Reading through the docs. I feel like a lot of people are missing the value here. This could be a diamond in the rough if it actually delivers on its docs.
What enterprises want is to move away from perimeter based security models towards the promise that Google überProxy/BeyondCorp popularized many years ago. Which has been lost in the buzzword soup. It’s very simple.
1. A clean separation between Prod, Corp, and the public internet. And the UX to hop between them as an employee is as transparent as possible. (Often times network segmentation comes with additional painful friction for engineerings.)
2. One pipe to observe, and clearly attenuate permissions as traffic/messages flows between these boundaries.
3. Strong proofing of identity for every client, as an inherit requirement.
The problem is everyone outside Google has incredibly diverse protocol ecosystems. It makes those three promises incredibly difficult to deliver on as a vendor. (I’ve evaluated many)
To build a proxy that is protocol aware, only solves half the problem. It gets you some coarse grain decision making and a good logging story.
To build a proxy that is also able to perform type-inference at the request layer, allows for a much richer authZ story. One where businesses can build an authorization layer at the proxy better than their in-house apps could even do natively. (As it turns out, having all the predicates of the request available to a policy engine is super useful).
The docs are a little verbose, the marketing maybe isn’t amazing. But this is inherently a complex problem. No one has fully solved.
Teleport was first to the market to OSS and commercialize a lot of these ideas.
StrongDM also is doing really interesting work in this space.
I wish Hashicorp had invested more in this space.
Disclaimer: my opinions are my own.