How to Implement a Zero-Trust Lab with HashiCorp in an Hour

Trust nothing. Authenticate and authorize everything.

Image Source: Greg Thomas

The Advanced Technology Academic Research Center (ATARC) is a non-profit organization that provides a collaborative forum for the federal government, academia, and industry to identify, discuss, and resolve emerging technology challenges like the implementation of zero trust architectures.

Recently HashiCorp presented and demoed a zero trust architecture on ATARC’s YouTube channel (the recording is linked at the end of this article).

This article outlines the solutions HashiCorp presented at ATARC, along with resources and general architectural concepts. It is not a detailed how-to guide; for the hands-on steps, follow along in the video.

Image Source: Dan Fedick
Image Source: HashiCorp Terraform

General Challenges & Solutions

  • Demonstrated what you can do when one Cloud Service Provider (CSP) suffers an outage
  • Demonstrated how Terraform can provision multi-cloud workloads across CSPs
  • Demonstrated how Terraform can run on-premises or air-gapped, without an internet connection
  • All HashiCorp Enterprise products ship with Sentinel, a policy-as-code governance framework. Terraform can also integrate existing application security tooling such as Snyk, Bridgecrew, and others into the Terraform workflow.
  • Federal agencies often use such security solutions to help achieve their Authority to Operate (ATO)

We provisioned the entire demo with Terraform, which gave us versioning through codification, and built it from Terraform modules.
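As an added example (not the demo's own Terraform), here is a root module that provisions the lab network in AWS and Azure from one workflow. A single variable lists the clouds that should currently host the lab, so an operator can drain a CSP that is suffering an outage by removing it and re-applying. Provider versions, regions, CIDRs and resource names are assumptions for illustration.

```hcl
# Added example, not the ATARC demo's own modules.
# Provider versions, regions and CIDRs below are assumptions.

terraform {
  required_version = ">= 1.3.0"

  # Pin providers so a plan is reproducible and a new provider release cannot
  # silently change what gets provisioned.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

variable "active_clouds" {
  description = "Clouds that should currently host the lab. Remove one to drain it."
  type        = set(string)
  default     = ["aws", "azure"]
}

provider "aws" {
  region = "us-east-1" # assumption: any region works for the lab
}

provider "azurerm" {
  features {}
}

# AWS side of the lab network. count = 0 removes it on the next apply.
resource "aws_vpc" "lab" {
  count      = contains(var.active_clouds, "aws") ? 1 : 0
  cidr_block = "10.10.0.0/16"
  tags       = { Name = "atarc-zt-lab" }
}

# Azure side of the lab network.
resource "azurerm_resource_group" "lab" {
  count    = contains(var.active_clouds, "azure") ? 1 : 0
  name     = "atarc-zt-lab"
  location = "eastus"
}

resource "azurerm_virtual_network" "lab" {
  count               = contains(var.active_clouds, "azure") ? 1 : 0
  name                = "atarc-zt-lab"
  location            = azurerm_resource_group.lab[0].location
  resource_group_name = azurerm_resource_group.lab[0].name
  address_space       = ["10.20.0.0/16"]
}

# null for a cloud that is currently drained.
output "lab_networks" {
  value = {
    aws   = try(aws_vpc.lab[0].id, null)
    azure = try(azurerm_virtual_network.lab[0].id, null)
  }
}
```

With both providers configured, `terraform apply -var='active_clouds=["azure"]'` tears down the AWS side while leaving Azure untouched, and the reverse command brings it back; the state file records which side is live, so the failover is itself versioned.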

ATARC Lab on Amazon Web Services (AWS)

Image Source: Dan Fedick
Image Source: HashiCorp Consul

General Challenges & Solutions

  • An analyst needs to access fingerprint data from an agency across a multi-cloud or on-premises environment
  • Granted the analyst permission based on an application-aware/source session
  • Revoked the analyst's permission based on an application-aware/source session
  • Provided operators the ability to monitor and revoke any service in the graphical user interface (GUI) or programmatically
  • Empowered developers to program/automate authorized intentions instead of manually submitting a ticket for a firewall exception
  • Only operator “a” can see fingerprint service “a”, and operator “b” can only see fingerprint service “b”, once authenticated and authorized
  • Provided observability (monitoring) to security and operations
  • Discussed network infrastructure automation for existing network equipment like Cisco, F5, Palo Alto, and others

Consul with Elastic Container Service (ECS) provides a fully managed service mesh ecosystem. Connecting your AWS ECS tasks to the Consul service mesh lets you take advantage of features such as zero trust security, intentions, observability, traffic policy, and more. You can build this yourself using our Learn guide.

Image Source: HashiCorp

The figures below show the intentions configuration and the associated allow and deny rules between services “a” and “b”.

Image Source: Greg Thomas
Image Source: Greg Thomas

Service Intentions deny “service a” to “service b”

Image Source: Greg Thomas

Service Intentions allow “service a” to “service b”
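To show what “programming authorized intentions” from the list above looks like as code, here is an added example (not the demo's own configuration) that manages the intentions in the figures with the Terraform Consul provider: each fingerprint service allows exactly one operator service and denies every other source, so the change lives in version control instead of a firewall ticket. Service names, the Consul address and the token variable are assumptions.

```hcl
# Added example, not the ATARC demo's own code.
# Service names, address and token handling are assumptions.

terraform {
  required_providers {
    consul = {
      source  = "hashicorp/consul"
      version = "~> 2.18"
    }
  }
}

variable "consul_token" {
  description = "ACL token permitted to write service-intentions config entries"
  type        = string
  sensitive   = true
}

provider "consul" {
  address = "consul.lab.internal:8500" # assumption
  token   = var.consul_token
}

# Intentions attach to the destination service. Sources are evaluated top to
# bottom; the trailing wildcard denies every source not named above it, so a
# newly deployed service gets no access until someone adds it here and the
# change is reviewed.
locals {
  intentions = {
    "fingerprint-a" = ["operator-a"]
    "fingerprint-b" = ["operator-b"]
  }
}

resource "consul_config_entry" "fingerprint_intentions" {
  for_each = local.intentions

  kind = "service-intentions"
  name = each.key

  config_json = jsonencode({
    Sources = concat(
      [for src in each.value : { Name = src, Action = "allow" }],
      [{ Name = "*", Action = "deny" }]
    )
  })
}
```

Two practitioner notes: with `acl { default_policy = "deny" }` on the Consul agents the mesh is already default-deny, so the wildcard entry makes that posture explicit rather than relying on it; and because a `for_each` map drives the entries, adding a service to one operator's list is a one-line diff that a reviewer can reason about, while removing it revokes the permission on the next apply.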

Image Source: HashiCorp Vault

General Challenges & Solutions

  • Provided an identity-based authentication and authorization system to the analysts, with centralized secrets management
  • Demonstrated using existing identity providers like AWS IAM, Azure, Google Cloud, JWT/OIDC, Kubernetes, LDAP, Okta, and many others
  • Demonstrated Vault encryption as a service with the Transit Secrets Engine
  • Secured the root CA for transport layer security (TLS) in Vault
  • Secured the gossip encryption key for Consul machine-to-machine communication in Vault
  • Stopped secret sprawl for the fingerprint server's database administrator credentials with Vault's identity-based authentication and authorization
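As an added example (not the demo's own configuration), the following Terraform, using the Vault provider, sets up three of the pieces listed above as code: a Transit key for encryption as a service, a root CA kept inside Vault's PKI engine, and a database secrets engine that issues short-lived, per-session credentials for the fingerprint database, bound to a policy for the analyst identity. Hostnames, database names, TTLs and the Vault-owned database account are assumptions.

```hcl
# Added example, not the ATARC demo's own code.
# Hostnames, database names, TTLs and account names are assumptions.

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.0"
    }
  }
}

provider "vault" {
  address = "https://vault.lab.internal:8200" # assumption; VAULT_TOKEN comes from the environment
}

variable "db_root_password" {
  description = "Password of the Vault-owned database account that can CREATE ROLE"
  type        = string
  sensitive   = true
}

# Encryption as a service: applications call transit/encrypt and never hold the key.
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

resource "vault_transit_secret_backend_key" "fingerprint" {
  backend          = vault_mount.transit.path
  name             = "fingerprint-records"
  type             = "aes256-gcm96"
  deletion_allowed = false
}

# Root CA generated and kept inside Vault; Consul's Connect CA can be pointed at
# this mount so no CA private key lives on a Consul server.
resource "vault_mount" "pki_root" {
  path                  = "pki-root"
  type                  = "pki"
  max_lease_ttl_seconds = 315360000 # 10 years
}

resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki_root.path
  type        = "internal" # private key never leaves Vault
  common_name = "ATARC Lab Root CA"
  ttl         = "87600h"
}

# Dynamic database credentials: each analyst session gets its own user that
# Vault creates on demand and drops when the lease ends. No shared DBA password.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "fingerprint" {
  backend       = vault_mount.db.path
  name          = "fingerprint-db"
  allowed_roles = ["analyst"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@fingerprint-db.lab.internal:5432/fingerprints?sslmode=verify-full"
    username       = "vault" # assumption: Vault-owned account with CREATE ROLE
    password       = var.db_root_password
  }
}

resource "vault_database_secret_backend_role" "analyst" {
  backend = vault_mount.db.path
  name    = "analyst"
  db_name = vault_database_secret_backend_connection.fingerprint.name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  default_ttl = 3600  # one hour, renewable
  max_ttl     = 28800 # hard stop at eight hours
}

# What an authenticated analyst may do: fetch a database credential and use the
# transit key, nothing else. Bind this policy to the analysts' OIDC/LDAP role.
resource "vault_policy" "analyst" {
  name = "analyst"

  policy = <<-EOT
    path "database/creds/analyst" {
      capabilities = ["read"]
    }
    path "transit/encrypt/fingerprint-records" {
      capabilities = ["update"]
    }
    path "transit/decrypt/fingerprint-records" {
      capabilities = ["update"]
    }
  EOT
}
```

The check worth running after apply is `vault read database/creds/analyst` with an analyst token: it should return a fresh username and password with a lease ID, and `vault lease revoke` on that ID should make the database login fail immediately. That revocation path is what replaces the rotate-the-shared-password ritual the bullet above calls secret sprawl.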

Image Source: Dan Fedick
Image Source: HashiCorp Boundary

General Challenges & Solutions

  • Provided identity-based authentication and authorization to remote users (analysts)
  • Demonstrated secure remote access with HashiCorp Boundary, which provides secure session management for internal and external human operators
  • Demonstrated Boundary’s scalable controller/worker model, which allows a highly available, centralized control plane (the controllers) while supporting a distributed, route-optimized session/data plane (the workers)
  • In our demo, we showed how to connect to internal network resources without punching holes in the firewall or using a VPN

Image Source: Dan Fedick

HashiCorp Boundary secures access to applications and critical systems with fine-grained authorizations, without managing credentials or exposing networks. Boundary removes the need to distribute SSH keys and VPN credentials or to maintain bastion hosts for remote access.
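To make the controller/worker split concrete, here is an added example (not the demo's own configuration) of the two Boundary server configuration files. The controller exposes the API and authorizes sessions; the worker sits next to the targets, dials out to the controller, and proxies the authorized session, so nothing inbound from the user network to the target network is required. Both wrap their key material with Vault's Transit engine rather than keeping an unwrapped key on disk. Hostnames, ports, key names, certificate paths and the use of `VAULT_TOKEN` from the environment are assumptions.

```hcl
# Added example, not the ATARC demo's own code. Two files shown in one block.
# Hostnames, ports, key names and certificate paths are assumptions.

# ---------------- controller.hcl ----------------
controller {
  name        = "controller-1"
  description = "ATARC lab control plane"

  database {
    url = "env://BOUNDARY_PG_URL" # assumption: connection string injected at start
  }
}

# Humans and API clients talk to this listener, over TLS.
listener "tcp" {
  address       = "0.0.0.0:9200"
  purpose       = "api"
  tls_disable   = false
  tls_cert_file = "/etc/boundary/tls/api.crt"
  tls_key_file  = "/etc/boundary/tls/api.key"
}

# Workers register and fetch session authorizations here; never exposed to users.
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

# Root and worker-auth keys are wrapped by Vault Transit, so the controller host
# never stores an unwrapped key. The Vault token is read from VAULT_TOKEN.
kms "transit" {
  purpose    = "root"
  address    = "https://vault.lab.internal:8200"
  key_name   = "boundary-root"
  mount_path = "transit/"
}

kms "transit" {
  purpose    = "worker-auth"
  address    = "https://vault.lab.internal:8200"
  key_name   = "boundary-worker-auth"
  mount_path = "transit/"
}

# ---------------- worker.hcl ----------------
worker {
  name        = "worker-aws-1"
  public_addr = "worker-aws-1.lab.internal"

  # The worker dials out to its upstream controllers; no inbound rule from the
  # user network into the target network is needed.
  initial_upstreams = ["controller-1.lab.internal:9201"]
}

# Session traffic from users lands here after the controller has authorized it.
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

# Must use the same worker-auth key as the controller so the worker can enroll.
kms "transit" {
  purpose    = "worker-auth"
  address    = "https://vault.lab.internal:8200"
  key_name   = "boundary-worker-auth"
  mount_path = "transit/"
}
```

The security-relevant detail is the direction of the connections: users reach only port 9200 on the controller and port 9202 on a worker, workers initiate the 9201 cluster connection themselves, and the targets accept connections only from the worker's address. That is what lets the demo claim access without firewall exceptions or a VPN.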

Thank you for reading and learning more about HashiCorp’s zero trust solution. For use in a production environment, please contact HashiCorp or find us on GitHub. I would like to thank Dan Fedick and Tim Silk for their contributions to this article.

Please take a moment to check out our zero trust white paper and the YouTube video below.

Multi-cloud security in a “Zero Trust” world — YouTube
