Hacker News: andriosr's comments

hoopdev here. Zero trust for SSH is just table stakes these days. Real challenge is getting devs to actually adopt better practices without the tooling getting in their way.

Found in practice that certs > keys but you need to think beyond just SSH. Most teams have a mix of SSH, K8s, DBs etc. Using separate tools for each just creates more headache.

Haven't tried Boundary but Teleport/hoop/Tailscale all handle the mixed protocol issue decently. Main difference is hoop focuses more on protocol-level DLP and automated reviews vs pure network access. Horses for courses though, they're all valid approaches.

Key is picking something devs will actually use vs work around. Nothing worse than a "secure" solution that drives people to create workarounds.


Fair point about StrongDM and Teleport pricing. Actually, even their enterprise features are free in Hoop. We took a different approach - core PAM stuff is all free and open source.

We monetize on a new layer - packet manipulation, like AI data masking. So you get enterprise PAM features without the enterprise price tag.

Might be worth a look as, given the strategy, these features should remain free. Could save you some serious cash. Repo's public if you wanna kick the tires: https://github.com/hoophq/hoop


Consider Hoop (https://hoop.dev) as an open source alternative. It's designed to be lightweight and developer-friendly.

Key features that are free/open source:
1. SSH, K8s, database access
2. RBAC and just-in-time access
3. Session recording
4. IdP integration

We monetize on advanced layer 7 features like AI data masking and firewall rules. But the core access management stuff stays free. Repo is public if you want to check it out: https://github.com/hoophq/hoop

Good luck finding a solution that fits your needs.


We had this problem at my last job - ended up building our own system cause nothing really fit.

Some tips from what we learned:
1. don't use shared spreadsheets or docs, way too easy to mess up
2. need granular access controls + audit logs
3. automate onboarding/offboarding as much as possible
4. rotate creds regularly, especially for sensitive stuff
5. use SSO where you can to minimize password sprawl

There are some decent enterprise password managers out there, but they get pricey fast as you scale. We ended up using a combo of 1Password for team passwords + a custom system built on top of Vault by HashiCorp for machine creds/API keys etc.

One thing that worked well was having "password owners" for each system who were responsible for rotations, access reviews etc. Helps distribute the work.

If you want something more turnkey, you might want to check out hoop.dev - does a lot of this stuff out of the box, including automated access reviews, just-in-time access etc.

Whatever you do, just please don't use a shared google doc :)
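As an added example (not the commenter's system and not hoop.dev's code), here is a small Python audit over a constructed credential inventory that mechanizes tips 1, 2, 4 and the "password owners" idea: it flags credentials overdue for rotation under a per-sensitivity age limit, credentials with no accountable owner, and credentials still living in a spreadsheet or shared doc. The age limits, storage classes and inventory rows are all assumptions made for the example.

```python
"""Credential-hygiene audit over an inventory (added illustrative example).

Not the commenter's system nor any vendor's code. The policy thresholds,
storage classes and inventory rows below are constructed for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumption: maximum credential age in days per sensitivity tier
# ("rotate creds regularly, especially for sensitive stuff").
MAX_AGE_DAYS = {"high": 30, "medium": 90, "low": 180}

# Assumption: storage locations that count as "a shared spreadsheet or doc".
UNMANAGED_STORAGE = {"spreadsheet", "shared_doc", "wiki_page"}


@dataclass(frozen=True)
class Credential:
    name: str
    system: str
    sensitivity: str        # "high" | "medium" | "low"
    owner: str | None       # accountable "password owner", if any
    last_rotated: date
    storage: str            # e.g. "vault", "1password", "spreadsheet"


Finding = tuple[str, str, str]  # (credential name, finding kind, detail)


def audit(creds: list[Credential], today: date) -> list[Finding]:
    """Return one finding per policy violation; an empty list means clean."""
    findings: list[Finding] = []
    for c in creds:
        max_age = MAX_AGE_DAYS[c.sensitivity]
        age = (today - c.last_rotated).days
        if age > max_age:
            findings.append((c.name, "overdue_rotation", f"{age} days old, limit {max_age}"))
        if not c.owner:
            findings.append((c.name, "no_owner", "nobody accountable for rotation/access review"))
        if c.storage in UNMANAGED_STORAGE:
            findings.append((c.name, "unmanaged_storage", f"kept in {c.storage}"))
    return findings


def counts_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summary suitable for a dashboard or a weekly review ticket."""
    return dict(Counter(kind for _, kind, _ in findings))


def sample_inventory() -> list[Credential]:
    """Constructed sample data: four credentials with different problems."""
    return [
        Credential("prod-db-admin", "postgres-prod", "high", "dba-team", date(2024, 4, 1), "vault"),
        Credential("ci-deploy-token", "ci", "medium", None, date(2024, 5, 15), "vault"),
        Credential("wiki-service-account", "wiki", "low", "it", date(2023, 12, 1), "spreadsheet"),
        Credential("slack-webhook", "slack", "low", "platform", date(2024, 5, 1), "1password"),
    ]


def run_sample() -> list[Finding]:
    """Audit the constructed inventory as of a fixed date so results are reproducible."""
    return audit(sample_inventory(), today=date(2024, 6, 1))


if __name__ == "__main__":
    for name, kind, detail in run_sample():
        print(f"{name:24} {kind:18} {detail}")
    print(counts_by_kind(run_sample()))
```

Run against the sample, the audit reports the prod DB admin credential as overdue (61 days against a 30-day limit for the high tier), the CI token as ownerless, and the wiki service account as both overdue and stored in a spreadsheet; the Slack webhook passes. In a real deployment the inventory would be pulled from the secret manager's metadata rather than typed in.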


Bit of a sneaky self promotion tbh but I'll allow it. Just making it clear.


Appreciate the feedback; would love to get your takes on this description. What are we still missing?

Hoop.dev keeps sensitive data safe and checks important changes to make sure they're done right. It hides sensitive data in databases automatically and turns repeated tasks into easy, automatic ones. It also helps teams fix problems quickly by connecting with chat tools like Slack and MS Teams.


Take it out of the abstract and give me one crystal clear example.

For context, I'm CTO of a gaming startup that uses a Kubernetes cluster to host online multiplayer videogames, and when I read your GitHub and product landing page, I still have no idea who or what this is for. Seems like it's targeted at enterprise cloud architects or something. Someone who works on clusters more advanced than ours. That's fine, but my feedback is simply that I'm no beginner and your landing page basically goes right over my head.

Also, to make people _switch_ from one solution to another, you have to be more than a little bit better, you have to be WAY better. Especially for enterprise clients. To make an enterprise client change their cloud architecture is probably a hard sell, because of the risk involved. Why should anyone attach their professional credibility to your project? I think basically what I'm saying is, you gotta do more to sell this thing.

It sounds technically advanced, but I think you gotta take off your engineer hat and put on your sales hat and make me want it. Or if not me, then make _someone_ want it.


Thanks for the feedback and kind words! You bring up a valid concern. Let me clarify how it works:

The obfuscation is designed to be intelligent and context-aware. When you have write access and make changes, hoopdev ensures that only the intended modifications are written back, not the obfuscated data. We've implemented safeguards to prevent accidental overwrites with "cleaned" or "hidden" data.

Let me know if you have any specific scenarios or tools you'd like to test with.
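The behaviour described above, masking on read while refusing to let masked placeholders flow back on write, as an added Python example that is not hoop.dev's code and makes no claim about how hoop implements it. It assumes a fixed sentinel string stands in for hidden values, and uses a constructed in-memory table; the gateway computes a diff between the masked view the client was shown and the row it sends back, so untouched masked fields are dropped and a write that would persist the sentinel is rejected outright. A naive write path is included beside it to show the overwrite the safeguard prevents.

```python
"""Masking on read with a write-back safeguard (added illustrative example).

Not hoop.dev's code: a tiny in-memory gateway that hides sensitive columns
from readers and refuses to persist the mask sentinel when an edited row
comes back. Names, sentinel and data are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

MASK_TOKEN = "[REDACTED]"  # assumption: a fixed sentinel shown in place of sensitive values


class MaskedWriteError(ValueError):
    """Raised when a write would persist the mask sentinel instead of real data."""


@dataclass
class MaskingGateway:
    """Sits between a client and a table: masks on read, filters on write."""

    sensitive_fields: frozenset[str]
    store: dict[int, dict[str, Any]] = field(default_factory=dict)

    def read(self, row_id: int) -> dict[str, Any]:
        """Return a copy of the row with sensitive fields replaced by MASK_TOKEN."""
        row = self.store[row_id]
        return {k: (MASK_TOKEN if k in self.sensitive_fields else v) for k, v in row.items()}

    def diff_for_write(self, shown: dict[str, Any], edited: dict[str, Any]) -> dict[str, Any]:
        """Work out which fields the client actually changed.

        `shown` is the masked view the client was given; `edited` is what it
        sends back. Fields unchanged from the view are dropped, which silently
        drops every untouched masked field. A field that still carries the
        sentinel but does not match the view is rejected: the caller is trying
        to write masked data as if it were real.
        """
        changes: dict[str, Any] = {}
        for key, new_value in edited.items():
            if key in shown and shown[key] == new_value:
                continue  # untouched, including masked fields still showing the sentinel
            if new_value == MASK_TOKEN:
                raise MaskedWriteError(f"refusing to persist mask sentinel into {key!r}")
            changes[key] = new_value
        return changes

    def write(self, row_id: int, shown: dict[str, Any], edited: dict[str, Any]) -> dict[str, Any]:
        """Apply only the genuine changes to the backing row and return them."""
        changes = self.diff_for_write(shown, edited)
        self.store[row_id].update(changes)
        return changes


def naive_overwrite(store: dict[int, dict[str, Any]], row_id: int, edited: dict[str, Any]) -> None:
    """The bug the safeguard prevents: writing the edited (masked) view back wholesale."""
    store[row_id].update(edited)


def sample_store() -> dict[int, dict[str, Any]]:
    """Constructed sample table with one row."""
    return {1: {"id": 1, "name": "Ada", "ssn": "123-45-6789", "email": "ada@example.com"}}


def demo() -> tuple[dict[str, Any], dict[str, Any], dict[str, Any]]:
    """Edit one non-sensitive column through the gateway and through the naive path."""
    gw = MaskingGateway(sensitive_fields=frozenset({"ssn", "email"}), store=sample_store())
    shown = gw.read(1)                      # ssn/email appear as MASK_TOKEN
    edited = dict(shown, name="Ada L.")     # client changes only the name
    applied = gw.write(1, shown, edited)    # {"name": "Ada L."}; ssn/email untouched
    safe_row = dict(gw.store[1])

    clobbered = sample_store()
    naive_overwrite(clobbered, 1, edited)   # ssn/email now hold the sentinel
    return applied, safe_row, clobbered[1]


def sentinel_write_is_rejected() -> bool:
    """A write that never went through read() and carries the sentinel must fail."""
    gw = MaskingGateway(sensitive_fields=frozenset({"ssn"}), store=sample_store())
    try:
        gw.write(1, shown={}, edited={"ssn": MASK_TOKEN})
    except MaskedWriteError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("sentinel write rejected:", sentinel_write_is_rejected())
```

One design caveat this makes visible: the sentinel has to be unambiguous, because a non-sensitive column whose legitimate value happens to equal the sentinel would also be refused; a real gateway would tag masked values out of band (a per-field flag in the view) rather than rely on a magic string.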


This is great feedback, I'll strongly consider updating the description to help people make this decision faster.

Would love to get your feedback on this description. Is it clear? What is missing?

Hoop.dev keeps sensitive data safe and checks important changes to make sure they're done right. It hides sensitive data in databases automatically and turns repeated tasks into easy, automatic ones. It also helps teams fix problems quickly by connecting with chat tools like Slack and MS Teams.


It's a small improvement but not nearly enough for me at least, as an outsider.

Admittedly I don't know what an access gateway is. So at the top of the README I'd have something like this:

---

- Hoop.dev is an access gateway, which $insert_what_it_does_here (one phrase or two).

- The API for packet manipulation solves $insert_problem_here.

- Hoop.dev is better than $insert_competition_here by doing (insert your feature list that you already have in the README here).


I agree. I see two use cases here: 1) an audience of people that haven't touched SQL in a while (like me) or less (even non) technical folks. You can get quite complex queries without help from someone that knows SQL. 2) I asked for a P99 query that used some Postgres built-in functions I never heard of. It would take me some googling to find out even if I were used to SQL. Or I would take more time to come up with a more complex solution.

Here's my prompt and the query:

```sql
-- distribution of byte sizes of sessions without review with avg, median, p90, p95, and p99
-- ERROR: column "blob_stream" does not exist
SELECT
  percentile_cont(0.5)  WITHIN GROUP (ORDER BY octet_length(blob_stream_id::text)) AS median,
  percentile_cont(0.9)  WITHIN GROUP (ORDER BY octet_length(blob_stream_id::text)) AS p90,
  percentile_cont(0.95) WITHIN GROUP (ORDER BY octet_length(blob_stream_id::text)) AS p95,
  percentile_cont(0.99) WITHIN GROUP (ORDER BY octet_length(blob_stream_id::text)) AS p99,
  avg(octet_length(blob_stream_id::text)) AS avg
FROM public.sessions s
LEFT JOIN public.reviews r ON s.id = r.session_id
WHERE r.session_id IS NULL
  AND s.blob_stream_id IS NOT NULL;
```


Super cool! I've been planning to integrate https://runops.io/ into VSCode for a while and most of the delay is related to having to write JavaScript. I like your wrapping of the VSCode JS API. I'll use it as inspiration for creating the Runops extension using cljs in the near future. Super exciting that I can do something like this for VS Code now: https://andrios.co/articles/spacemacs-cheatsheet/#elisp-func...


So cool!! Will try it

