How To Implement a Zero-Trust Lab with HashiCorp in an Hour - HashiCorp Solutions Engineering Blog - Medium
Trust nothing. Authenticate and authorize everything.
The Advanced Technology Academic Research Center (ATARC) is a non-profit organization that provides a collaborative forum for the federal government, academia, and industry to identify, discuss, and resolve emerging technology challenges like the implementation of zero trust architectures.
Recently HashiCorp presented and demoed a zero trust architecture on ATARC’s YouTube channel. Here is the video:
This article outlines the solutions HashiCorp presented at ATARC, along with resources and general architectural concepts. It is not a detailed how-to guide; for the hands-on examples, follow along in the video above.

General Challenges & Solutions
- If one Cloud Service Provider (CSP) suffers an outage, show what you can do
- Demonstrated how Terraform can provision multi-cloud workloads across CSPs
- Demonstrated how Terraform can run on-premises or in an air-gapped environment without an internet connection
- All HashiCorp Enterprise products come with Sentinel, a policy-as-code governance framework. Terraform can also integrate existing application security solutions such as Snyk, Bridgecrew, or others into the Terraform workflow.
- Federal agencies often use security solutions to help achieve their Authority to Operate (ATO)
We provisioned the demo in its entirety with Terraform, which gave us versioning through codification. We leveraged Terraform modules, and the modules and other resources we used are linked at the end of this article.
ATARC Lab on Amazon Web Services (AWS)
General Challenges & Solutions
- An analyst needs to access fingerprint data from an agency across a multi-cloud or on-premises environment
- Allowed analyst access based on the application-aware source of the session
- Revoked analyst access based on the application-aware source of the session
- Provided operators the ability to monitor and revoke any service, either in the graphical user interface (GUI) or programmatically
- Empowered developers to program and automate authorized intentions instead of manually submitting a ticket for a firewall exception
- Ensured that, once authenticated and authorized, operator “a” can see only fingerprint service “a” and operator “b” can see only fingerprint service “b”
- Provided observability (monitoring) to security and operations
- Discussed network infrastructure automation for existing network equipment such as Cisco, F5, Palo Alto, and others
Consul with Amazon Elastic Container Service (ECS) provides you with a fully-managed service mesh ecosystem. Empowering your AWS ECS tasks with Consul service mesh connectivity lets you take advantage of features such as zero trust security, intentions, observability, traffic policy, and more. You can build this on your own using our Learn guide.
The figures below show the intentions configuration and the associated allow and deny functions between services “a” and “b”.
Figure: service intentions deny “service a” to “service b”
Figure: service intentions allow “service a” to “service b”
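The intentions in the two figures, written out as Terraform with the Consul provider's `consul_config_entry` resource. This is an added example and not code from the ATARC demo repository; the service names `operator-a`, `operator-b`, `fingerprint-a` and `fingerprint-b`, the Consul address, and the `Description` strings are assumed for illustration. It also assumes Consul ACLs are enabled with `default_policy = "deny"`, so that a source with no matching intention is denied rather than allowed.

```hcl
# Added example: service-intentions config entries for the two fingerprint
# services, managed as code with the Terraform Consul provider.
# Service names and the Consul address are assumed for illustration.

terraform {
  required_providers {
    consul = {
      source = "hashicorp/consul"
    }
  }
}

provider "consul" {
  address = "consul.example.internal:8500" # assumed agent address
}

# Destination "fingerprint-a": operator-a is allowed, operator-b is denied,
# and the wildcard closes the door for every other source. Consul gives an
# exact-name source precedence over the wildcard, so the order of the
# entries does not change the outcome.
resource "consul_config_entry" "fingerprint_a" {
  kind = "service-intentions"
  name = "fingerprint-a"

  config_json = jsonencode({
    Sources = [
      { Name = "operator-a", Action = "allow", Description = "analyst a may query service a" },
      { Name = "operator-b", Action = "deny",  Description = "analyst b may not see service a" },
      { Name = "*",          Action = "deny",  Description = "explicit default deny" },
    ]
  })
}

# Destination "fingerprint-b": the mirror image of the entry above.
resource "consul_config_entry" "fingerprint_b" {
  kind = "service-intentions"
  name = "fingerprint-b"

  config_json = jsonencode({
    Sources = [
      { Name = "operator-b", Action = "allow", Description = "analyst b may query service b" },
      { Name = "operator-a", Action = "deny",  Description = "analyst a may not see service b" },
      { Name = "*",          Action = "deny",  Description = "explicit default deny" },
    ]
  })
}
```

After `terraform apply`, `consul intention check operator-a fingerprint-a` reports Allowed while `consul intention check operator-b fingerprint-a` reports Denied; changing an `Action` and re-applying is the "revoke" step the demo performed, with the change recorded in version control rather than in a firewall ticket.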
General Challenges & Solutions
- Provide an identity-based authentication and authorization system to the analysts, with centralized secrets management
- Demonstrated using your existing identity providers, such as AWS IAM, Azure, Google Cloud, JWT/OIDC, Kubernetes, LDAP, Okta, and many others
- Demonstrated Vault encryption as a service with the Transit secrets engine
- Secured the root certificate authority (CA) for transport layer security (TLS) with Vault
- Secured the gossip encryption key for Consul machine-to-machine communication with Vault
- Stopped secret sprawl for the fingerprint server’s database administrator credentials, using identity-based authentication and authorization
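The Vault pieces listed above, configured as code with the Terraform Vault provider: a Transit key for encryption as a service, a root CA kept inside the PKI secrets engine, dynamic database credentials in place of a shared administrator password, and a least-privilege policy for the fingerprint application. This is an added example, not the Vault demo repository's code; the mount paths, hostnames, TTLs, role and key names are assumed for illustration.

```hcl
# Added example: Vault configuration for the fingerprint service using the
# Terraform Vault provider. Paths, hostnames and TTLs are assumed.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

variable "db_admin_password" {
  type      = string
  sensitive = true # bootstrap only; Vault rotates it once it owns the account
}

# 1. Encryption as a service: the application never holds a data key. It
#    sends plaintext to transit/encrypt and ciphertext to transit/decrypt.
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

resource "vault_transit_secret_backend_key" "fingerprint" {
  backend          = vault_mount.transit.path
  name             = "fingerprint"
  deletion_allowed = false # protect against accidental loss of ciphertext
}

# 2. Root CA for TLS. The private key is generated and stays inside Vault.
resource "vault_mount" "pki" {
  path                  = "pki"
  type                  = "pki"
  max_lease_ttl_seconds = 315360000 # 10 years, must cover the root's TTL
}

resource "vault_pki_secret_backend_root_cert" "consul_ca" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "consul-ca.example.internal" # assumed
  ttl         = "87600h"
}

# 3. Dynamic, short-lived database credentials instead of one DBA password
#    copied into every config file.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "fingerprint" {
  backend       = vault_mount.db.path
  name          = "fingerprint-db"
  allowed_roles = ["fingerprint-ro"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@fingerprint-db.example.internal:5432/fingerprint?sslmode=require"
    username       = "vault_admin"
    password       = var.db_admin_password
  }
}

resource "vault_database_secret_backend_role" "fingerprint_ro" {
  backend = vault_mount.db.path
  name    = "fingerprint-ro"
  db_name = vault_database_secret_backend_connection.fingerprint.name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  default_ttl = 3600  # one hour, then the role is dropped
  max_ttl     = 14400
}

# 4. Least privilege: the policy names only the three paths the application
#    needs. Vault denies every path not listed.
resource "vault_policy" "fingerprint_app" {
  name   = "fingerprint-app"
  policy = <<-EOT
    path "transit/encrypt/fingerprint" {
      capabilities = ["update"]
    }
    path "transit/decrypt/fingerprint" {
      capabilities = ["update"]
    }
    path "database/creds/fingerprint-ro" {
      capabilities = ["read"]
    }
  EOT
}
```

Bind the policy to an identity from one of the auth methods listed above (for example an AWS IAM or Kubernetes auth role with `token_policies=fingerprint-app`) rather than handing out a static token. After the first apply, run `vault write -f database/rotate-root/fingerprint-db` so the bootstrap administrator password, which also sits in Terraform state, is no longer valid anywhere outside Vault.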
General Challenges & Solutions
- Provide identity-based authentication and authorization to analysts working remotely
- Demonstrated secure remote access leveraging HashiCorp Boundary to enable secure session management for internal and external human operators
- Demonstrated how Boundary’s scalable controller/worker model allows for a highly available, centralized control plane (the controllers) while supporting a distributed, route-optimized session/data plane via its workers
- In our demo, we showed how to connect to any internal network resource without punching holes in the firewall or using a VPN
HashiCorp Boundary secures access to applications and critical systems with fine-grained authorizations, without managing credentials or exposing networks. Boundary lets you eliminate the risk of using SSH keys, VPN credentials, and bastion hosts for remote access.
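The Boundary side of the demo expressed as Terraform with the Boundary provider: a private host behind a worker, a TCP target with session limits, and a role that lets the analyst group authorize sessions to that one target. This is an added example and not the Boundary reference architecture's code; the scope and group IDs, the host address, and the names are assumed for illustration.

```hcl
# Added example: a Boundary target and role for the fingerprint database,
# managed with the Terraform Boundary provider. IDs and addresses are assumed.

terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

variable "project_scope_id" { type = string } # assumed: the project scope (p_...)
variable "analyst_group_id" { type = string } # assumed: the analyst group (g_...)

# The database sits on a private network that only the Boundary worker can
# reach. Nothing here opens an inbound firewall rule or requires a VPN.
resource "boundary_host_catalog_static" "fingerprint" {
  name     = "fingerprint-hosts"
  scope_id = var.project_scope_id
}

resource "boundary_host_static" "db" {
  name            = "fingerprint-db"
  host_catalog_id = boundary_host_catalog_static.fingerprint.id
  address         = "10.0.2.15" # assumed private IP
}

resource "boundary_host_set_static" "db" {
  name            = "fingerprint-db-set"
  host_catalog_id = boundary_host_catalog_static.fingerprint.id
  host_ids        = [boundary_host_static.db.id]
}

resource "boundary_target" "db" {
  name                     = "fingerprint-db"
  type                     = "tcp"
  scope_id                 = var.project_scope_id
  default_port             = 5432
  host_source_ids          = [boundary_host_set_static.db.id]
  session_connection_limit = 1    # one TCP connection per authorized session
  session_max_seconds      = 3600 # the session expires and must be re-authorized
}

# Analysts may list targets and authorize a session to this target only.
# They connect through the worker and need no network path to the host.
resource "boundary_role" "analyst" {
  name          = "analyst-fingerprint-db"
  scope_id      = var.project_scope_id
  principal_ids = [var.analyst_group_id]
  grant_strings = [
    "type=target;actions=list",
    "id=${boundary_target.db.id};actions=authorize-session",
  ]
}
```

An analyst then runs `boundary connect postgres -target-id <target id> -dbname fingerprint`, which opens a local proxy through the worker; an operator can end that session at any time with `boundary sessions cancel -id <session id>`, which is the GUI/programmatic revocation the demo showed.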
Thank you for reading and learning more about HashiCorp’s zero trust solution. For use in a production environment, please contact HashiCorp or find us on GitHub. I would like to thank Dan Fedick and Tim Silk for their contributions to the article.
Please take a moment to check out our zero trust white paper and YouTube video below.
Public Terraform Modules:
Credits and Resources
- Boundary on AWS reference architecture
- HashiCorp Vault Learn article
- ECS repository for the Terraform module
- Consul ECS main
- Vault demo repo
How To Implement a Zero-Trust Lab with HashiCorp in an Hour was originally published in HashiCorp Solutions Engineering Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.