This page compares HashiCorp Boundary to Pomerium. Boundary is “an identity-aware proxy aimed at simplifying and securing least-privileged access to cloud infrastructure. It provides secure access to hosts and critical systems without distributing and managing credentials, configuring firewalls, or exposing the organization's private network.”
Boundary’s advantage:
Session recording for HCP Plus and Enterprise Plus
Natural integration with HashiCorp Vault for credential management and credential injection
More options for host discovery with dynamic resource catalogs through integrating with Terraform
Pomerium’s advantage:
Stronger zero trust security with continuous verification
Layer 7 HTTP-based proxy for context-aware access
Clientless access for usability
We can only recommend HashiCorp Boundary to organizations that are already fully invested in the HashiCorp ecosystem and do not care for a full zero trust architecture.
Boundary’s native integrations with HashiCorp Vault and Terraform are useful for resource discovery and credential management, but Boundary is lacking when it comes to critical security features like continuous verification and context-aware access.
For security conscious organizations looking to reduce their attack vectors, we still recommend Pomerium. Our reverse proxy enables zero trust access control where trust flows from identity, context, and device, continuously checked on each action and request.
Single-sign on (SSO) — Boundary integrates with identity providers and Vault for credential management to dynamically inject credentials into access flows, enabling dynamic access without needing to log in multiple times.
VPN replacement — Boundary can be used to extend or replace VPNs as an access solution. When fully self-hosted, it removes the need for a third-party server or provider to be involved.
Automated host discovery — Boundary supports target and host discovery with three primary workflows: manual configuration, discovery via configuration as code with Terraform, and runtime host discovery via dynamic host catalogs.
First-class HashiCorp product — Boundary has first-class integration with HashiCorp products, making it attractive for organizations that are already fully invested in the HashiCorp ecosystem.
Multi-cloud access — like Pomerium, Boundary enables standardizing simple access workflows for organizations with various infrastructure and identity providers by creating a centralized layer of identity-based authentication and authorization, regardless of the environment.
Camcorder on session recording — while both Boundary and Pomerium are capable of session monitoring, Boundary can do session recording for a target. Admins can view recordings using a session player. (This often sounds better in theory than it is in practice — see “Evaluators should know” section below).
No continuous verification — Once a user session is established, Boundary can no longer enforce authentication and authorization on that connection to mitigate the damage done by stolen credentials or malicious insiders.
No context-aware access — Boundary correctly identifies context-based access as important, but limits it to IDP-level context. This is a far weaker form of Pomerium’s context-aware access which integrates any form of external data source as context.
Client-based access — Boundary requires a client installed on user devices to work.
Layer 4 proxy — Boundary works on the TCP layer, making it a weaker option for securing Layer 7 HTTP-based applications and services like Kubernetes.
High cost of ownership — Due to being designed for resiliency, Boundary’s system of Controllers and Workers is difficult to scale effectively. The management and upkeep cost increases exponentially the larger your infrastructure.
We base our comparison on a strict four-pillar criteria when evaluating access control solutions:
Usability: Boundary provides some value here when it comes to resource discovery and providing users a dynamic resource catalog. Unfortunately, Boundary also uses client-based access for users to login and establish user sessions, which does not score well on our usability criterion.
Speed: Boundary can be deployed at edge in VMs and containers close to the target resource. When architected correctly, Boundary should be comparable to Pomerium in speed and latency. This may not be true when using Boundary’s multi-hopping feature.
Security: Boundary brings identity-aware access and integrated credential management via Vault, but only does authorization and authentication checks on session start. It does not have continuous verification. As a result, Boundary is unable to mitigate the problems of compromised credentials or malicious insiders.
Context-Aware: Boundary can only accomplish IDP-level context. It cannot leverage external data sources into its access control decision-making process the same way Pomerium does.
Additionally, here are some additional considerations specific to Boundary that any decisionmaker would want to know.
