Solution

Privileged access management

Secure access — simplified.

Your challenge

As organizations move to the cloud, traditional approaches to managing user access to applications and systems become cumbersome and can expose the private network. Access was generally determined by either client network location or usage of (often shared) administrative accounts. This creates many challenges:

  • Reduced productivity from manual workflows and multiple tools. Using separate tools for authentication and for managing credentials is cumbersome, and it makes potential network attacks harder to detect and respond to.
  • Cloud infrastructure is highly ephemeral and operates across multiple clouds, user types, networks, and systems. This makes manually configuring access policies too time-consuming and complex to be managed at scale.
  • Provisioning access based on network location or access to shared administrative accounts is a) insecure, and b) limits how precisely privileges can be defined on a per-identity basis. Stolen or exposed credentials continue to be the top way unauthorized actors access and infiltrate cloud systems.

This is where HashiCorp Boundary and HashiCorp Vault come in, enabling security administrators to define identity-based policies as code with short-lived credentials to manage access to modern, dynamic systems.

Identity-based access for zero trust security

Meeting new security requirements to support the dynamic cloud era requires a modern privileged access management (PAM) approach that is identity driven and built for the cloud. Boundary and Vault provide a secure way to access hosts and critical systems without having to manage credentials or expose your network.

HashiCorp Products used
  • Boundary
  • Vault

Outcomes

  1. On-demand, identity-based access

     Increase developer velocity and reduce time spent using manual workflows and multiple tools to manage access to systems and resources.

  2. Reduce network exposure risk

     Improve security posture using trusted identities and just-in-time credentials to control access.

  3. Access management at scale

     Scale access management across multiple clouds by defining access controls around logical services instead of IP-based access policies.

Manage secure user access across any environment

Identity-based access:

Enables privileged sessions for users and applications based on user identity and role.

  • Streamline just-in-time access to privileged sessions (e.g. TCP, SSH, RDP) for users and applications. 
  • Tightly control access permissions with extensible role-based access controls to manage access and actions performed against systems. 
  • Automated controls to facilitate onboarding of services via HashiCorp Terraform for pre-configured security policies or using dynamic host catalogs to automate the onboarding process for new or changed infrastructure resources and their connection information.

Seamless single sign-on (SSO) integration:

Use OpenID Connect (OIDC) and LDAP-trusted producers and logical identities to enable single sign-on access.

  • Integrate with the service of your choice, including Azure Active Directory, Okta, Ping, and many others that support OIDC or LDAP.
  • Platform-agnostic Boundary allows for easy integration of multiple systems and clouds.

Time-bound, least-privileged access:

Secure access to hosts and critical systems without having to manage credentials or expose your network.

  • Combine Boundary credential injection with Vault secrets engines to offer a consolidated workflow for automated credential management. User sessions are secured with single-use, just-in-time credentials that are injected into sessions, resulting in passwordless access.
  • Boundary provides time-limited network access through proxies that connect directly to private endpoints, avoiding the need to expose your network to users.
  • Use role-based permissions. Boundary-managed groups let user permission workflows be assigned dynamically for just-in-time permissions based on identity provider MFA checks, group memberships, or other IdP-level contexts.

Session recording and audit logs:

Track user and application actions when accessing critical systems. Record every session and play back detailed commands and actions executed by each user. Maintain an auditable record of all activities to enhance compliance, and log user access to infrastructure resources and Boundary components.

  • Boundary provides audit logs for its underlying controller and worker components, allowing for fine-grained visibility into user activity and audit events.
  • Use one system of record to track session usage beyond just audit logs, including granular details of actions performed and commands that were executed in each session. Access tools to meet compliance regulations and reporting requirements, and investigate and remediate potential cyberattacks.
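The three sections above (identity-based access, SSO integration, and time-bound least-privileged access) describe policy-as-code without showing any. The following Terraform configuration is an added example, not code from this page or from HashiCorp: it uses resource types from the hashicorp/boundary Terraform provider to declare an OIDC auth method, a managed group driven by an identity-provider claim, a private host, a Vault credential library, a time-bound TCP target, and a role that grants the group only the ability to find and connect to that target. Every address, name, scope, Vault path, and the `/userinfo/groups` claim path are placeholders; the `ids=` grant syntax is the one used by recent Boundary releases, and the attribute set should be checked against the provider version you deploy.

```hcl
# Added example (not from the HashiCorp page): identity-based, time-bound
# access declared as code with the hashicorp/boundary Terraform provider.
# All names, addresses, ids and the Vault path are placeholders.

terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

variable "oidc_client_secret" { sensitive = true }
variable "vault_token"        { sensitive = true }

provider "boundary" {
  addr = "https://boundary.example.internal:9200" # placeholder controller address
  # The provider's own credentials come from the environment (BOUNDARY_TOKEN),
  # so no administrator secret is written into this file.
}

# Org and project scopes: targets, hosts and credential stores live in a project.
resource "boundary_scope" "org" {
  name                     = "platform"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_scope" "project" {
  name                   = "databases"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

# SSO: users log in through the corporate OIDC identity provider (placeholder values).
resource "boundary_auth_method_oidc" "sso" {
  name                 = "corporate-sso"
  scope_id             = "global"
  issuer               = "https://idp.example.internal/"
  client_id            = "boundary"
  client_secret        = var.oidc_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.internal:9200"
  is_primary_for_scope = true
}

# Managed group: membership is evaluated from IdP claims at every login,
# so the permission follows the identity rather than a shared account.
resource "boundary_managed_group" "dba" {
  name           = "dba"
  auth_method_id = boundary_auth_method_oidc.sso.id
  filter         = "\"dba\" in \"/userinfo/groups\"" # placeholder claim path
}

# The private database host; only Boundary workers need to reach this address.
resource "boundary_host_catalog_static" "db" {
  name     = "db-hosts"
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "db" {
  name            = "db-primary"
  host_catalog_id = boundary_host_catalog_static.db.id
  address         = "10.20.0.10" # placeholder private address
}

resource "boundary_host_set_static" "db" {
  name            = "db-primary"
  host_catalog_id = boundary_host_catalog_static.db.id
  host_ids        = [boundary_host_static.db.id]
}

# Vault credential store and library: Boundary obtains a fresh, short-lived
# credential from the Vault database secrets engine for each session.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault"
  scope_id = boundary_scope.project.id
  address  = "https://vault.example.internal:8200"
  token    = var.vault_token # a Vault token whose policy covers only the path below
}

resource "boundary_credential_library_vault" "db_readonly" {
  name                = "db-readonly"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/readonly" # placeholder dynamic-secrets role
  http_method         = "GET"
}

# Target: a TCP session to the host set, limited in time and connection count,
# with the Vault credential brokered to the user for that session only.
resource "boundary_target" "db" {
  type                           = "tcp"
  name                           = "db-primary-readonly"
  scope_id                       = boundary_scope.project.id
  default_port                   = 5432
  session_max_seconds            = 3600 # torn down after one hour
  session_connection_limit       = 1    # one connection per authorized session
  host_source_ids                = [boundary_host_set_static.db.id]
  brokered_credential_source_ids = [boundary_credential_library_vault.db_readonly.id]
}

# Role: the managed group may discover and connect to targets in this project, nothing more.
resource "boundary_role" "dba_connect" {
  name          = "dba-connect"
  scope_id      = boundary_scope.project.id
  principal_ids = [boundary_managed_group.dba.id]
  grant_strings = ["ids=*;type=target;actions=list,read,authorize-session"]
}
```

The point to check after `terraform apply` is that no standing credential exists for the user: the database credential is minted by Vault when `authorize-session` runs and expires with the session, and removing the user from the IdP group removes the grant at their next login without touching any Boundary configuration.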

        Why is modern privileged access management (PAM) important?

        Take the next step

Learn how HashiCorp products can help you with all aspects of secure access across all of your cloud and network environments.