Secure remote access today is tedious. Most VPN and privileged access management (PAM) tools are a huge burden because they force users — especially engineers — to change how they work.
The remote access landscape is cluttered with proprietary clients and web-based proxies. If a developer wants to SSH into a production server or access a database, they usually have to:
- Stop their actual work
- Launch a VPN
- Log in to a web portal
- Search for a "safe"/target account (with many of the incumbent PAM players, end-users have to jump through these hoops today)
- Check out a password, copy it to their clipboard, and paste it into their client, or use credential injection where the vendor supports it
Security is maintained, but productivity is sacrificed. This friction — the context switching required to navigate security tools before doing actual work — is what we call the "portal tax". This is the hidden cost built into much of the current security tooling landscape. It’s a distraction. And frankly, it’s why users find workarounds that risk credential exposure.
At HashiCorp, we believe the best security is invisible — developers and the workforce at large shouldn’t feel it while they use it. We want to make the secure path extremely easy, automated, and in the background. This is what we deliver with HashiCorp Boundary: our modern product for secure remote access (sometimes called an “identity-aware proxy” solution).
Boundary’s distinguishing feature is transparent sessions. It removes the requirement for users to remember specific resource IDs or ephemeral ports to connect to targets, so when developers start using Boundary, they don’t have to change their workflow. When combined with passwordless credential injection for RDP and SSH, transparent sessions eliminate the portal tax entirely.
In this post, we’ll compare Boundary’s native-tool workflow to the portal-first approach most vendors still ship.
Boundary vs a typical PAM vendor: Technical differences
Most vendors in the PAM space — whether legacy incumbents or modern challengers — rely on a portal-centric workflow. You go to the tool to get access.
Boundary, by contrast, uses a native-tool workflow. Instead of forcing you to go to Boundary, Boundary transparent sessions run passively in the background.
Here is the technical difference: when a developer or admin installs the Boundary Client Agent, it acts as a local DNS resolver for specific domains. Once you have authenticated, when you type ssh production-web.corp in a terminal or open db-prod.corp in your browser, the Client Agent running silently in the background does two things:
- It intercepts the DNS request for that protected alias
- It automatically routes the traffic through Boundary proxies
The proxies provide access into the network and route traffic to the target, establishing the connection. This process happens instantly, without forcing you to pause your workflow or interact with a separate portal or tool.
No context switching. Once authenticated to Boundary, there is no repeated "logging in to a portal" or launching a proprietary tool for every new session. You use the native tools you love — VS Code, PuTTY, Windows RDP, or your terminal of choice.
True passwordless: The Vault synergy
Connectivity is only half the equation. The other half is how we manage the “keys to the kingdom” — the credentials to authenticate to the target resources. This is where the synergy between Boundary and HashiCorp Vault provides a competitive edge that standalone access tools struggle to replicate.
In traditional workflows, even if access is granted, the user often "checks out" a password. They copy it to their clipboard and paste it into their client. This poses a credential exposure risk. If a user knows a password (or has it in their clipboard history), that credential can be phished, written down, or reused.
Boundary leverages its deep integration with HashiCorp Vault to make access truly passwordless via credential injection.
Supporting both SSH and RDP credential injection, Boundary acts as a secure broker. When a user initiates a connection:
- Transparent sessions intercept the DNS request via the Boundary Client Agent.
- Boundary checks for user authentication and policy.
- Boundary requests a dynamic or static secret from Vault.
- Vault returns the secret to Boundary.
- Boundary injects the credential directly into the protocol stream.
This is fundamentally different from a "password vault" where users view secrets. In Boundary, the user does not need to see the password. You get the compliance benefits of:
- High-entropy, frequently rotated secrets
- "Single-click" login
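The brokered flow in the steps above, as a small Python model added here for illustration; it is not Boundary's or Vault's code, and every name in it (the alias table, policy set, session tokens, `SecretStore`, `connect`) is hypothetical. It shows two properties of the design: the secret is requested only after the authentication and policy checks pass, and it appears only on the broker-to-target side, never in what the client receives.

```python
# Illustrative model only: not Boundary's or Vault's implementation.
# All tables, tokens and names below are constructed for this example.
import secrets

PROTECTED_ALIASES = {"production-web.corp": "target-web", "db-prod.corp": "target-db"}
POLICY = {("jane", "target-web")}      # (user, target) pairs that are allowed
SESSIONS = {"tok-jane": "jane"}        # authenticated session tokens


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


class SecretStore:
    """Stands in for the secrets manager and counts how often it is asked."""

    def __init__(self):
        self.requests = 0

    def issue(self, target):
        self.requests += 1
        return secrets.token_urlsafe(24)   # high-entropy, per-session secret


def connect(qname, token, store):
    """Return (status, client_view, upstream_frames) for one connection attempt."""
    # Step 1: the agent only handles names that are protected aliases.
    target = PROTECTED_ALIASES.get(normalize(qname))
    if target is None:
        return "passthrough", {"resolver": "system"}, []
    # Step 2: authentication, then policy, before any secret is requested.
    user = SESSIONS.get(token)
    if user is None:
        return "denied:unauthenticated", {}, []
    if (user, target) not in POLICY:
        return "denied:policy", {}, []
    # Steps 3-4: the broker, not the user, obtains the credential.
    credential = store.issue(target)
    # Step 5: the credential is placed only in broker-to-target traffic.
    upstream = [("auth", credential), ("open-channel", target)]
    client_view = {"resolver": "agent", "target": target, "status": "connected"}
    return "connected", client_view, upstream
```

Because denied requests return before `store.issue` is called, counting secret requests against successful sessions is a simple audit check on a model like this.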
Why this beats the "portal" approach
Many tools in the secure remote access / PAM space are built around a "vault-first" mentality. You enter a web vault to "check out" access. It feels like visiting a bank teller every time you need to buy a coffee. Boundary is like tapping your credit card; the security checks happen, but in the easiest possible way.
An example scenario: The old way vs. the Boundary way
The old way:
- 09:00 a.m. Jane gets a ticket to debug a Linux server.
- 09:05 a.m. She logs into the VPN.
- 09:07 a.m. She logs into a web portal and searches or navigates to target account details.
- 09:10 a.m. She selects the target and retrieves/copies the credentials.
- 09:15 a.m. She opens her terminal/SSH client, pastes the IP, pastes the password.
- Risk: The password is now in her clipboard history and the time taken adds to productivity overhead.
The Boundary way:
- 09:00 a.m. Jane gets a ticket to debug a Linux server.
- 09:01 a.m. She types ssh alias.target in her SSH tool of choice.
- Result: She is in. Boundary authenticated her session in the background and injected the credentials. Zero friction. Zero clipboard risk. Easier zero trust workflow.
Some other PAM providers do offer credential injection, but Boundary’s transparent sessions are the key to avoiding the portal tax and allowing teams to use a native-tool workflow.
The future of access is invisible
Enterprises don’t need to choose between security and speed. With Boundary, organizations can make the secure path the fastest and easiest path available to developers, mitigating one of IT’s most common breach causes: credential theft from the endpoint. When users don't have to fight their tools to get work done, organic adoption of the secure path will become the norm, and it won’t feel imposed.
See Boundary in action
- Watch the Transparent session getting started video.
- Watch the transparent sessions demo video.
- Create a free HCP account and deploy HCP Boundary for your environment.
- View transparent sessions setup details in our documentation.
- Check out our many tutorials on Boundary.
- Download the latest version of Boundary installer to try it out yourself.