Boundary adds to maintenance and upkeep costs
Your DevOps and SRE teams will be wrangling with Boundary’s three main components:
Control plane - (Authentication happens here) - This is where Boundary’s resources and permissions are, and are made up of Controllers. Users use their client to authenticate to controllers, which in turn communicate with external components such as the database, KMS, Vault, identity providers, and plugins.
Data plane - (Connection brokering happens here) - This is the network proxy, made up of Workers. Instead of exposing a private network to the public, or allowing users to have access to entire private networks, workers create a direct network tunnel between users and targets.
Client - (Logging in happens here) - These are the clients expected for any client-based access, installed on the user's device.
Example reference architecture pulled from Boundary:
And here’s a standard access flow with Boundary:
User logs in to Client.
Client passes on credentials to Controller. Controller authenticates with IdP, checks authorization and permissions of the user.
After Controller verifies User, User selects from a host catalog for the resource they want to access.
Controller pings a Worker in charge of the Resource. Worker receives the session request, then opens up a tunnel from resource straight to User Client.
User has started a session with access to resource.
Zero trust grants access based on continuously verified identity, device, and context
As a tunneling solution, Boundary only checks on session-start with limited context-awareness
HashiCorp Boundary is very much a tunneling solution under the hood. They made specific architecture decisions to avoid the Perimeter Problem. Unfortunately, their design choices actively result in the aforementioned higher cost of ownership as well as reduced security because tunnels cannot enforce continuous verification.
We can understand how they arrived at this architecture. The traditional VPN setup involves creating network perimeters around sensitive corporate networks, then providing users a tunnel past the perimeter defenses. Once inside, the user has access to the network — and this caused lateral movement. No doubt HashiCorp saw this and asked themselves the same question Twingate was trying to solve: “What if we could only give users a tunnel straight to a target resource itself, thus reducing the possibility of lateral movement?” As a result, they designed their Controllers and Workers architecture to ensure that users only get access to the target resource and not the network itself.
While this largely solves the lateral movement issue, there’s a reason why it isn’t zero trust: tunnel solutions can’t enforce continuous verification on each action. Boundary’s architecture makes the organization susceptible to compromised credentials and malicious insiders.
This is because Boundary only enforces authentication and authorization checks before connecting a tunnel from resource to client and establishing a user session. Once a user session has begun, Boundary no longer inspects that user’s actions. This presupposes that:
the credentials supplied for logging in were used by the intended user, not stolen
the user has not been compromised or turned malicious, and their actions are fully sanctioned
Compromised credentials happen to be one of the most common vectors of attack and malicious or negligent insiders are prevalent. Boundary’s ability to provide a dynamic resource catalog is a double-edged sword; if a hacker gains access to an account with high privileges, the hacker is served with a catalog of all resources Boundary has access to instead of needing to do a search for these resources themselves. You’ve limited lateral movement on a technical basis, but made it significantly easier for a hacker to gain realistic access.
Recorded sessions are great in theory and terrible to sift through in practice.
We meant it literally when we said "camcorder on" for session recording. Boundary can record a session’s screen for internal auditing by admins, and here’s HashiCorp’s own demo of SSH session recording.
Now imagine scaling that for multiple servers over hundreds of users as administrators hunt down a problem.
Session recording is useful in limited situations — specifically, you should know:
Which session you should be looking at
When during the session the act(s) occurred
What you are looking for
Otherwise, auditing session recordings are an expensive time-sink of watching recordings in the hope of finding what you may or may not be looking for. It does not scale efficiently and is a poor of use admin time. Boundary attempts to address this with audit events, but is not on a per-request basis.
Pomerium’s audit logs fix this problem by logging the details of every request including why an action was approved or denied, resulting in faster time to identify or fix security protocols. Save your admins time watching session recordings by giving them searchable audit logs.
HashiCorp Boundary falls short compared to what we want in an access control solution.
Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without requiring a corporate VPN. The result is:
Easier with clientless access.
Faster by being tunnel-free and deployed where your apps and services are.
Safer because every single action is verified before allowed to execute.
Tailored to your organization’s needs by integrating all data for context-aware access.
Give Pomerium a try today!
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Company
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.