Security Automation Takes Center Stage at HashiConf 2022

HashiConf Global 2022 wrapped up the first week of October in sunny Los Angeles, CA. We were there in person to catch all of the latest news from HashiCorp, and to celebrate the arrival of Mondoo on stage with the HashiCorp team. Here’s our recap from that event.

Here at Mondoo, we are not shy about our appreciation for HashiCorp and the suite of products that make up their cloud operating model. There isn’t a day that goes by when we are not automating the infrastructure that powers Mondoo Platform with Terraform, or working on a new integration with the HashiCorp suite like our recently certified Mondoo provisioner for Packer.

A number of us at Mondoo have been loyal users of HashiCorp products since HashiCorp was founded in 2012, and so it was exciting to travel to Los Angeles earlier this month for the return of HashiConf Global as an in-person event, the first since 2019.

Reflecting on ten years of HashiCorp

It is hard to believe that ten years have passed since HashiCorp was founded. Much has changed for the company launched by Mitchell Hashimoto and Armon Dadgar back in 2012. HashiCorp CEO, Dave McJannet, kicked off the keynote by taking a moment to reflect on all they have accomplished over the last 10 years.

Automation to power innovation

While HashiCorp have expanded their product portfolio from the early days of Vagrant, Packer, and Terraform, it is clear that they have always had a unified vision of building automation tools that help businesses deliver value to their customers faster.

The product portfolio has now expanded into security and networking with products like Vault, Consul, and Boundary, as well as application automation products like Nomad and Waypoint. As impressive as these newer products are, I couldn’t help but find myself in awe of the mass-adoption and proliferation of Terraform across the technology landscape.

Why businesses rely on Terraform

As they say, “the data don’t lie.” The data Mr. McJannet shared during his keynote showing that HashiCorp have seen over 250 million downloads over this last year alone tells a story of Hashi’s growing popularity. Yet downloads are just one side of the story; the other side is the incredible number of contributions back to HashiCorp in the form of partner integrations.

Anyone who spends time automating infrastructure with Terraform should be familiar with the Terraform registry. It is, of course, HashiCorp’s platform where Terraform providers, the plugins that allow users to manage an external API, are published, shared, and downloaded.

The most commonly used providers are still the major cloud providers maintained by HashiCorp for AWS, Azure, and Google Cloud. But it was interesting to see all of the providers for other technology platforms such as GitHub, MongoDB, Snowflake, and others. What this shows is the adoption of automation continues to expand into new territory, and is changing the definition of business-critical infrastructure.

Another interesting stat Mr. McJannet shared is that the Terraform provider for VMware vSphere has been downloaded 6 million times this past year alone. This indicates that platform engineering patterns used to automate public cloud are continuing to expand to on-prem, furthering the case for hybrid-cloud and multi-cloud environments.

Successful strategies for multi-cloud and hybrid cloud

HashiCorp has long believed that despite the growth of the public cloud, the world would be both hybrid and multi-cloud for the foreseeable future. When you look at it, this actually makes a ton of sense. Given that some of the most iconic companies in the world existed long before cloud, they have big investments in their own private data centers.

Additionally, the biggest businesses focus on mergers and acquisitions as a critical part of their growth strategy. With that expansion they accumulate technology platforms from the businesses they acquire, which naturally drives both hybrid and multi-cloud proliferation.

The businesses being acquired also must contend with using the internal technology platforms the acquiring business already owns. Mixing engineers accustomed to automating cloud with “legacy platforms” can lead to frustration, especially when those legacy platforms were not designed with automation in mind. But such a mix has also driven a lot of innovation over the last decade. I definitely remember trying to automate VMware vSphere in the past, and I have the gray hairs to prove it. But things have come a long way since then.

Throughout the event, HashiCorp made it clear they are designing their products to address the unique challenges of hybrid and multi-cloud, for which there are many. Near and dear to our mission at Mondoo, one of the biggest challenges is addressing security in multi-cloud and hybrid-cloud environments.

Security takes center stage at HashiConf Global

Securing hybrid and multi-cloud environments is no small task. As if understanding the shared responsibility model were not enough, businesses who operate hybrid and multi-cloud environments need to deal with both East/West and North/South traffic passing through different network domains, and be able to keep track of all of the applications, machines, and users that need access.

HashiCorp Co-Founder and CTO, Armon Dadgar, talked in his keynote about how the old paradigms of securing the perimeter fall short when addressing the challenges of hybrid and multi-cloud. We can no longer rely on setting up static rules for environments, especially when applications are increasingly ephemeral in nature. For HashiCorp, the solutions are doubling down on automation and moving towards what he described as “zero trust” for security.

What is zero trust and why does it matter?

Mr. Dadgar went on to describe zero trust as the concept in which we do not inherently trust users, applications, and machines. Instead we have to explicitly authenticate each for every transaction that takes place, wherever communication takes place. HashiCorp believe that in order to implement zero trust successfully, businesses must solve what they call the “four pillars” of zero trust identity, focusing on:

  • Applications
  • Networks
  • User access
  • User identity

The focus on zero trust has now coalesced around three main products:

  • HashiCorp Vault to address user and application identity
  • HashiCorp Consul for network identity
  • HashiCorp Boundary for user access

As part of this commitment to make zero trust more readily available to their customers, HashiCorp announced the release of HashiCorp Vault on Microsoft Azure.

Policy as code continues to gain momentum

I have previously written about our belief that security and compliance need to be integrated into the entire software delivery lifecycle, and the way to do that is by adopting policy as code. HashiCorp believe this to be true as well, and furthered their commitment to the adoption of policy as code with the release of new Sentinel policies available on the Terraform Registry, as well as the ability to integrate policy as code into Terraform Cloud using Terraform Run Tasks.

Using policy as code with Terraform Run Tasks is particularly exciting for our mission at Mondoo and we already have some great new developments coming for using Mondoo with Terraform Cloud. Stay tuned!

Security continues to be a focal point for HashiCorp products, which brings me to my highlight for the conference: Mondoo got a shoutout from the Packer team on stage during their product roadmap session!

Mondoo on stage at HashiConf Global

This article started by stating our appreciation for HashiCorp and their products, so it should come as no surprise that we were beaming after getting a shoutout from Sr. Product Manager for HashiCorp Packer, Jordan Glasner, as he delivered the product roadmap.

Mr. Glasner spoke about the importance of building secure machine images, regardless of where you are provisioning virtual machines. This isn’t just about infrastructure as a service, but also applies to teams who have adopted, or are in the process of adopting, Kubernetes.

Getting security right for Kubernetes environments comes with its own challenges, and it is critical that you address the full stack that makes up a Kubernetes environment. One of the critical layers of a Kubernetes stack is securing the Kubernetes nodes and their underlying operating systems. Kubernetes nodes need to be patched and hardened continuously, and Packer and Mondoo are teaming up to make that fast and easy for businesses!

So much to celebrate, so much more to come

All in all it was a jam-packed few days at HashiConf, but I was inspired by the continued growth of automation across the technology landscape.

Getting a shoutout from the Packer team might seem like a blip on the radar amongst all the news from HashiConf, but for me it marked what I believe is just the first of many such mentions for Mondoo. We are so excited to continue our partnership with HashiCorp, and look forward to many more announcements and many more HashiConfs in the future.

Stay tuned!

Scott Ford

Scott Ford is a DevOps practitioner. In his current role as Principal Architect at Mondoo, he is focused on helping businesses automate security without adding friction to innovation. Prior to joining Mondoo, Scott held positions as Principal Architect of Lacework, and Distinguished Architect at Chef Software helping companies around the world transform the way they build their products through collaboration and automation.
