Exposing databases, Kubernetes clusters, or storage to the public internet can pose significant risks. One way to reduce that exposure is HashiCorp’s Boundary, a secure virtual gateway that connects developers and cloud resources, ensuring access to sensitive assets remains private.
Boundary vs VPNs
Traditionally, VPNs – which cloak online data traffic, shielding it from external interception – have been the go-to solution for secure access. But they often come with a hefty price tag. This is why companies have been turning towards Boundary, an open-source tool by HashiCorp, designed to provide secure access to cloud resources at a lower cost.
Boundary from HashiCorp offers a cloud-centric approach to user access management, ensuring scalability. It simplifies access workflows, employs trusted identity providers, secures end-user access, and manages credentials centrally. It provides session visibility, reduces attack surfaces, and supports automation, advanced credential management, audit logs, and hybrid cloud connectivity for enhanced security.
Akin to a VPN, Boundary safeguards resources spread across AWS, Azure, and GCP. Given the need to maintain the security of these resources, it becomes essential to confine them within a private network.
But there are some differences in how they work. For example, while VPNs authenticate users and establish secure tunnels to private networks, enabling remote access to organizational services, Boundary proposes a refined remote access model, granting granular access to specific services rather than the entire network. For many organizations, Boundary represents a security enhancement over traditional VPN solutions, offering more granular controls. But in some cases, the two are integrated. Boundary can complement existing corporate VPNs, providing additional security layers for accessing privileged networks such as data centers and cloud VPCs.
Boundary vs Bastion Host
Setting up a Bastion Host (or a jump server) is one way to ensure secure access to your cloud resources, but this approach also has a few shortcomings. First, with a Bastion Host security is implemented based on network location, while Boundary enables a true zero-trust approach to security. A Bastion Host also requires cumbersome manual configuration of access rules, whereas in Boundary access control is automated based on user identity and policies.
Here’s how you can deploy Boundary to safeguard your cloud infrastructure while granting developers secure access to the resources they need.
1. Set up Boundary on your Server
Begin by downloading and installing Boundary onto your designated server. You can find detailed installation instructions on the HashiCorp website. Once installed, Boundary can be configured to integrate with cloud providers such as AWS, Azure, and GCP by providing the necessary credentials and permissions. This step ensures that Boundary can authenticate and authorize access to cloud resources.
Users typically require credentials for authentication when connecting to remote machines and may need additional credentials to access services or other machines within the network.
Boundary supports various credential types such as username/password, SSH private key, SSH certificate, JSON, token, certificate, JSON blob, and unstructured secrets stored in Vault.
Credential management in Boundary involves two paradigms: credential brokering and credential injection. Credential brokering fetches credentials from a store and returns them to the user during session establishment, while credential injection fetches credentials from a store and authenticates the user to the target without exposing the credentials to the user (this is a passwordless experience). Both processes ensure secure access to targets while abstracting the authentication process, enhancing security and usability in Boundary environments.
2. Deploy Boundary Client on User Devices
Once the Boundary Server is running, equip developers with the Boundary Client on their computers or other devices so that they can connect to the Boundary Server with the required permissions.
Boundary operates primarily through its API, with HashiCorp providing various clients including a Go SDK and a Desktop client, aside from the web user interface. The Boundary client daemon locally caches session and target information to expedite searches, helping to manage large lists of resources. Users can manually start the daemon and customize its behavior according to their preferences, including setting refresh intervals and managing authentication tokens. The client cache ensures efficient interaction with Boundary instances while providing flexibility and control over caching and authentication mechanisms.
3. Define Access Policies
Defining access policies that govern who can access which resources, and under what conditions, is an important part of the installation process.
Boundary’s Identity and Access Management (IAM) system comprises six main components:
- Scopes: act as containers for resources and permissions
- Auth methods: authenticate users and are contained by global or org scopes, supporting options like username/password
- Accounts: represent authenticated users from identity providers
- Users: individual entities for access control, which can have multiple accounts from various auth methods
- Groups: collect users and can be managed or synced with identity providers
- Roles: contain permissions granted to users or groups and can be applied at any scope level
To configure users with password auth, select the scope and auth method, create an account, and attach it to the user. It is recommended to manage permissions via groups for easier management and scalability.
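The six IAM components and the password-auth steps above can be written down as Terraform configuration for HashiCorp's Boundary provider. This is an added example, not part of the original article: every name (`example-org`, `dev1`, `developers`, the variable `dev_password`) is hypothetical, and the provider's controller address and admin authentication are assumed to be configured separately.

```hcl
# Added example: names and values are hypothetical placeholders.
variable "dev_password" {
  type      = string
  sensitive = true # keep the password out of plan output
}

# Scopes: an org under "global", and a project inside the org.
resource "boundary_scope" "org" {
  scope_id               = "global"
  name                   = "example-org"
  auto_create_admin_role = true
}
resource "boundary_scope" "project" {
  scope_id               = boundary_scope.org.id
  name                   = "example-project"
  auto_create_admin_role = true
}

# Auth method: password auth, contained by the org scope.
resource "boundary_auth_method" "password" {
  scope_id = boundary_scope.org.id
  type     = "password"
  name     = "org-password"
}

# Account: the login identity created under that auth method.
resource "boundary_account_password" "dev" {
  auth_method_id = boundary_auth_method.password.id
  login_name     = "dev1"
  password       = var.dev_password
}

# User: the access-control entity, with the account attached to it.
resource "boundary_user" "dev" {
  scope_id    = boundary_scope.org.id
  name        = "dev1"
  account_ids = [boundary_account_password.dev.id]
}

# Group: permissions are granted to the group, not to individual users.
resource "boundary_group" "developers" {
  scope_id   = boundary_scope.org.id
  name       = "developers"
  member_ids = [boundary_user.dev.id]
}

# Role: applied at project scope, limited to connecting to targets.
resource "boundary_role" "connect" {
  scope_id      = boundary_scope.project.id
  name          = "connect-to-targets"
  principal_ids = [boundary_group.developers.id]
  grant_strings = ["ids=*;type=target;actions=list,read,authorize-session"]
}
```

Adding a developer then means one more account and user plus a new entry in `member_ids`; the role and its grants stay unchanged, which keeps the permission set reviewable in one place.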
In today’s threat landscape, proactive measures like Boundary are essential to safeguarding valuable assets from potential breaches. At CloudNow, we’re constantly looking for ways to enhance security while delivering advanced technology solutions fast – and Boundary is one of the tools that helps us achieve this.