Feodora - stock.adobe.com
HashiCorp cozies up to Azure AD for zero-trust security
HashiCorp's Boundary access control utility will sync automatically with Microsoft Azure's Active Directory identity management service, the vendors said this week.
HashiCorp and Microsoft will expand their collaboration on zero-trust security cloud services with deeper integrations, according to an announcement this week.
HashiCorp Boundary coordinates access management and user authorization within distributed systems. It was designed to do so in accordance with zero trust security principles, in which legacy data center perimeters are replaced with finer-grained user identity-based access to individual IT resources. The practice is now not only more popular but also mandated under a recent Presidential Executive Order intended to bring U.S. cybersecurity up to speed with cloud-native applications and services.
HashiCorp's Boundary access control utility and Microsoft's Azure Active Directory (AD) identity management service have had basic integration since HashiCorp first launched the tool a year ago, along with other identity management tools such as Okta and LDAP. Under the expanded partnership announced this week, HashiCorp and Microsoft plan to add further tie-ins, including automatic synchronization between Boundary and Azure AD identities, permissions and groups when new users are added.
"Microsoft shares the same philosophy as HashiCorp, that the old security paradigm that relies on firewalls and VPNs no longer applies," said Sue Bohn, vice president of Microsoft's Identity and Network Access Division, in a keynote presentation during the HashiConf Global virtual event this week. "Zero trust ... means that all touch points in a system -- identities, devices and services -- are verified before they're considered trustworthy, and it means that user access is limited only to the data systems and applications required for that role."
Under the expanded partnership, Azure AD will handle user identity management, including working groups, while HashiCorp Boundary handles access to cloud resources for those identities, also using credentials stored in HashiCorp's Vault. Vault-based user access to Azure AD will also be added in the future, Bohn said.
Boundary and Vault integration was added after the product's initial launch over the last year, said Armon Dadgar, CTO at HashiCorp, during the same keynote presentation.
"All the credentials can live centrally within Vault, and Boundary can broker access to it as needed," he said. "It might be a static credential that we're just brokering access to, or it might be a dynamic credential that Boundary is creating just in time for that individual session."
Dynamic credentials, also described as "Just-in-time access," are recommended by experts as part of zero-trust security practices, since repositories of longer-lived credential data are more easily accessed by attackers. With dynamic credentials, even if attackers gain access to authentication data, it doesn't remain viable for access to systems once used by an authorized person.
This week's partnership expansion news was well-timed for one HashiCorp user who is also going through a migration to Microsoft Azure services, including Azure AD.
"Boundary has come a long way since launch -- the Vault integration is really slick," said Phil Fenstermacher, systems engineer at William & Mary, a university in Williamsburg, Va.
Fenstermacher's organization hasn't yet started using dynamic credentials, but he said he expects Boundary and its Azure AD integration to ease that transition.
Phil FenstermacherSystems engineer, College of William & Mary
"For our users not to have to worry about juggling credentials and being able to do on-demand [access] ... will make it easier to get people to use dynamic credentials."
HashiCorp Waypoint supports Kubernetes configuration management
Another product update that stood out to HashiConf Global attendees was last week's release of version 0.6 of HashiCorp's Waypoint continuous delivery tool. That product was also launched last year to standardize a workflow for the build, deploy and release phases of continuous delivery pipelines, which otherwise require developers to use a combination of multiple tools such as Dockerfiles, makefiles and other CI/CD utilities. Waypoint replaces all of them with a single file under a versionable URL.
Since launch, HashiCorp added features to Waypoint including dynamic templating for Dockerfiles and input parameters that make Waypoint files easier for different members of DevOps teams to reuse. With Waypoint 0.6, the tool added support Kubernetes-specific build and deployment files, including the YAML-based Helm and Kustomize files frequently used in configuration management for the container orchestration platform.
Such files are a common challenge among IT teams that have adopted the GitOps approach to application and infrastructure management in Kubernetes environments, but HashiCorp has not yet formally integrated Waypoint with popular GitOps tools such as Flux and Argo CD, according to a company spokesperson.
It's still an early-stage product, but for HashiCorp customers that also use Kubernetes extensively, this latest update made Waypoint of greater interest for possible future evaluation.
"The more we move toward cloud, the more we want application teams to own their full stack, including networks and infrastructure," said Mick Miller, senior DevOps architect at KeyBank, a financial services institution based in Cleveland. "We're always looking for things that will make it easier to do that consistently across all our teams."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.