Secure remote access without the ‘portal tax’: Boundary vs other vendors
Source: HashiCorp Blog
Most VPN and privileged access management (PAM) tools are a huge burden because they force users — especially engineers — to change how they work.
The remote‑access landscape is cluttered with proprietary clients and web‑based proxies.
If a developer wants to SSH into a production server or access a database, they usually have to:
- Stop their actual work.
- Launch a VPN.
- Log in to a web portal.
- Search for a “safe”/target account (many incumbent PAM players require this).
- Check out a password, copy it to the clipboard, and paste it into their client or use credential injection where supported by the vendor.
Security is maintained, but productivity is sacrificed. This friction — the context‑switching required to navigate security tools before doing actual work — is what we call the “portal tax.” It’s a hidden cost built into much of the current security‑tooling landscape, a distraction that drives users to work‑arounds that risk credential exposure.
HashiCorp’s Vision
The best security is invisible — developers and the workforce at large shouldn’t feel it while they use it.
We want to make the secure path extremely easy, automated, and in the background. That’s what we deliver with HashiCorp Boundary, our modern product for secure remote access (sometimes called an identity‑aware proxy solution).
Key Differentiator: Transparent Sessions
- Removes the requirement for users to remember specific resource IDs or ephemeral ports.
- When combined with RDP + SSH credential‑injection passwordless capabilities, transparent sessions eliminate the portal tax entirely.
In this post we’ll compare Boundary’s native‑tool workflow to the portal‑first approach most vendors still ship.
Boundary vs. Typical PAM Vendors – Technical Differences
| Aspect | Typical PAM (Portal‑Centric) | HashiCorp Boundary (Native‑Tool) |
|---|---|---|
| Workflow | Users must go to a portal to get access. | Transparent sessions run passively in the background. |
| User Interaction | Open portal → locate account → check out password → copy/paste. | No portal interaction after initial authentication. |
| Tooling | Proprietary client or web UI for each session. | Uses the native tools you already love (VS Code, PuTTY, Windows RDP, terminal, etc.). |
How Transparent Sessions Work
- Install the Boundary Client Agent – it acts as a local DNS resolver for specific domains.
- When you type, e.g., `ssh production-web.corp` in a terminal or open `db-prod.corp` in a browser, the client agent (running silently) does two things:
  - Intercepts the DNS request for that protected alias.
  - Automatically routes the traffic through Boundary proxies.
The proxies provide access into the network and route traffic to the target, establishing the connection instantly, without forcing you to pause your workflow or interact with a separate portal or tool.
No context switching. Once authenticated to Boundary, there is no repeated “log in to a portal” or launching a proprietary tool for every new session.
True Passwordless – The Vault Synergy
Connectivity is only half the equation. The other half is how we manage the “keys to the kingdom” — the credentials to authenticate to the target resources. This is where the synergy between Boundary and HashiCorp Vault provides a competitive edge that standalone access tools struggle to replicate.
Traditional Workflow (Password Checkout)
- User “checks out” a password.
- Copies it to the clipboard and pastes it into the client.
- Risks: credential exposure via clipboard history, phishing, reuse, etc.
Boundary + Vault Workflow (Passwordless)
- Transparent session intercepts the DNS request via the Boundary Client Agent.
- Boundary checks user authentication and policy.
- Boundary requests a dynamic or static secret from Vault.
- Vault returns the secret to Boundary.
- Boundary injects the credential directly into the protocol stream.
This is fundamentally different from a “password vault” where users view secrets. In Boundary, the user never sees the password.
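The alias interception and the five brokering steps above, as an added Python model (not Boundary or Vault code, and not from the original post). `FakeVault`, `ALIASES`, `GRANTS`, `connect` and the sample addresses are hypothetical; the model shows that policy is checked before any secret is issued and that the secret exists only on the proxy-to-target side.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: alias, target address and grants are hypothetical.
ALIASES = {"production-web.corp": "10.0.8.15:22"}
GRANTS = {"jane": {"production-web.corp"}}


class FakeVault:
    """Stand-in for a secrets engine that issues one dynamic secret per request."""

    def __init__(self):
        self.issued = []

    def issue(self, target):
        secret = secrets.token_urlsafe(32)  # high-entropy, unique per session
        self.issued.append((target, secret))
        return secret


@dataclass
class Session:
    user: str
    alias: str
    client_view: list = field(default_factory=list)    # what the user's tool can observe
    upstream_view: list = field(default_factory=list)  # what the proxy sends to the target


def connect(user, hostname, vault):
    """Walk the five steps; return a Session, or None when the name is not protected."""
    target = ALIASES.get(hostname)               # step 1: only protected aliases are intercepted
    if target is None:
        return None                              # any other name falls through to ordinary DNS
    if hostname not in GRANTS.get(user, set()):  # step 2: policy check before any secret exists
        raise PermissionError(f"{user} is not authorized for {hostname}")
    secret = vault.issue(target)                 # steps 3-4: broker asks, vault answers
    session = Session(user, hostname)
    session.upstream_view.append(("auth", target, secret))   # step 5: injected proxy-side
    session.client_view.append(("connected", hostname))      # client learns only that it is in
    return session


def secret_visible_to_client(session, vault):
    """True if any issued secret appears in what the client side can observe."""
    issued = {sec for _, sec in vault.issued}
    return any(item in issued for event in session.client_view for item in event)
```
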
Compliance Benefits
- High‑entropy secrets.
- Frequently rotated secrets.
- “Single‑click” login.
Why This Beats the “Portal” Approach
Many tools in the secure remote‑access / PAM space are built around a “vault‑first” mentality: you enter a web vault to “check out” access. It feels like visiting a bank teller every time you need to buy a coffee.
Boundary is like tapping your credit card — the security checks happen, but in the easiest possible way.
Example Scenario: Old Way vs. Boundary Way
The Old Way
| Time | Action |
|---|---|
| 09:00 a.m. | Jane gets a ticket to debug a Linux server. |
| 09:05 a.m. | She logs into the VPN. |
| 09:07 a.m. | She logs into a web portal and searches/navigates to target account details. |
| 09:10 a.m. | She selects the target and retrieves/copies the credentials. |
| 09:15 a.m. | She opens her terminal/SSH client, pastes the IP, pastes the password. |
Risk: Password ends up in clipboard history; time taken adds productivity overhead.
The Boundary Way
| Time | Action |
|---|---|
| 09:00 a.m. | Jane gets a ticket to debug a Linux server. |
| 09:01 a.m. | She types ssh alias.target in her SSH tool of choice. |
| — | Result: She is in. Boundary authenticated her session in the background and injected the credentials. Zero friction. Zero clipboard risk. Easier zero‑trust workflow. |
Bottom Line
Some other PAM providers do offer credential injection, but Boundary’s transparent sessions are the key to avoiding the portal tax entirely, delivering a seamless, passwordless, zero‑trust remote‑access experience.
The Future of Access Is Invisible
Enterprises no longer have to choose between security and speed. With Boundary, organizations can make the secure path the fastest and easiest route for developers, mitigating one of IT’s most common breach causes: credential theft from the endpoint. When users don’t have to fight their tools to get work done, organic adoption of the secure path becomes the norm—and it won’t feel imposed.
See Boundary in Action
- Watch the Transparent session “Getting Started” video
- Watch the Transparent sessions demo video
Get Started
- Create a free HCP account and deploy HCP Boundary for your environment.
- View Transparent sessions setup details in our documentation.
- Check out our many tutorials on Boundary.
- Download the latest version of the Boundary installer to try it out yourself.