This page introduces the Boundary vision and how we plan to build toward it in the coming year.
Today, digital organizations are experiencing a paradigm shift away from traditional, perimeter-focused access models. Organizations need security controls that can adapt to their ever-changing landscape of virtual and physical application infrastructure. Traditional access controls (private networks, firewalls, and static credentials) assume a world where credentials and IP addresses for resources don't change frequently, which makes them tedious to manage at scale in dynamic environments.
Boundary’s vision is to enable an ephemeral access model that follows the principle of least privilege. To this end:
- Administrators can define granular, identity-based policies that manage and monitor how their infrastructure is accessed.
- Target hosts and services are discovered dynamically so that access policies are enforced even as infrastructure is provisioned just-in-time.
- Access is granted just-in-time at multiple levels, from ephemeral credentials minted by Vault or your preferred secrets management solution to just-in-time role elevations in Boundary that govern what access a user is given.
- Policies can be configured and automated as code.
For Boundary's upcoming releases, we have three key product themes we're focused on delivering:
Bring your own identity. We feel strongly that Boundary’s identity-based controls should use the same identity that users have for their other applications. To do so, we’ll progressively add support for new auth methods for Boundary. Our first step will be in delivering an OpenID Connect (OIDC) auth method.
Just-in-time access. A just-in-time access posture will be enforced at multiple levels within Boundary. Upcoming releases will offer integration with Vault or your preferred secrets management solution to generate ephemeral credentials for Boundary sessions.
Target discovery. To manage dynamic infrastructure, users will need a way to discover and add newly provisioned hosts to targets while enforcing existing access policies on the new instances. With Boundary 0.1, you can provision these targets and access policies dynamically with the Boundary Terraform provider. In the releases following launch, we'll give administrators the ability to define dynamic host catalogs that discover new hosts based on predefined rules or tags for Consul, each of the major cloud platforms, and Kubernetes.
This roadmap is built around the needs we see in feedback from our customers. If you have a need that this roadmap does not address, let us know! You can provide feedback on Boundary's repo.