HashiConf Europe speakers from Starbucks and Roblox share how they leverage HashiCorp Vault, Consul, and Boundary to create a zero trust security model.
As companies worldwide make the shift to the cloud, HashiConf Europe 2021 showcased several companies, including Roblox and Starbucks, that have embraced a new paradigm to meet the security challenges of dynamic infrastructure: Zero trust security. With an estimated $6 trillion in security-related losses in 2021, how are leading companies avoiding the risk of breach as they scale operations and push digital transformations? The message from HashiConf was clear: Trust nothing. Authenticate and authorize everything.
Here are five key takeaways from HashiConf Europe about zero trust security:
In the Security Keynote, leaders from HashiCorp’s Product and Engineering teams explained how today’s modern security workload requires an identity-driven security and networking approach. From machine authentication and authorization to human-to-machine access, speakers detailed the fundamentals of identity brokering and the key requirements needed to authenticate and access different clouds, systems, and endpoints using trusted identities.
A critical component to scaling zero trust security is to centrally store and protect secrets. Traditionally, companies often relied on a legacy, static perimeter-based security model (i.e., IP-based). In growing hybrid environments, the IP-based approach is brittle and leads to secrets sprawl that leaves companies vulnerable to a breach (both from outside and within the network).
With identity-based security (e.g., only these web servers can talk to these databases) companies can centralize secrets and access controls, and provide a consistent and scalable zero trust approach that aligns to the dynamic nature of cloud infrastructures. The result? Improved scalability that drastically reduces the risk of a breach. Watch the session to learn more about how HashiCorp is helping the world’s largest companies boost their security posture.
As companies make the transition to the cloud, they are facing several security challenges in dynamic multi-datacenter environments. Instead of static IP addresses that are typical in a static environment with clear network perimeters, the ephemeral and elastic nature of the cloud requires centralized management of secrets that integrate with trusted identity providers (e.g., cloud identity and access systems, AD, or Kubernetes).
In the Zero Trust Mindset session with Rob Barnes, senior developer advocate, Rob shares an example of centralized secrets management in the cloud that improves security posture and streamlines machine-to-machine authentication and authorization. In a modern example of a cloud-based app that needs to communicate with a PostgreSQL database, Rob breaks down how HashiCorp Vault efficiently manages secret lifecycles as an identity broker. Along with short-lived credentials, auditing, flexible APIs and integrations with leading identity providers, it’s clear how Vault reduces the risk of breach in modern, dynamic environments. Watch the session to learn how to architect centralized secrets management in a dynamic cloud environment.
For Starbucks, 24/7 global retail requires a new methodology for securing cloud-based edge computing: embracing identity-based security models instead of legacy perimeter-based methodologies. For Starbucks, meeting reliability needs across more than 100,000 edge devices (from refrigerator monitors to point-of-sale machines) in 16,000 stores in North America alone, the key priorities were to automate, secure, and ensure resilience across the infrastructure.
The solution relies on a large-scale platform redesign leveraging HashiCorp Terraform on Kubernetes. The key to reliability and security is due in large part to HashiCorp Vault, which provides a centralized secrets management platform to support identifying and authorizing hundreds of thousands of edge devices.
Andrew McCormick, lead systems engineer at Starbucks, said that the key benefits in this model are scalability and automation in the security model. Human involvement to bootstrap unique identities to so many unique edge devices would completely overload their workers. With Vault, Starbucks is able to establish patterns for security policies and automate authentication loads critical for improving productivity for developers around other mission-critical initiatives. Watch the session to learn more about how Starbucks takes advantage of an identity-based security framework.
Roblox is a 200-million-player gaming platform with a rapidly growing number of global vendors and users. The company is looking at new approaches to authenticating and authorizing user identities, so it’s looking at zero trust security with HashiCorp Boundary.
One of Roblox’s challenges is giving users across different countries access to private infrastructure. This includes their control planes for HashiCorp Nomad and Consul, Vault secrets, and various caches and databases, such as Redis. They need multiple access levels, depending on who is accessing what.
Today they primarily use VPNs, but they are difficult to automate, so they’re very excited about the possibilities Boundary will bring to improve those workflows and help manage the access lifecycle for ephemeral resources with secure, just-in-time access.
Watch the session to hear more from Roblox’s Charles Zaffery and HashiCorp’s Pete Pacent and see their demo on how Boundary authenticates to an external OpenID Connect (OIDC) provider, automates target discovery with Consul and Terraform, and granularly controls session routing with worker filters.
Ready to embrace the zero trust mindset but worried about developer productivity and satisfaction? HashiCorp’s senior developer advocate, Rob Barnes, breaks down how service mesh, identity-based access management, and secrets management help to implement zero trust without increasing development friction.
This session provides a great real-world overview of how to put zero trust into action (the example environment in this session uses a VPC on Amazon Web Services with two subnets, one public and one private), and how to architect zero trust for two critical user groups that need access to dev environments: product teams and developers. Rob’s real-life examples concretely show how to put the four pillars of a zero trust approach into practice. Watch the session to see more practical examples of the zero trust mindset.
Looking for more resources on zero trust security? Watch Armon Dadgar, co-founder and CTO of HashiCorp, explain the key ingredients in his zero trust whiteboard session. You can also visit our zero trust security solutions page, and view our FAQ on identity-based security.
The new Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.
HashiCorp Consul 1.11 adds important new features: multi-tenancy with administrative partitions and a new installation-and-management Consul Kubernetes CLI.
HashiCorp Vault now supports more than 100 integrations with 75 partners, including Cisco, Datadog, F5, MongoDB, Palo Alto Networks, Red Hat, ServiceNow, and Snowflake.