
Hashicorp Boundary vs Teleport

Posted 22nd Mar 2023 by Michael Ferranti

What is Hashicorp Boundary?

HashiCorp Boundary is a remote access solution that brokers secure access to infrastructure and applications across cloud and on-premises environments. It lets organizations manage user access to critical resources while maintaining compliance with their security policies.

Boundary integrates deeply with HashiCorp Vault: it uses Vault's secrets management to generate temporary credentials for specific targets, which it then brokers to the user or injects into the session. Boundary can provide access to infrastructure resources such as servers, databases, and Kubernetes clusters.

What is Teleport?

Teleport is an open-source infrastructure access platform for engineers and machines. By replacing insecure, long-lived secrets such as passwords, keys and tokens with short-lived certificates tied to a verified identity (backed by biometrics and hardware-backed keys), Teleport delivers phishing-resistant zero-trust access for every engineer and service connected to your infrastructure.

The open-source Teleport Access Platform consolidates connectivity, authentication, authorization, and audit trail into a single source of truth for access policy across your entire infrastructure while delivering a frictionless developer experience. Teleport replaces VPNs, shared credentials, secrets vaults and legacy privileged access management (PAM) solutions, improving security and engineering productivity.

When comparing Teleport to Boundary, several Teleport features are worth highlighting:

1. Teleport is secretless

Stolen or leaked secrets such as passwords and keys are a leading cause of breaches. Boundary relies on a secrets store, typically HashiCorp Vault, to hold the credentials it brokers. Keeping secrets in a secrets manager is better than not using one, but the secret still exists and can still be stolen, leaked or replayed. Teleport replaces secrets like passwords and keys with short-lived certificates issued against a human or machine identity for all infrastructure resources, not just SSH. Fundamentally, we believe that using a static secret to access something as critical as infrastructure is a design flaw.

2. Teleport is a full Zero Trust solution

Teleport combines an identity-aware access proxy with sophisticated authorization, audit and device attestation to provide a complete Zero Trust solution. Read about how Teleport fully implements a BeyondCorp and Federal Zero Trust Architecture Strategy and how we ensure that only trusted devices are used to access infrastructure.

3. Teleport provides advanced security & compliance capabilities

Teleport is used by organizations with sophisticated access control requirements needed to achieve FedRAMP, SOC2, ISO 27001 and other compliance standards. Below is a partial list of these capabilities.

  • Session recordings: Teleport can record interactive sessions, which can be replayed later in a YouTube-like web interface with pause, rewind and similar controls.
  • Strict session recording: Administrators can optionally terminate SSH sessions if the recording fails, for example because the disk is full, so that no session continues unrecorded.
  • Session locking: Administrators can disable a compromised user or node, or block access during cluster maintenance, by placing a lock on a session, user or host identity through Teleport's API.
  • Session moderation: Requires one or more other users to be present in a session. Depending on the policy, these users can observe the session in real time, participate in it, or terminate it at will.
  • Kernel-level logging: Using eBPF, Teleport enhanced session recording captures not only what appears in the terminal, which can be obfuscated, but the commands executed, network connections and disk activity observed at the kernel level.
  • Dual authorization: Requires approval from multiple team members before certain critical actions, such as assuming a privileged role, can proceed.
  • Device verification: Teleport Device Trust ensures that only registered, trusted devices can be used to access infrastructure resources.
  • Per-session MFA: Teleport can require an additional multi-factor check each time a new session starts, protecting users even if their on-disk Teleport certificates are stolen. This is one of several per-role options in Teleport's role-based access control system, alongside Device Trust and IP pinning.
  • Identity provider: Teleport can act as a SAML SSO identity provider, so teams can use it to sign in to other applications and, in some deployments, replace existing identity management tools.
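Most of the controls listed above are switched on per role rather than cluster-wide. The role below is an added example written for this page, not configuration taken from the original post or from the Teleport project; the role name, login, node label, the "moderator" role it references and the "prod-admin" role it lets users request are assumptions, and the field names are the documented Teleport role options for Teleport 12 or later.

```yaml
# Added example: one Teleport role that ties together the session controls above.
# Names (prod-ssh, ubuntu, env=prod, "moderator", prod-admin) are assumptions.
kind: role
version: v6
metadata:
  name: prod-ssh
spec:
  options:
    max_session_ttl: 8h            # certificates issued for this role expire after 8 hours
    require_session_mfa: true      # per-session MFA: a fresh second factor on every new session
    device_trust_mode: required    # Device Trust: only enrolled devices may use this role
    pin_source_ip: true            # IP pinning: the certificate is only usable from the IP it was issued to
    enhanced_recording:            # kernel-level (eBPF) logging alongside the terminal recording
      - command
      - network
      - disk
  allow:
    logins: ['ubuntu']
    node_labels:
      env: prod
    # Session moderation: a user holding the "moderator" role must join before the
    # session starts and can terminate it at any time.
    require_session_join:
      - name: Production moderator
        filter: 'contains(user.spec.roles, "moderator")'
        kinds: ['ssh']
        modes: ['moderator']
        count: 1
    # Dual authorization: escalating to prod-admin needs two approvals; one denial blocks it.
    request:
      roles: ['prod-admin']
      thresholds:
        - approve: 2
          deny: 1
```

Apply it with `tctl create -f prod-ssh.yaml`. A few caveats a practitioner should check: `enhanced_recording` only produces events on nodes whose `ssh_service` has enhanced recording enabled, `require_session_mfa` needs every user to have an MFA device enrolled or they will be locked out, and strict session recording is a cluster-level setting (the `node-sync` and `proxy-sync` recording modes), not a role option. Session locking is likewise done outside the role, for example `tctl lock --user=alice --message="laptop reported stolen" --ttl=24h`, which immediately invalidates that user's existing certificates and sessions.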

4. Teleport supports a wider range of clients and protocols, with passwordless authentication, auto-discovery and IAM integration.

  • Full support for cloud databases via IAM: Teleport supports a wide range of cloud databases with AWS, GCP and Azure IAM integration and auto-discovery.
  • Passwordless Windows desktop access with session recording.
  • Machine ID integration to issue short-lived credentials to services running in GitHub Actions, GitLab and other CI systems.
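The CI integration works by having the cluster trust the OIDC token that the CI platform issues to a workflow run, so the bot never holds a long-lived join secret that could leak from a repository or runner. The join token below is an added example written for this page, not configuration from the original post or from the Teleport project; the bot name, token name and repository are assumptions.

```yaml
# Added example: a Teleport join token that lets GitHub Actions runs for one repository
# join as the Machine ID bot "ci-bot" using GitHub's OIDC token (no static secret involved).
# Names (ci-bot, github-ci-main, example-org/example-repo) are assumptions.
kind: token
version: v2
metadata:
  name: github-ci-main
spec:
  roles: [Bot]
  join_method: github
  bot_name: ci-bot
  github:
    allow:
      # Only workflow runs from this repository on its main branch may use this token.
      # Tighten further with repository_owner, workflow, environment or actor as needed.
      - repository: example-org/example-repo
        ref: refs/heads/main
        ref_type: branch
```

Create the bot first with `tctl bots add ci-bot --roles=<role>` (the role decides which nodes, databases or Kubernetes clusters the pipeline may reach), then load the token with `tctl create -f`. On the GitHub side the workflow needs `permissions: id-token: write` so that the run can request its OIDC token, after which the `teleport-actions/setup` and `teleport-actions/auth` actions fetch short-lived Teleport credentials with `token: github-ci-main`. The `allow` rules are the security boundary: a token that only names `repository_owner` would let any repository in the organization, including a fork or a pull request from a contributor, obtain the bot's credentials.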

Teleport vs Boundary

To conclude, both Teleport and Boundary can be used to access your infrastructure. One of the best ways to evaluate them is the 14-day trial that both Teleport and Boundary offer with their SaaS editions.

If you want a longer-term trial and prefer to host it yourself, Teleport Community Edition is an open-source version that can secure everything from your business to your home lab.