
Alternatives to HashiCorp Boundary

HashiCorp Boundary Competitors
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

HashiCorp Boundary is an open-source identity access management (IAM) tool that facilitates secure user access to dynamic hosts and critical infrastructure across environments. However, if you need a simple and secure way to manage access to databases, Kubernetes clusters, cloud CLIs, switches, routers, or internal web applications, there are other services to consider. In this blog post, we’ll take a look at a few HashiCorp Boundary alternatives and discuss the strengths and weaknesses of each. 

HashiCorp Boundary Overview

Brief product summary

HashiCorp released Boundary in 2020 as an answer to Vault users’ need for a session management (as opposed to credential management) solution. The project aims to simplify onboarding and create a dynamic workflow for system access, especially in high-automation environments, by granting authenticated and authorized users access to sensitive systems. It uses the principle of least privilege, allowing developers and operators just enough access to perform the required job. This limits access to larger networks, reducing the risk of compromise. Boundary also monitors and logs session metadata.

Use cases

  • Free, open-source, identity-based access security.
  • Role-based and logical service authorization.
  • Uses SSO to manage, onboard, and offboard users.
  • Integrate with existing tools and APIs.

Pluses

  • Dynamic resource catalogs.
  • Planned integration with Terraform, AWS/GCP/Azure, Kubernetes for live updating of catalogs based on tags in v0.2.
  • Dynamic credentials.
  • Integration with Vault and others for end-to-end dynamic credentials.
  • Authenticate with identity provider already in use.

Minuses

  • The Identity Provider integration is not a SCIM integration and lacks functionality.
  • Doesn't do auditing; can only monitor and log session metadata.
  • Tools are confusing.
  • Complex setup with lots of "moving parts". Users have trouble figuring out what to run together and how to integrate.
  • Requires a third tool, Consul, to manage services and machine-to-machine access.

1. StrongDM


Brief product summary

StrongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. Its zero trust model means that instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, StrongDM unifies user management in your existing SSO (Google, OneLogin, Duo, Okta, etc.) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because StrongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.

Use cases

Pluses

  • Easy deployment: self-healing mesh network of proxies.
  • No change to workflow: use any SQL client, CLI, or desktop BI tool.
  • Standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Graphical client for Windows and macOS.
  • See and replay all activity with session recordings.
  • Manage via a user-friendly web browser interface.
  • Simple, straightforward pricing.

Minuses

  • Requires continual access to StrongDM API for access to managed resources.

StrongDM’s G2 Reviews

  • 51 reviews (at the time of writing)
  • 4.8 / 5 stars

Read all of StrongDM’s G2 reviews here.


Pricing Information

StrongDM offers simple per-user pricing, starting at $70/license, including support for all resource types.

Users have the option to sign up for a free 14-day trial.


2. Teleport (Community Edition or Enterprise)

Brief product summary

Teleport provides privileged access management (PAM) for cloud-native infrastructure. Teleport is an access and authentication proxy for SSH and Kubernetes API access. It's meant as a replacement for sshd and it works with existing OpenSSH clients and servers as-is. It allows administrators to set up access for users and groups to groups of servers, called clusters, and implements role-based access control (RBAC) to allow different levels of access to different clusters. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.

The open-source Community Edition of Teleport is the same as the Enterprise edition, with the following exceptions:

  • No RBAC.
  • No SSO integration.
  • No paid support available.

Use cases

  • Role-based access controls.
  • Use existing identity management tools.
  • Record all session activity into auditable logs.

Pluses

  • Open-sourced and free.
  • Gives users secure access to resources.

Minuses

  • No contracted support available on the free product.
  • Teleport software must be running on every server to be managed by Teleport access.
  • Complex setup.
  • User credentials are assigned across a full cluster rather than server-by-server.
  • Backend configuration required to store audit logs (AWS S3 / DynamoDB, required by Teleport to store session logs).
  • Teleport agent audit logs are only accessible through the UI or backend storage.
  • Complex pricing model for Enterprise.

3. Bastion Host

Brief product summary

A bastion host is simply a Linux/UNIX server that mediates access to sensitive servers and databases by requiring the user to first log into the bastion host and then ‘jump’ to additional resources in the network controlled by the bastion. The bastion host normally performs only security functions and is updated and audited often to ensure network security.

Organizations need to set up an additional server that is both accessible from external sources and is able to connect to internal resources.

Use cases

  • Mediate access to protected resources on a restricted network segment.
  • Database clients and similar tools can work through a bastion host by using port forwarding over the SSH connection.
  • The host is kept current with the latest security updates and typically includes intrusion detection software.
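
The jump and port-forwarding workflow described above, as an added OpenSSH configuration example that is not part of the original post. All host names, the user name, the group name, and the port numbers are placeholders chosen for illustration.

```sshconfig
# ---- ~/.ssh/config on the user's workstation ----

# Settings shared by every connection that terminates on the bastion.
Host bastion db-tunnel
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Never expose the local agent to the bastion: a compromised bastion
    # could otherwise use the agent to authenticate as the user elsewhere.
    ForwardAgent no

# "Jump" to an internal server. The session is tunnelled through the
# bastion but authenticated and encrypted end to end with app01.
Host app01
    HostName app01.internal.example
    User alice
    ProxyJump bastion

# Database access: run `ssh -N db-tunnel`, then point the SQL client at
# 127.0.0.1:15432. Binding to loopback keeps the tunnel private to this
# workstation; fail fast if the forward cannot be set up.
Host db-tunnel
    LocalForward 127.0.0.1:15432 db.internal.example:5432
    ExitOnForwardFailure yes

# ---- /etc/ssh/sshd_config on the bastion ----

# Global section: VERBOSE records the key fingerprint used for each login.
# It does not capture what travels inside the forwarded connections.
LogLevel VERBOSE

# Forwarding-only accounts: no terminal, no agent or X11 forwarding, and
# only the listed internal destinations are reachable. ProxyJump also uses
# TCP forwarding, so the SSH port of each jump target must be listed.
Match Group bastion-users
    AllowTcpForwarding local
    PermitOpen app01.internal.example:22 db.internal.example:5432
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

The `PermitOpen` allow-list is what keeps a bastion account from reaching every address on the internal segment; review it whenever a protected resource is added or retired.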

Pluses

  • Very affordable option - the price of a dedicated computer.
  • Provides resource access to users through SSH.

Minuses

  • Because all access to protected resources requires first logging in via command line to the bastion host, the user must have an account on the bastion and a certain level of technical acumen, especially if employing port forwarding for database access.
  • The bastion host represents a single point of failure; if it is unavailable all resources behind it are inaccessible. Setting up multiple bastion hosts to mitigate against this possibility means another set of credentials to manage.
  • In the case of problems, support is limited to whatever support may be available for the underlying OS running on the bastion host.
  • Session logs and database/other protocol activity are not captured.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
