This page introduces the Boundary vision and how we plan to build toward it in the coming year.
Today, digital organizations are experiencing a paradigm shift away from traditional, perimeter-focused access models. Organizations need security controls that can adapt to their ever-changing landscape of virtual and physical application infrastructure. Traditional access controls (private networks, firewalls, and static credentials) assume a world where the credentials and IP addresses of resources don't change frequently, which makes them tedious to manage at scale in dynamic environments.
Boundary’s vision is to enable an ephemeral access model that follows the principle of least privilege. To this end:
- Administrators can define granular, identity-based policies that manage and monitor how their infrastructure is accessed.
- Target hosts and services are discovered dynamically so that access policies are enforced even as infrastructure is provisioned just-in-time.
- Access is granted just-in-time at multiple levels: from ephemeral credentials minted by Vault or your preferred secrets management solution to just-in-time role elevations in Boundary that govern what access a user is given.
- Policies can be configured and automated as code.
For Boundary's upcoming releases, we have a few key product themes that will guide what we'll be delivering:
Automated Target Discovery: To manage dynamic infrastructure, users will need a way to discover and add newly provisioned hosts to targets while enforcing existing access policies on new instances. Administrators already have the ability to define dynamic host catalogs to discover new hosts based on predefined rules or tags for AWS and Azure. Upcoming releases will provide native integrations for Consul and Kubernetes. As Boundary is built to be plugin-friendly, administrators will also be able to write their own custom plugins for additional dynamic host catalogs.
Credential Management: Boundary's SSH credential brokering integration with Vault enables users to access targets with just-in-time, ephemeral secrets. On the roadmap is support for SSH signed certificates, a more secure method of SSH authentication than static keys. With this feature, Vault acts as the Certificate Authority and issues the signed certificates, which Boundary brokers to the user and to the target.
Observability: Observability is the ability to infer the internal health of a system from the outputs it produces. Boundary will provide a secure method by which Boundary operators and administrators can consume critical health metrics and export Boundary's observability data as Prometheus metrics.
This roadmap is built on the needs we see in feedback from our customers. If you have a need that this roadmap does not address, let us know! You can provide feedback on Boundary's repo.