How to Implement a Zero-Trust Lab with HashiCorp in an Hour
Trust nothing. Authenticate and authorize everything.
The Advanced Technology Academic Research Center (ATARC) is a non-profit organization that provides a collaborative forum for the federal government, academia, and industry to identify, discuss, and resolve emerging technology challenges like the implementation of zero trust architectures.
Recently HashiCorp presented and demoed a zero trust architecture on ATARC’s YouTube channel. Here is the video:
This article will outline the solutions presented by ATARC along with resources and general architectural concepts. This is not a detailed how-to guide but for examples, follow along in the video above.

General Challenges & Solutions
- If one Cloud Service Provider (CSP) suffers an outage, show what you can do
- Demonstrated how Terraform can provision multi-cloud workloads across CSPs
- Demonstrated how Terraform can be provisioned on-premises or air-gapped without an internet connection
- All HashiCorp Enterprise products come with Sentinel, a policy-as-code governance framework. Terraform can also integrate existing application security solutions such as Snyk, Bridgecrew, or others into the Terraform workflow.
- Federal agencies often use security solutions to help achieve their Authority to Operate (ATO)
We provisioned the demo in its entirety with Terraform, which provided us with versioning through codification. We leveraged Terraform modules and provided resources.
ATARC Lab on Amazon Web Services (AWS)
General Challenges & Solutions
- An analyst needs to access fingerprint data from an agency across a multi-cloud or on-premises environment
- Allowed analyst permission based on application-aware/source session
- Revoked analyst permission based on application-aware/source session
- Provided operators the ability to monitor and revoke any service within the graphical user interface (GUI) or programmatically
- Empowered the developers to program/automate authorized intentions versus manually submitting a ticket for a firewall exemption
- Only allowed operator “a” can see fingerprint service “a”; and operator “b” can only see fingerprint service “b” once authenticated and authorized
- Provided observability (monitoring) to security and operations
- Discussed network infrastructure automation for your existing network equipment like Cisco, F5, Palo Alto, and others
Consul with Elastic Container Service (ECS) provides you with a fully managed service mesh ecosystem. Empowering your AWS ECS tasks with Consul service mesh connectivity enables you to take advantage of features such as Zero Trust Security, intentions, observability, traffic policy, and more. You can build this on your own using our Learn Guide.
The figures below show the intentions configuration and the associated allow and deny functions between services “a” and “b”.
Service Intentions deny “service a” to “service b”
Service Intentions allow “service a” to “service b”
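The two intention states in the figures above, expressed as the Terraform resource that creates the Consul `service-intentions` config entry. This is an added example, not the lab's own Terraform; the service names `fingerprint-a` and `fingerprint-b` and the Consul address are assumptions.

```hcl
# Added example, not the lab's own Terraform. Service names and the
# Consul address are assumed; adjust them to your mesh.
terraform {
  required_providers {
    consul = { source = "hashicorp/consul" }
  }
}

provider "consul" {
  address = "127.0.0.1:8500"   # assumed: local Consul HTTP API
}

# Toggle between the two figures: false = deny (first), true = allow (second).
variable "allow_a_to_b" {
  type    = bool
  default = false
}

# Intentions are attached to the destination service ("fingerprint-b").
# Consul matches sources most-specific first, so the exact name
# "fingerprint-a" takes precedence over the "*" wildcard, which keeps
# every other source denied.
resource "consul_config_entry" "fingerprint_b_intentions" {
  kind = "service-intentions"
  name = "fingerprint-b"             # assumed name for fingerprint service "b"

  config_json = jsonencode({
    Sources = [
      {
        Name   = "fingerprint-a"     # assumed name for fingerprint service "a"
        Action = var.allow_a_to_b ? "allow" : "deny"
      },
      {
        Name   = "*"                 # default deny for anything not listed
        Action = "deny"
      }
    ]
  })
}
```

Running `terraform apply -var allow_a_to_b=true` flips service "a" from denied to allowed without touching a firewall rule, which is the programmable-intentions workflow the bullets above describe.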
General Challenges & Solutions
- Provide an Identity-based authentication and authorization system to the analysts with centralized secrets management
- Demonstrated using your existing identity providers like AWS IAM, Azure, Google Cloud, JWT/OIDC, Kubernetes, LDAP, Okta, and many others
- Demonstrated Vault encryption as a service with the Transit Secrets Engine
- Secured a Root CA for transport layer security (TLS) with Vault Authentication
- Secured the gossip encryption key for Consul machine-to-machine communication with Vault
- Stopped secret sprawl by issuing the fingerprint server's database administrator credentials through identity-based authentication and authorization
General Challenges & Solutions
- Provide identity-based authentication and authorization to analysts working remotely
- Demonstrated secure remote access leveraging HashiCorp Boundary to enable secure session management for internal and external human operators
- Demonstrated how Boundary's scalable controller/worker model allows for a highly available centralized control plane (the controllers) while supporting a distributed, route-optimized session/data plane via its workers
- In our demo, we showed how we can connect to any internal network resource without having to open holes in the firewall or use a VPN
HashiCorp Boundary secures access to applications and critical systems with fine-grained authorizations without managing credentials or exposing networks. Boundary allows you to eliminate the risk of using SSH keys, VPN credentials, and bastion hosts for remote access.
Thank you for reading and learning more about HashiCorp's zero trust solution. For use in a production environment please contact HashiCorp or find us on GitHub. I would like to thank Dan Fedick and Tim Silk for their contributions to this article.
Please take a moment to check out our zero trust white paper and YouTube video below.