
New SLM offerings for Vault, Boundary, and Consul at HashiConf 2024 make security easier

The latest Security Lifecycle Management (SLM) features from HashiCorp Vault, Boundary, and Consul help organizations offer a smoother path to better security practices for developers.

HashiCorp is focused on helping organizations integrate and automate security into developer workflows. At HashiConf, we are sharing recent and upcoming additions to our Security Lifecycle Management (SLM) products — HashiCorp Vault, Boundary, and Consul — that help make adopting a secure path fast and easy for development teams.

We are pleased to announce that HCP Vault Radar is now in public beta, Boundary now offers transparent sessions (in public beta), and Consul DNS views are now available.

»HCP central services add new access controls and observability

RBAC capabilities have been added to HCP products as part of HCP’s central services updates.

See HCP RBAC in action.

»HCP Packer bucket-level permissions

HCP Packer users can now define user access at the bucket level, enabling platform teams to grant application teams admin or contributor access to specific buckets while maintaining viewer status at the project level. The enhanced RBAC capabilities across HCP solutions help securely provide administrative boundaries for teams and apply least-privileged access principles for access to secrets.

»Stream audit logs to increase observability

HCP Packer, HCP Vault Dedicated, and HCP Boundary users can now leverage audit log streaming. Audit log streaming helps users retain their historical data in case it’s needed for an investigation or audit. The new feature streams audit log data to observability partners including Datadog, Splunk, and Amazon CloudWatch.

See audit log streaming in action.

»HCP Vault Radar secret scanning available for free in public beta

HCP Vault Radar is HashiCorp’s secret scanning product that expands upon Vault’s secret-lifecycle management capabilities to include the discovery and prioritization of unmanaged secrets. HCP Vault Radar inspects an organization’s IT estate, looking for exposed secrets and offering tracking, labeling, and remediation for those secrets. Today, at HashiConf, we are announcing that HCP Vault Radar is entering public beta as well as new enterprise features.

»Discover unmanaged secrets with HCP Vault Radar for free

The public beta for HCP Vault Radar allows all organizations that have a current HCP organization to try HCP Vault Radar’s functionality for free so they can understand their current state of secret sprawl in their environment. With generous resource limits, the public beta program allows organizations to test out all critical functionality within the product, including scanning, contextual analysis, prioritization, auditing, false positive reduction, and remediation guidance.

»Implement HCP Vault Radar agent for self-managed and regulated environments

Because of regulatory compliance or internal policy, some organizations choose to run code repositories, collaboration tools, or their data storage in private environments. The HCP Vault Radar agent gives customers a way to scan secrets from their data sources (e.g. GitHub, Bitbucket, etc.) in self-managed, private infrastructure. The agent allows organizations to operate HCP Vault Radar from within their trusted, self-managed perimeter. Those results are then shared with HCP Vault Radar’s cloud portal without exchanging sensitive credentials. This process allows organizations to use HCP Vault Radar’s scheduling, contextual analysis, prioritization, auditing, and remediation, while remaining compliant with internal policy.

See HCP Vault Radar agent in action.

»Prevent leaks by integrating pre-receive scanning into existing developer workflows

One of the most significant challenges organizations face is how to prevent secrets from being exposed in the first place. Avoiding exposure also avoids the operational cost and potential downtime of rotating the exposed secrets. HCP Vault Radar works in conjunction with multiple developer Git workflows to monitor and alert on sensitive information. However, some Git workflows accept a developer’s submission before any policy or code checks run. Once the Git server accepts the submission, it stores and logs the code, along with any exposed secrets that may be in the pull request. To avoid this situation, we’ve added Git pre-receive hook scanning to HCP Vault Radar. Pre-receive hook scripts run on the Git server before a push or pull request is accepted. This means code violations, including potentially exposed secrets, can be discovered and resolved before they are committed to a code repository or logged.
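As an added illustration of the pre-receive approach described above (generic example code written for this page, not HCP Vault Radar's hook or any HashiCorp code), here is a minimal Python pre-receive hook. It assumes it runs on the Git server with `git` on the PATH, and the three detection rules and the sample diff are constructed for the example; a real deployment would use a maintained ruleset. It also handles the two ref edge cases a hook sees: branch creation (old revision is all zeros, so the diff is taken against Git's empty tree) and branch deletion (nothing new enters the repository, so nothing is scanned).

```python
#!/usr/bin/env python3
"""Hypothetical Git pre-receive hook that rejects pushes introducing secret-like strings.

Example code for illustration only; not HCP Vault Radar's implementation.
Assumes it runs server-side with `git` on PATH. Rules and sample data are constructed.
"""
import re
import subprocess
import sys

ZERO_SHA = "0" * 40  # Git's all-zero revision: ref created or deleted
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # Git's well-known empty tree

# Constructed detection rules (illustrative, not a production ruleset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed sample push: a new file with two secret-like lines and two benign lines.
# The AKIA value is the placeholder key id used in AWS documentation.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
new file mode 100644
--- /dev/null
+++ b/config/settings.py
@@ -0,0 +1,4 @@
+DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+TIMEOUT = 30
"""

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (file, new_line_no, rule) for every added line in a unified diff that matches a rule."""
    findings = []
    current_file, new_line, in_hunk = None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False
            continue
        if line.startswith("@@"):
            m = HUNK_HEADER.match(line)
            new_line = int(m.group(1)) if m else 0  # first new-file line of this hunk
            in_hunk = True
            continue
        if not in_hunk:
            if line.startswith("+++ "):
                current_file = line[4:]
                current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if line.startswith("+"):  # added line: the only content that can introduce a secret
            content = line[1:]
            for rule, rx in PATTERNS.items():
                if rx.search(content):
                    findings.append((current_file, new_line, rule))
            new_line += 1
        elif line.startswith("-") or line.startswith("\\"):
            continue  # removed line or "\ No newline" marker: no new-file line consumed
        else:
            new_line += 1  # unchanged context line
    return findings


def changed_refs(stdin_lines):
    """Parse the 'oldrev newrev refname' lines Git feeds a pre-receive hook on stdin."""
    return [tuple(p) for p in (raw.split() for raw in stdin_lines) if len(p) == 3]


def diff_for_update(old, new):
    """Unified diff of what this ref update adds; empty for deletions."""
    if new == ZERO_SHA:
        return ""
    base = EMPTY_TREE if old == ZERO_SHA else old
    out = subprocess.run(["git", "diff", base, new], capture_output=True, text=True, check=True)
    return out.stdout


def main():
    rejected = []
    for old, new, ref in changed_refs(sys.stdin):
        for path, line_no, rule in scan_diff(diff_for_update(old, new)):
            rejected.append(f"{ref}: {path}:{line_no} matches {rule}")
    for msg in rejected:
        print("rejected " + msg, file=sys.stderr)
    # A non-zero exit makes Git refuse the whole push, so the secret is never stored or logged.
    sys.exit(1 if rejected else 0)


if __name__ == "__main__":
    main()
```

Installed as an executable `hooks/pre-receive` in the bare repository, the script receives one `oldrev newrev refname` line per updated ref. Only added lines are inspected, which is what a pre-receive check needs: anything already in history was accepted by an earlier push and belongs to the repository-wide scan rather than the gate.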

See pre-receive scanning in action.

»Kickstart your remediation process with custom guidance

When an exposed secret is discovered, it needs to be rotated to eliminate opportunities for unauthorized access, breach of sensitive information, or lateral application-to-application movement by threat actors. However, remediation can be complex.

For instance, was the secret found in multiple locations and applications? If so, the remediation must be carefully controlled to ensure there will be no downtime. However, if a secret has been found in an unsecured location and it is actively being used, the situation is critical and the secret must be rotated immediately. In these potentially serious cases, engineering teams would benefit from guidance.

HCP Vault Radar provides remediation best practices and contextual guidance based on the type of secret that was discovered. Contextual guidance is provided for:

  • Active secrets
  • Inactive secrets
  • Secrets leaked from Google Cloud or AWS

Additionally, SecOps teams can customize HCP Vault Radar remediation configurations to direct engineering teams to internal or proprietary documentation that takes into account internal processes and relevant best practices.

If you already have an HCP account, you can sign in and try HCP Vault Radar for free. Otherwise, you can sign up for HCP for free.

»Vault Enterprise increases reliability, scalability, and industry support

Vault 1.18 improves reliability and adds protocol support for telecom and federal agencies.

»Improve high availability with adaptive overload protection

Requests to the Vault API frequently result in the need to perform storage updates. These updates must be processed sequentially, causing high latency that could result in an outage during periods of high traffic. Adaptive overload protection allows Vault to gracefully manage requests by maintaining write replicas, which mitigate the risk of downtime. Adaptive overload protection will be enabled by default for Vault’s integrated storage backend.

»Achieve 3GPP compliance with certificate management protocol (CMPv2)

Vault Enterprise 1.18 further advances its certificate lifecycle management capabilities by extending PKI with the CMPv2 protocol. CMPv2 supports a variety of certificate formats including RSA, DSA, and ECDSA, as well as X.509 templates. The protocol is widely used by the mobile telecommunications and networking industries to support 5G and achieve 3rd Generation Partnership Project (3GPP) compliance. CMPv2 includes:

  • Initialization registration
  • Certificate update
  • Key-pair update

In order to provide 5G services, mobile telecommunication providers are required to adhere to 3GPP standards. 3GPP requires that network devices be authenticated using X.509 certificates and that the enrollment process use the CMPv2 protocol. With support for CMPv2 in PKI, Vault Enterprise facilitates the automation of network device certificate enrollment, helping organizations be 3GPP compliant for 5G services.

Additional important updates in Vault 1.18 include auto-rotation for static database credentials and IPv6 accreditation. For more information, please review our release blog and notes.

»Boundary transparent sessions provide enhanced workflows for intuitive access

HashiCorp Boundary provides secure human-to-machine access for sensitive applications. This includes:

  • Identity-based authorization to ensure only the right roles gain access to the right services
  • Automated workflows for both end users and administrators with passwordless access
  • Reduced risk exposure with dynamic secrets using Vault

To further deliver on that promise we’re pleased to introduce Boundary transparent sessions in public beta — a core improvement to Boundary workflows that lets authorized remote users securely and transparently connect to privileged resources. With transparent sessions, end users can connect to privileged or highly sensitive systems passively, without any direct user interaction with Boundary’s CLI or Desktop clients. Boundary transparent sessions run in the background and intercept DNS calls to route traffic through Boundary to the intended systems when a user is authorized.

Prior to Boundary 0.16, establishing a new connection in the Boundary CLI involved copying and pasting a scope-id or target-id. After the addition of aliases in Boundary 0.16, users could use a more human-readable custom resource alias to connect to a target instead of IDs that were hard to memorize. Transparent sessions eliminate the copy and paste workflow entirely by automatically populating the necessary IDs to establish a session.

Transparent sessions are available today for users on HCP Boundary Standard, HCP Boundary Plus, and Boundary Enterprise. Visit our transparent sessions documentation to learn more. New Boundary users can sign up for a free HCP Boundary account or request a Boundary Enterprise trial through HashiCorp sales.

See transparent sessions in action.

»Simplify and secure multi-tenant service discovery with Consul DNS views

HashiCorp Consul on Kubernetes v1.20 introduces Consul DNS views, which improve the usability of service discovery in multi-tenant environments and also tighten security by letting organizations limit discovery between tenants. Prior to Consul DNS views, Kubernetes application services deployed in multi-tenant configurations with Consul admin partitions needed to be updated to reference partition information if they were using Consul DNS. Requiring developers to update their Kubernetes application services added new burdens and hindered the adoption of admin partitions.

Consul DNS views, now available in version 1.20, remove this friction by no longer requiring developers to update Kubernetes applications for DNS queries made between services that reside in the same partition. In addition, Consul DNS views can prevent services from discovering services in other partitions, tightening security between tenants. With Consul DNS views, organizations can more easily adopt service discovery across different teams throughout the organization while ensuring clear security separation between tenants.

»Get started with Security Lifecycle Management

As organizations move from static to dynamic cloud environments, they need to transition from network-based to identity-based security. With more focus and scrutiny on the materiality of cybersecurity risk, organizations are also forced to enhance security efforts without sacrificing developer productivity. With these new announcements, HashiCorp continues to strengthen its Security Lifecycle Management offerings. Together, HashiCorp Vault, Boundary, and Consul prioritize making it easy for developers to adopt more secure workflows.

To see these products in action or to learn more, sign up for a free trial of the HashiCorp Cloud Platform. If you'd like to see a deep-dive webinar recap of these announcements, sign up for our SLM HashiConf recap.
