
HashiConf highlights security opportunities to support scale

HashiCorp's latest tools and updates help security teams collaborate with DevOps teams for efficient, scalable cloud security.

Last week at HashiConf in San Francisco, I joined 1,200 attendees to learn about HashiCorp's updates and plans for infrastructure automation -- an initiative security teams should use to scale and support modern development and increased use of AI.

Having a cybersecurity strategy to support digital transformation is more important than ever as organizations embrace AI, and there are many opportunities to better incorporate security into cloud infrastructure and development processes.

The following are key highlights from the conference for security teams, so they can work with other teams -- including development, DevOps, platform engineering and operations -- to optimize efficiency and support scaling development.

Supporting workloads across hybrid and multi-cloud environments

HashiConf celebrated its 10th anniversary, uniting its community of users of HashiCorp tools and products. In his keynote, HashiCorp cofounder and CTO Armon Dadgar described the company's history of enabling cloud adoption and driving standardization, including secure practices and policy management, to help enterprises deliver and manage software applications at scale. "Our view has always been that the world is going to be hybrid infrastructure," he said, explaining how HashiCorp is focused on automation and intelligence to support the multi-cloud reality and "operationalize it efficiently."

This mindset is important for enterprise security teams to embrace. Recent Omdia research, "The State of DevSecOps and Cloud Security Platforms," showed that most organizations use hybrid cloud environments, with public and private clouds from multiple cloud service providers. Organizations need to secure workloads across these multiple environments, incorporating security into development processes and workflows in standardized ways that scale across teams.

HashiCorp is known for creating widely used freemium products, including Vagrant for portable development environments; Packer, a tool for building VMs; Terraform for infrastructure-as-code (IaC) templates; and Vault for secrets protection. Its HashiCorp Cloud Platform (HCP) provides a unified platform for enterprises to use these tools across teams to scale.

HashiCorp offerings have played a vital role in DevOps by making it easier for IT, operations and platform engineering teams to set up development environments and cloud infrastructure. While HashiCorp products, especially HCP, can be valuable for security success, security teams might not be involved in selecting or using them.

Our DevSecOps research found that when security is incorporated early in the development process, cybersecurity teams are responsible 48% of the time, whereas other teams, including application development, infrastructure engineers, DevOps engineers, site reliability engineers or a combination of roles, are more often responsible when security is not incorporated early. It also showed that 29% of organizations do not involve their security teams out of fear of being slowed down. When looking at cybersecurity incidents on cloud-native applications, the highest percentages were caused by access issues, unmanaged secrets and misconfigurations -- areas where security teams need to improve.

HashiCorp's focus on automation and operational efficiency can play a key role in helping security teams collaborate with other groups to efficiently incorporate security into development. This will also help security support increasing scale from AI adoption.

HashiCorp was acquired by IBM earlier this year for its software automation capabilities to support multi-cloud operations and AI adoption, so I am eager to see how its plans will contribute to the IBM portfolio.

Security news from HashiConf

Here is a quick rundown of the updates announced last week at HashiConf that can help security teams.

HCP Infrastructure Lifecycle Management (ILM) updates

With cloud-native application development, developers use cloud services to provision their own infrastructure to build and deploy applications. Instead of waiting for another team to provision hardware or servers, they use declarative IaC templates, such as Terraform, AWS CloudFormation, Azure Resource Manager, Kubernetes YAML and Helm Charts. Terraform is widely used to provision the resources required to run cloud applications, including networks, compute resources and storage. HCP ILM helps organizations use Terraform at scale to optimize operational efficiency across the full software development lifecycle, which is increasingly complex with sophisticated applications in dynamic cloud environments.

The following HCP ILM enhancements -- which help security by scaling provisioning of secure cloud infrastructure -- were announced at the conference:

  • HCP Terraform Stacks (GA). Helps teams organize and deploy Terraform configurations across multiple infrastructure components and environments as a single management unit.
  • HCP Terraform search (beta). Accelerates IaC onboarding by enabling users to quickly search to discover and import resources in bulk, minimizing manual and error-prone processes.
  • HCP Terraform actions (beta). Automates and streamlines "Day 2" infrastructure operations by codifying them directly alongside the IaC, which helps address operational costs. This enables integration between Terraform and Red Hat Ansible.
  • HCP Terraform hold your own key (GA). Provides customers with greater data control by using a self-managed key to encrypt sensitive data, helping with data governance and security.
  • HCP Terraform MCP server (beta). Manages infrastructure by using natural language to interact with private and public Terraform registries, trigger workspace runs and gain validated, context-aware insights directly from AI clients or integrated development environments (IDEs).
  • HCP Packer package visibility (beta) and SBOM storage (GA). Track image provenance and store software bills of materials (SBOMs) to prioritize supply chain security and audit readiness.

HCP Security Lifecycle Management updates

HashiCorp announced a number of enhancements to improve secrets detection, simplify secure access and support policy governance for modern enterprises. These include the following:

  • HCP Boundary RDP credential injection (beta). Simplifies secured remote access by injecting credentials directly into Windows Remote Desktop Protocol sessions.
  • HCP Vault Radar Jira SaaS scanning (GA) and IDE plugin enhancement (beta). Detect exposed secrets earlier in the development process within developer IDEs and in tickets created in Jira.
  • HCP Vault Radar MCP server (beta). Interfaces directly with HCP Vault Radar using natural language and integrates with other security agents using the Model Context Protocol.
  • HCP Vault Dedicated - secrets inventory reporting (beta). Drives security posture improvements by providing visibility into secret usage, stale secrets and adoption trends.
  • Vault Enterprise 1.21 -- expected October 2025. Automates cryptographic workflows, enables post-quantum readiness and enforces zero-trust controls with new APIs and capabilities.
  • Vault MCP server (beta). Manages secrets and sensitive data by using natural language to perform Vault queries and operations, including creating, listing and deleting key-value mounts and their secrets.

Providing a unified control plane with Project infragraph

With its capabilities to incorporate and scale security in IaC and its identity security capabilities, HashiCorp also announced its plans with IBM to deliver a unified control plane, Project infragraph. The project, which is planned to be delivered as a capability within HCP, aims to provide a real-time infrastructure graph that connects infrastructure, applications, services and ownership. This can help security teams gain greater visibility and control to mitigate risk with secure development and improve workload protection.

Future plans include connecting HCP and infragraph with IBM's broader software portfolio -- including Red Hat Ansible and OpenShift and IBM watsonx Orchestrate, Concert, Turbonomic and Cloudability -- to provide a unified data source and policy model. Security teams should collaborate with IT and operations teams to evaluate how their modernization efforts with these tools can contribute to more efficient ways to manage risk and protect workloads.

Melinda Marks is a practice director at Omdia, where she covers cloud and application security.

Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.
