Getty Images/iStockphoto

HashiCorp Vault trims SaaS; Boundary hooks up Enterprise

HashiCorp Vault's appeal to a broader field of users gets a boost from a new entry-level cloud service, while a new Boundary Enterprise targets the high end of the market.

HashiCorp Vault will be easier to deploy in entry-level environments with the release of a stripped-down SaaS service and an open source operator this week, while a self-managed option for Boundary privileged access management seeks to boost enterprise interest.

The HashiCorp Cloud Platform (HCP) Vault Secrets service, which launched in beta this week, gives users not steeped in infrastructure management an entry point into its most widely used cloud security feature. The release of the HashiCorp Vault Secrets Operator means users can deploy the secrets management software on container clusters without having to manage Vault Agents as sidecar containers on each cluster host.

HCP Vault Secrets, a multi-tenant SaaS, consists solely of an interface for configuring secrets such as passwords and other security credentials for services, and leaves out the rest of the management knobs. Users without infrastructure management expertise won't have to provision or configure Vault server clusters before they can start injecting secrets into applications. HCP Vault Secrets also integrates with other secrets management services, starting with AWS and GitHub, with plans to support more third-party password management and identity management tools.

Pricing for HCP Vault Secrets isn't available while the service is in beta. Depending on its cost, however, it could also be appealing to larger shops that want to make Vault available for developers or experiment with the cloud.

Martin Eggenberger, chief architect, Monster WorldwideMartin Eggenberger

"We use Vault Enterprise -- are we going to downgrade [some of] this to Vault Secrets at some point? That may be in the cards so long as it performs well [with HCP Vault Secrets]," said Martin Eggenberger, chief architect at Monster Worldwide, owner of hiring and recruiting website "It's a great offering for entry-level people that want to manage secrets in a centralized fashion ... For [enterprise] customers, it'll be really neat to have an easy gateway to put on the cloud [and] test out synchronizing back to their main area."

The HashiCorp Secrets Operator consists of a set of Kubernetes custom resource definitions. It can take the place of the existing Vault Agent, which must be deployed on each Kubernetes pod as a sidecar container. The Operator significantly simplifies deployments compared with the Agent sidecar, according to one user who has tested it.

The sidecar method requires an extra container to run as part of each pod -- one operator can handle a namespace, cluster or whatever division makes the most sense for the environment.
Phil FenstermacherManager of systems design and architecture, William & Mary

"The sidecar method requires an extra container to run as part of each pod -- one operator can handle a namespace, cluster or whatever division makes the most sense for the environment," said Phil Fenstermacher, manager of systems design and architecture at William & Mary, a university in Williamsburg, Va. "The single operator can watch multiple secrets from Vault and write them into Kubernetes objects."

This could make Vault more accessible to users of serverless container hosting options such as AWS Fargate, where users don't have access to the underlying Kubernetes pods, Eggenberger added.

Eggenberger's team deploys Vault using a service mesh, but that's not an option for everyone, he said.

"It's kind of been one of those gaps in their offerings," he said. "I think that there is a huge market out there for folks that aren't as sophisticated at managing their own clusters."

Equitable Bank bets on HashiCorp Boundary Enterprise

The HashiCorp cloud security portfolio also expanded this week to include an Enterprise version of its Boundary privileged access management (PAM) product, which previously had been available only on HCP. Boundary Enterprise and HCP Boundary also now offer a user session recording feature for forensic investigation purposes -- both had previously offered user session monitoring, where users could view and cancel sessions.

For one financial services company in Toronto, Boundary Enterprise will add production-level support for the open source community edition with which it had been experimenting.

"We had a password manager solution [previously] that was used by our privileged users to store static passwords in it, [but] we did not have anything that handled the sessions between the privileged users and the servers," said Andrew Vezina, chief information security officer at Equitable Bank in Toronto. "And we did not have anything like dynamic secrets or dynamic changing passwords."

Andrew Vezina, chief information security officer, Equitable BankAndrew Vezina

Vezina and his company's lead architect had previously used other PAM products from CyberArk. Boundary's connection to just-in-time secrets with Vault and the fact that it's a newer product intrigued him, he said.

"CyberArk really dominates this market, and they bought Conjur, which is similar to HashiCorp Vault," Vezina said. "But then CyberArk is still a classic on-prem data center solution. They obviously have cloud versions now, but you worry about companies that came from that on-prem architecture and how quickly can they evolve."

CyberArk and other PAM competitors such as ManageEngine, BeyondTrust, Centrify and Broadcom have long offered the user session management features HashiCorp has just added to Boundary. There will be some customers similar to Equitable Bank that will be swayed by HashiCorp's cloud-native approach, though, said Jim Mercer, an analyst at IDC.

"Boundary is kind of growing up a little bit," Mercer said. "They can say, 'Even though our approach is maybe different from the typical PAM tool, there are certain blocking and tackling things that we're adding to the platform that feature-for-feature will line up with any PAM solution you have."

Session protection features that target specific behaviors should be next on that feature list for Boundary, Mercer said.

"It'd be nice to put some kind of guardrails up on sessions, so if users want to view etc [Linux configuration] passwords or kernel files and so forth, being able to catch that stuff as it's happening and block it," he said.

Terraform Enterprise auto-generates code without AI ... for now

These updates were among a raft of incremental additions to all of HashiCorp's major products this week, which also included ease-of-use enhancements for Terraform Enterprise such as auto-generated code for imported assets.

In the past, Terraform Enterprise users importing resources into the infrastructure-as-code tool could automatically bring them into Terraform state files, but had to write their own code to fully integrate them into Terraform runs. An ill-timed Terraform-apply command in a shared environment could also interrupt and deconstruct this code before it was finished. A new configuration-driven import feature will automatically generate code to map the new resource instead.

That code generation isn't AI-driven, and HashiCorp hasn't taken an official stance on whether it will integrate with generative AI tools such as ChatGPT in the future for infrastructure as code -- but it hasn't ruled it out either, said Chris Van Wesep, senior director of product marketing at HashiCorp.

"[Generative AI] can do some interesting things. There's also a number of situations where those toolchains don't get everything exactly right," he said. "We're still not ready to commit to something like that quite yet, but we're certainly looking at it and seeing what might be a possibility."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center