The PivotNine Blog

HashiCorp Takes Security Up A Level With Consul Connect

26 June 2018
Justin Warren

Cloud infrastructure automation company HashiCorp has released a new security-focused feature as part of its Consul product, called Consul Connect.

The new feature is aimed at solving the problem of security at scale in a world increasingly dominated by microservices connecting to each other across and between clouds.

The issue centers on the traditional network-based approach to security: machines with IP addresses connecting to each other, making the IP address the locus of control over security. HashiCorp wants to move this unit of management to the logical service instead. With traditional, long-lived application services, the IP address and port of a service would remain the same for long periods of time, but with modern container-based approaches, services are constantly being rebuilt and redeployed. There are no guarantees that the IP address of a service now will be the same in an hour, let alone weeks or months.

“We shouldn't be saying IP one can talk to IP two,” says Armon Dadgar, Co-Founder and CTO of HashiCorp. “We should be saying the webserver is allowed to talk to the database.”

“When people try to solve this network segmentation problem at the network, they're getting into these insanely complicated network topologies that are completely unmanageable,” says Dadgar. As more organizations move to microservices, the scale of the problem is only going to increase.

The big difference with the Consul Connect approach is its use of service proxies as the standard for inter-service communication. The method is a core part of the service mesh approach common to container-based environments. Every service in the mesh connects to every other service via a proxy, which handles the networking function on behalf of the application. This modular component approach provides a lot of flexibility in the fast-moving cloud-native world.

HashiCorp has chosen to use the Secure Production Identity Framework for Everyone (SPIFFE) for service identity, which enables Consul Connect services to inter-operate with other SPIFFE-compliant systems. “There's a bunch of interesting functionality in products like NGINX or Envoy or HAProxy that people want to leverage,” says Dadgar, “so our view is to let those pieces be used wherever you want in the data plane and let Consul provide a consistent control plane to define and enforce policy.”

This modular approach can also make heritage non-cloud-native systems look cloud-native to other services in the service mesh. A service proxy becomes a kind of cloud-native mask worn by heritage services that makes them look like any other cloud-native service. Working with higher-level abstractions provides a lot of flexibility about what happens under the covers. So long as the interface remains the same, you could swap out VMware for Azure, or swap a monolith for Kubernetes pods, and Consul Connect will continue to manage security in the same way.

“The people who feel this pain acutely are those who are in a mixed-mode environment,” says Dadgar. “They have some mix of legacy VM-based workloads, or even bare metal, plus they're trying to embrace more agile development practices.” Large organizations know that they will spend many years in this mixed mode as they gradually replace older systems with new ones; change on this scale doesn't happen quickly.

“There's this intense friction where firewall teams are saying ‘File a ticket and I'll get to it in six months’ and other teams are saying ‘Well my container's only going to live for 30 minutes,’” he says.

“So, we have a bit of a problem,” he adds, wryly.

HashiCorp believes it has found a solution, and with some five million deployments of Consul out there in the world already, it should shortly find out how good its solution really is.

This article first appeared on Forbes.com.