Infosec and systems engineers can secure SSH access to their infrastructure, meet compliance requirements, reduce operational overhead, and have complete visibility into access and behavior.
Teleport Privileged access management for elastic infrastructure that doesn’t get in the way April, 2018
What is Teleport? Teleport provides privileged access management for elastic infrastructure that doesn’t get in the way. Infosec and systems engineers can secure SSH access to their infrastructure, meet compliance requirements, reduce operational overhead, and have complete visibility into access and behavior. You get security best practices out-of-the-box in a people-friendly solution that employees will actually enjoy using.
Isolate access to critical infrastructure: Proxies (aka, bastions) are used as unified access points to control and monitor activity across the system. Time based access: Identity aware, short-lived certificates are used for authorization. Role Based Access Controls: Auth servers integrate with existing identty systems and permissions for RBAC. Security best practices out-of-the-box Pass Compliance Requirements
Sessions recorded: Complete session logging and recording, including metadata and user identities, across entire clusters. Activity logged: All operational activity across the system is logged and shipped to secure logging servers. Share knowledge: Sessions can be joined by multiple people, everything is recorded and available for playback for root cause analysis. Everything is recorded and auditable Visibility into Access and Behavior
Access control across region: Server clusters can be linked together in order to traverse across infrastructure types and regions. Access follows workloads: Role based access and permissions can follow dynamic workloads / services. Works with existing tools: Fully compatible with OpenSSH and existing SSH-based automation tools like configuration management systems. Designed for multi-region clusters ! ! ! !! Built For Modern Infrastructure
Reduces Operational Overhead Simple to configure. Just install a lightweight Go daemon and a command- line tool. Short-lived certs for authorization. No keys, VPNs, firewalls, jump boxes, or IPs to manage. Complete session logging and recording, including metadata and user identities, across entire clusters. Less Setup And Maintenance Doesn’t Get In The Way Integrates with existing identity management solutions: SAML, Okta, 0Auth, OpenID Connect, Auth2, Active Directory, etc. Choose between a simple command-line tool or a web client. Works on all major Operating Systems. Use with existing OpenSSH server fleets; no need to lift and replace. All SSH commands are supported to fit existing end-user and automation workflows.
Trusted in Production The Teleport open source edition is widely adopted by teams around the world. Security audits have been conducted by leading security consulting firms. Teleport Enterprise is trusted by some of the largest enterprises in software, finance, healthcare, manufacturing, IT, security, telecom, government, and other industries.
Appendix: Teleport Architecture For more details visit the Teleport documentation: https://gravitational.com/teleport/docs/architecture/
Appendix: Why not DIY? Infosec Requirement OpenSSH Teleport Integration with corporate identity (SAML / LDAP) and SSO Two factor authentication Role based access control (RBAC) Permissions that follow dynamic workloads Dynamic configuration at runtime Audit logging and session recording
Appendix: Teleport Use Cases Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). Source: HIPAA §164.312 Technical Safeguards (https://www.law.cornell.edu/cfr/text/45/164.312) Achieve regulatory compliance with proper access control policies. HIPAA Strong Access Control Measures. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job. PCI Privacy by Design. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing. GDPR Source: PCI Quick Reference Guide (https://www.pcisecuritystandards.org/pdfs/ pci_ssc_quick_guide.pdf) Source: GDPR Key Changes (https://www.eugdpr.org/key-changes.html)
Appendix: Teleport Use Cases Is the production network segmented into different zones based on security levels? Do you require multi-factor authentication (MFA) for employee user authentication to access your network (local or remote)? Which groups of staff (individual contractors and full-time) have access to personal and sensitive data handed to you? Satisfy security requirements from enterprise customers. Which audit trails and logs are kept for systems and applications with access to customer data? Are all security events (authentication events, SSH session commands, privilege elevations) in production logged? How are cryptographic keys(key management system, etc) managed within your system? Source: Vendor Security Alliance questionnaire (https://www.vendorsecurityalliance.org/questions)