HashiCorp cloud security evolves via Boundary, Consul, Vault
With the debut of Boundary on HashiCorp Cloud Platform, along with updates for Vault and Consul, the vendor lays the foundation for a long-term product strategy.
LOS ANGELES -- HashiCorp cloud security updates this week set the stage for the IT automation vendor's long-term roadmap as it anticipates an eventual enterprise shift to SaaS.
The HashiCorp Cloud Platform (HCP) is a relatively recent venture for the company, which still does most of its business with large enterprises that use self-managed software on premises or with cloud IaaS platforms. HCP will remain a secondary growth strategy for HashiCorp for at least the next few years.
But four or five years from now, that picture will change, HashiCorp CEO David McJannet said in a press and analyst briefing during HashiConf Global this week.
"We don't sell [HCP] to enterprises yet because they're not ready to consume cloud, by and large. ... They don't trust anybody [in cloud services] other than Amazon and Azure," McJannet said. "The thing that's bringing them back full circle is a skills challenge -- now we have customers that have been running, say, Vault as a shared service for two years, coming back to us and saying, 'These platform teams we have are so valuable, they keep getting poached.'"
Enterprises that do retain platform teams still encounter issues that could be addressed with a managed service, McJannet said, and some smaller business units within larger companies have begun to look to SaaS.
"It's very obvious to me that the right way to run this stuff is as a managed service, no doubt," he said. "The reason I know that is because I see all the severity 1 escalations we get every day, and 99 times out of 100, the answer is, 'You ran that machine out of memory.' They don't have the skill set. They don't treat these things like the tier zero apps that they are."
As a result, HCP revenue has grown steadily the last two fiscal years, reaching $10.6 million in HashiCorp's second quarter of fiscal 2023. That's modest in comparison to HashiCorp's overall revenue for that quarter of $113.9 million, but a rapid rise from the previous year's second quarter HCP revenue of $3.7 million.
HCP Consul, Vault updates sweeten SaaS deal for enterprises
HashiCorp previewed a multi-cloud management plane for the SaaS version of the Consul service discovery and service mesh product this week called Consul Cloud Manager, which will include a global service catalog and a unified view of all Consul clusters deployed on premises or in cloud provider infrastructures, as well as a hosted user interface.
A beta feature for Consul called Dataplanes, which combines Consul's service mesh proxy with the open source Envoy sidecar, will make it easier to connect HCP Consul to more cloud regions and on-premises environments, according to HashiConf officials who briefed media here this week.
HCP Vault also extended its multi-cloud support with the beta release of HCP Vault on Azure, along with support for multifactor authentication and multi-cloud replication, including recovery time objective and recovery point objective settings, as well as automated failover.
For one large HashiCorp customer, other recent updates to HCP Vault -- such as data encryption and masking that better support multinational data privacy and residency requirements -- make a move to SaaS much more likely in the short term.
"Our goal is to get off running things on premises," said Martin Eggenberger, chief architect at Worldwide Monster Inc., owner of hiring and recruiting website Monster.com. "We're investing much more in the platform-as-a-service concept or SaaS, which can be embedded quickly into our existing workflows."
Eggenberger said McJannet's description of a skills challenge prompting a move to SaaS is accurate in his company's case.
"We don't have the time to patch it, to upgrade it, to secure and maintain it," he said of any new tools his company considers. "So [McJannet's statement] is right on the money."
Both HashiCorp and enterprise customers will have a challenge ahead of them in managing both the expansion to cloud-native applications within self-managed environments and that SaaS transition, Eggenberger said.
"It's going to be an interesting challenge for them from a customer growth perspective," he said.
HCP services such as Consul Cloud Manager and a new Consul multi-cloud API gateway introduced this week could also open HashiCorp to new competitive challenges, according to Eggenberger.
"It's a distributed API gateway for your east-west communication, but most organizations already have massive API gateway investments, so they're competing in a spot that is already somewhat saturated," he said. "Some folks are not happy about their API gateway's price, etc. But to penetrate that market, it's going to be tricky."
HashiCorp Boundary reaches general availability on HCP
HashiCorp's Boundary access management product, in preview and beta for the last two years, reached general availability this week, starting in the cloud first, although a Boundary Enterprise self-managed product is planned. Boundary is also available in an open source version, but this week HCP Boundary also added advanced features that are available to cloud customers only.
HCP Boundary acts as a front door to customers' identity providers, such as Okta, Active Directory and AWS Identity and Access Management, and the managed version also integrates Terraform and Vault on the back end to offer automated provisioning of cloud services and passwordless authentication.
Passwordless authentication means HCP Boundary users never see or manage access credentials -- instead, Boundary brokers short-lived credentials behind the scenes through Vault. HCP Boundary also represents a foray for HashiCorp into more advanced privileged access management (PAM) features, such as audit logs and the ability to view and cancel sessions.
These features are part of HCP Boundary Standard Edition released this week, but further editions will follow that add more PAM features, according to a HashiCorp spokesperson.
As with Consul's API gateway, this also puts HashiCorp into new competition with PAM specialists such as CyberArk, ManageEngine, BeyondTrust, Centrify and Broadcom.
Boundary integrates with identity management specialists such as Okta and Active Directory for now, but it wouldn't be too huge a leap for HashiCorp to move further into that space if it wanted to, said Jim Mercer, analyst at IDC.
"Boundary is now essentially in the PAM market as a new, innovative way to do privileged access management in the cloud," he said.
Similarly, in the identity management space, "it can also work with Active Directory, or Okta, or it can work without it," Mercer said. "[For existing applications,] that means [customers] would have to start abandoning things they've already invested time and energy into, but maybe for something new and cloud-native, they can do it directly with Boundary."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.