manual rotations of static secrets. This saves organizations significant time and resources while also improving their overall security posture and simplifying compliance.
With the GA release of auto-rotation, HCP Vault Secrets supports rotation for:
- AWS IAM user access keys
- Google Cloud service account keys
- MongoDB username and password
- Twilio API keys
See HCP Vault Secrets auto-rotation in action.
» Generate credentials on demand with dynamic secrets
Dynamic secrets support, now in public beta for HCP Vault Secrets, offers dynamic security token service (STS) credentials for AWS and Google Cloud, along with dynamic cloud credentials for HCP Terraform. Dynamic secrets are short-lived, on-demand credentials that are unique to each client. They carry significantly less risk than long-lived static credentials and have advantages over auto-rotated secrets in different contexts.
» Secure cloud provisioning with dynamic provider credentials
HCP Vault Secrets’ support for dynamic cloud credentials in HCP Terraform helps secure the infrastructure provisioning workflow. HCP Vault Secrets centrally manages secrets and retrieves them during the HCP Terraform provisioning process to authenticate with your cloud provider — eliminating the need for static or hard-coded credentials. This strengthens security by reducing the time a client has access to a cloud resource. It also enhances visibility by tracking generated secrets through the comprehensive audit logging functionalities offered by HCP.
» Manage permissions with app-level access controls
HCP Vault Secrets’ role-based access control (RBAC) feature now offers fine-grained service roles, which can be applied to projects and apps. These roles, App Manager and App Secret Reader, enable more precise access control and ensure that users only have permission to access apps they need to perform their tasks effectively. The HCP identity and access model provides roles and permissions to manage what actions clients can perform within HCP Vault Secrets. These roles and permissions can be granted broadly to access all resources within an HCP organization or project, or they can be scoped down to individual resources such as apps.
See HCP RBAC in action.
To learn more about recent HCP Vault Secrets updates, check out our recent blog covering all of our updates in one year of general availability.
» HCP central services add new access controls and observability
RBAC capabilities similar to those in HCP Vault Secrets have been added to other HCP products as part of HCP’s central services updates.
» HCP Packer bucket-level permissions
HCP Packer users can now define user access at the bucket level, enabling platform teams to grant application teams admin or contributor access to specific buckets while maintaining viewer status at the project level. The enhanced RBAC capabilities across HCP solutions help securely provide administrative boundaries for teams and apply least-privileged access principles for access to secrets.
» Stream audit logs to increase observability
HCP Vault Secrets, HCP Packer, HCP Vault Dedicated, and HCP Boundary users can now leverage audit log streaming. In HCP Vault Secrets, administrators can use audit log streaming to trace every request to view a secret stored in their applications. Audit log streaming helps users retain their historical data in case it is needed for an investigation or audit. The new feature streams audit information to observability partners including Datadog, Splunk, and Amazon CloudWatch.
See audit log streaming in action.
» HCP Vault Radar secret scanning available for free in public beta
HCP Vault Radar is HashiCorp’s secret scanning product that expands upon Vault’s secret-lifecycle management capabilities to include the discovery and prioritization of unmanaged secrets. HCP Vault Radar inspects an organization’s IT estate, looking for exposed secrets and offering tracking, labeling, and remediation for those secrets. Today, at HashiConf, we are announcing that HCP Vault Radar is entering public beta as well as new enterprise features.
» Discover unmanaged secrets with HCP Vault Radar for free
The public beta lets any organization with an existing HCP organization try HCP Vault Radar’s functionality for free and understand the current state of secret sprawl in their environment. With generous resource limits, the public beta program allows organizations to test all critical functionality within the product, including scanning, contextual analysis, prioritization, auditing, false-positive reduction, and remediation guidance.
» Implement HCP Vault Radar agent for self-managed and regulated environments
Because of regulatory compliance or internal policy, some organizations choose to run code repositories, collaboration tools, or data storage in private environments. The HCP Vault Radar agent gives customers a way to scan for secrets in their data sources (e.g. GitHub, Bitbucket, etc.) on self-managed, private infrastructure. The agent lets organizations operate HCP Vault Radar from within their trusted, self-managed perimeter. The results are then shared with HCP Vault Radar’s cloud portal without exchanging sensitive credentials. This process allows organizations to use HCP Vault Radar’s scheduling, contextual analysis, prioritization, auditing, and remediation while remaining compliant with internal policy.
See HCP Vault Radar agent in action.
» Prevent leaks by integrating pre-receive scanning into existing developer workflows
One of the most significant challenges organizations face is preventing secrets from being exposed in the first place. Avoiding exposure also avoids the operational cost and downtime risk of rotating a leaked secret. HCP Vault Radar works with multiple developer Git workflows to monitor and alert on sensitive information. However, some Git workflows accept a developer’s submission before any policy or code checks run. Once the Git server accepts the submission, it logs the code, along with any exposed secrets that may be in the pull request. To avoid this situation, we’ve added Git pre-receive hook scanning to HCP Vault Radar. Pre-receive hook scripts run on the Git server before a pull request or commit is accepted, so policy violations, including potentially exposed secrets, can be discovered and resolved before the code is committed to the repository or logged.
See pre-receive scanning in action.
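The pre-receive mechanism described above, as an added example that is not HCP Vault Radar’s code: a hypothetical hook installed as `hooks/pre-receive` on the Git server, which scans only the lines each pushed commit adds and exits non-zero to refuse the push on a match. The three regex rules and the diff handling are constructed for illustration and are far narrower than a real scanner’s rule set.

```python
"""Minimal Git pre-receive hook: reject a push whose added lines look like secrets."""
import re
import subprocess
import sys

ZERO_SHA = "0" * 40  # Git passes this as the old/new SHA for ref creation/deletion

# Constructed example rules (hypothetical; not HCP Vault Radar's rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "quoted_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

def matching_rules(text):
    """Names of the rules that match anywhere in a single line of text."""
    return [rule for rule, pattern in PATTERNS.items() if pattern.search(text)]

def findings_in_diff(diff_text):
    """Scan only the lines a unified diff adds ('+' side); return (path, rule) pairs."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]  # file the following '+' lines land in
        elif line.startswith("+") and not line.startswith("+++"):  # removed lines are ignored
            findings += [(path, rule) for rule in matching_rules(line[1:])]
    return findings

def git(*args):  # run a git command in the server-side repository and return its stdout
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout

def pushed_commits(new_sha):
    """Commits reachable from the pushed tip that no existing ref already contains."""
    if new_sha == ZERO_SHA:  # ref deletion: nothing new to scan
        return []
    return git("rev-list", new_sha, "--not", "--all").split()

def main():
    findings = []
    for update in sys.stdin:  # one "old new refname" line per updated ref
        _old, new, _ref = update.split()
        for sha in pushed_commits(new):
            diff = git("show", "--format=", "--unified=0", "--no-color", sha)
            findings += [(sha[:10], path, rule) for path, rule in findings_in_diff(diff)]
    for sha, path, rule in findings:
        print(f"rejected: {rule} in {path} (commit {sha})", file=sys.stderr)
    sys.exit(1 if findings else 0)  # a non-zero exit makes the server refuse the push

if __name__ == "__main__":
    main()
```

Because the hook runs before any ref is updated, a rejected push leaves nothing in the repository history or server logs, which is the property the paragraph describes.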
» Kickstart your remediation process with custom guidance
When an exposed secret is discovered, it needs to be rotated to eliminate opportunities for unauthorized access, breach of sensitive information, or lateral application-to-application movement by threat actors. However, remediation can be complex.
For instance, was the secret found in multiple locations and applications? If so, the remediation must be carefully controlled to ensure there will be no downtime. However, if a secret has been found in an unsecured location and it is actively being used, the situation is critical and the secret must be rotated immediately. In these potentially serious cases, engineering teams would benefit from guidance.
HCP Vault Radar provides remediation best practices and contextual guidance based on the type of secret that was discovered. Contextual guidance is provided for:
- Active secrets
- Inactive secrets
- Secrets leaked from Google Cloud or AWS
Additionally, SecOps teams can customize HCP Vault Radar remediation configurations to direct engineering teams to internal or proprietary documentation that takes into account internal processes and relevant best practices.
If you already have an HCP account, you can sign in and try HCP Vault Radar for free. Otherwise, you can sign up for HCP for free.
» Vault Enterprise increases reliability, scalability, and industry support
Vault 1.18 improves reliability and adds protocol support for telecom and federal agencies.
» Improve high availability with adaptive overload protection
Requests to the Vault API frequently result in the need to perform storage updates. These updates must be processed sequentially, causing high latency that could result in an outage during periods of high traffic. Adaptive overload protection allows Vault to gracefully manage requests by maintaining write replicas, which mitigate the risk of downtime. Adaptive overload protection will be enabled by default for Vault’s integrated storage backend.
» Achieve 3GPP compliance with certificate management protocol (CMPv2)
Vault Enterprise 1.18 further advances its certificate lifecycle management capabilities by extending PKI with the CMPv2 protocol. CMPv2 supports a variety of certificate formats including RSA, DSA, and ECDSA, as well as X.509 templates. The protocol is widely used by the mobile telecommunications and networking industries to support 5G and achieve third-generation partnership project (3GPP) compliance. CMPv2 includes:
- Initialization registration
- Certificate update
- Key-pair update
In order to provide 5G services, mobile telecommunication providers are required to adhere to 3GPP standards. 3GPP requires that network devices be authenticated using X.509 certificates and that the enrollment process use the CMPv2 protocol. With CMPv2 support in PKI, Vault Enterprise helps automate network device certificate enrollment, helping organizations become 3GPP compliant for 5G services.
Additional important updates in Vault 1.18 include auto-rotation for static database credentials and IPv6 accreditation. For more information, please review our release blog and notes.
» Boundary transparent sessions provide enhanced workflows for intuitive access
HashiCorp Boundary provides secure human-to-machine access for sensitive applications. This includes:
- Identity-based authorization to ensure only the right roles gain access to the right services
- Automated workflows for both end users and administrators with passwordless access
- Reduced risk exposure with dynamic secrets using Vault
To further deliver on that promise we’re pleased to introduce Boundary transparent sessions in public beta — a core improvement to Boundary workflows that lets authorized remote users securely and transparently connect to privileged resources. With transparent sessions, end users can connect to privileged or highly sensitive systems passively, without any direct user interaction with Boundary’s CLI or Desktop clients. Boundary transparent sessions run in the background and intercept DNS calls to route traffic through Boundary to the intended systems when a user is authorized.
Prior to Boundary 0.16, establishing a new connection in the Boundary CLI involved copying and pasting a scope-id or target-id. After the addition of aliases in Boundary 0.16, users could use a more human-readable custom resource alias to connect to a target instead of IDs that were hard to memorize. Transparent sessions eliminate the copy and paste workflow entirely by automatically populating the necessary IDs to establish a session.
Transparent sessions are available today for users on HCP Boundary Standard, HCP Boundary Plus, and Boundary Enterprise. Visit our transparent sessions documentation to learn more. New Boundary users can sign up for a free HCP Boundary account or request a Boundary Enterprise trial through HashiCorp sales.
See transparent sessions in action.
» Simplify and secure multi-tenant service discovery with Consul DNS views
HashiCorp Consul on Kubernetes v1.20 introduces Consul DNS views, which improve the usability of service discovery in multi-tenant environments and also tighten security by letting organizations limit discovery between tenants. Before Consul DNS views, Kubernetes application services deployed in multi-tenant configurations with Consul admin partitions had to be updated to reference partition information if they used Consul DNS. Requiring developers to update their Kubernetes application services added new burdens and hindered the adoption of admin partitions.
Consul DNS views, now available in version 1.20, remove this friction: developers no longer need to update Kubernetes applications for DNS queries made between services that reside in the same partition. In addition, Consul DNS views can prevent services from discovering services in other partitions, tightening security between tenants. With Consul DNS views, organizations can more easily adopt service discovery across different teams throughout the organization while ensuring clear security separation between tenants.
» Get started with Security Lifecycle Management
As organizations move from static to dynamic cloud environments, they need to transition from network-based to identity-based security. With more focus and scrutiny on the materiality of cybersecurity risk, organizations are also forced to enhance security efforts without sacrificing developer productivity. With these new announcements, HashiCorp continues to strengthen its Security Lifecycle Management offerings. Together, HashiCorp Vault, Boundary, and Consul prioritize making it easy for developers to adopt more secure workflows.
To see these products in action or to learn more, sign up for a free trial of the HashiCorp Cloud Platform. If you'd like to see a deep-dive webinar recap of these announcements, sign up for our SLM HashiConf recap.