Transcript
Hi, I'm Nick Bergam, solutions engineer at Teleport. Today my talk is going to be on zero trust, particularly zero trust access and why we should consider implementation. We'll also be taking a look at how traditional access solutions stack up against this framework. And at the end, I'll give some recommendations for implementation of zero trust access in your own infrastructure. So, intros aside, let's get started.
If you've ever worked in information security or have some colleagues in the field, you'll understand pretty intimately that the field is constantly evolving in order to keep up with technology and modern threats. With the introduction of cloud native technologies, a new frontier is opening up before us, and the access threats to this environment are very real and very much a challenge for professionals. This challenge seems daunting, but you're not alone. The United States Army's CIO Raj Iyer attributed the inconsistent application of configurations and architecture for cloud security as one of the biggest concerns during an interview he gave back in October. This is why government organizations such as NASA, the NSA, and the DoD are making this transition to zero trust frameworks a real priority.
So to paint a clear picture of what zero trust is and why we need to actually implement it, it's important to first see where we came from, and that is perimeter security. For the past 30 years or so, this model has dominated security architecture design. Local area networks and wide area networks were created using a partial trust philosophy, or us versus them, and like investing heavily in strong walls and other fortifications to keep out intruders, the idea behind this was to create a moat that insulates your interior network from the dangers beyond your defenses.
VPNs were forged during this era and were first developed by Microsoft back in the late 1990s using point-to-point tunneling protocols. While first used for tunneling information from one trusted network to another, the application and use of this technology has become much broader in scope and has been really stretched by security organizations. This is due in part to the increase in remote working environments as well as the rise of cloud infrastructure. But this perimeter security model and the technologies associated with it, such as VPN, pose a significant challenge for remote and cloud computing. For instance, how do we know that the person trying to gain access through our walls or defenses is who they say they are? And how do we know that once they make it past our castle walls, or we admit them in, they're not going to run amok in our infrastructure?
Well, that's precisely the question that the Forrester Research group out of Cambridge, Massachusetts challenged when they submitted the zero trust security model to the public domain. This framework was outlined in response to NIST's request for feedback on a document called Developing a Framework to Improve Critical Infrastructure Cybersecurity. What Forrester said in this research paper is: look, our whole approach to security is a misconception and our current trust models are broken. We trust first everything that is already on our network, and we need to be looking at security assuming that the bears and other dangerous animals are already beyond our castle defenses and running around in our infrastructure. They noted in their report that more than half the breaches they surveyed could, at least in part, be attributed to internal actors, in the form of either theft or loss of corporate assets or the misuse of information by insiders and business partners, either maliciously or inadvertently. Here, a trust-but-verify approach does not compensate for these types of intrusions, because the threat would come from what is already considered to be a trusted source.
So the focus of the zero trust model is on strict identity verification for each person, bot, service or device trying to access resources on the private network, regardless of where they're sitting, either inside or outside of those defenses on your perimeter. By imposing these strict authentication requirements, we are able to better enforce the principle of least privilege, another core pillar of zero trust. This framework also calls for the inspection and logging of all network traffic. Each of these fundamental requirements must be applied to every level of the OSI model as well, to limit lateral movement across your infrastructure as much as possible. So legacy access technologies such as traditional VPNs were never designed for, or are definitely not equipped to take on, these responsibilities. While encrypted tunnels and access through encrypted tunnels used to be synonymous with security, this is no longer the case.
So the first challenge that zero trust takes on is this over-reliance on the security perimeter and the technologies associated with it, such as VPNs. VPNs were never designed, first off, for continuous use. With the massive shift happening to a remote or hybrid workforce, existing VPN structures were forced to support a continuous workload they weren't intended for, and this creates an environment where the VPN servers are subject to excessive loads that often negatively impact performance and user experience. Today, we've all come to expect high levels of availability and quality, especially when it comes to interruptions that can kill efficiency. Inconsistency or latency at peak hours can be especially frustrating as a result, and it makes little sense to direct all your network traffic onto your corporate infrastructure via VPN, only to transfer it from there onto the cloud. Further, VPNs' most glaring fault is that their authentication, authorization and audit are nonexistent. When coupled with other security tools, you do have these requirements of zero trust fulfilled, but you end up spending more resources on more software, adding more overhead, and ultimately adding more to your configuration burden.
Finally, the criminal organizations that are targeting remote workers are doing so more frequently, and new security challenges present themselves that traditional work access solutions weren't designed to solve. The Common Vulnerabilities and Exposures system lists all the known vulnerabilities and exposures, obviously, but at the time of this recording, there are over 560 that could be attributed to VPN vulnerabilities in the technology itself. VPNs are also totally blind to content-level attacks, so a VPN doesn't know if it's being used to upload ransomware into a corporate environment or a cloud infrastructure. It also doesn't know if it's being used to siphon information out of these resources.
So a better approach is to have strong authentication, authorization, and audit within your network defenses. Continuous authentication is perhaps the most important piece of this zero trust puzzle, and it's no secret by now that single sign-on is critical to today's cloud infrastructure. But also having a strong IdP and MFA is imperative to ensuring that you do have identity controls in place when authenticating access. This is arguably the most important piece of zero trust, because authorization and audit are reliant on this control being solved and constantly applied at the lowest level of the OSI model. The principle of least privilege is at the heart of authorization, and being able to further divide access by roles or attributes is needed in today's cloud native environment. For obvious reasons, the practice of provisioning access by roles is widely implemented in some form already, and it's important to prevent users from amassing too broad privileges.
Now, I love me some ancient history, so one of my favorite stories is that of Cincinnatus, who, as you might have guessed, is the namesake of Cincinnati, Ohio, among other things. So the story goes that when the Roman Empire was being threatened, Cincinnatus was approached by the Senate and granted the powers of a dictator in order to guide the empire through the crisis. Once he successfully did so, he ceded those powers back to the Senate and returned to the farm where he came from.
So just-in-time access is the fundamental security practice where the privilege granted to access applications or systems is limited to a predetermined period of time, and also granted on a per-need basis. This helps to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit. Zero trust relies heavily on the ability to see what's happening within your environments at all times, so alerting mechanisms such as SIEM tools directly enable this, as long as there are strong identities that could be used to attribute entities to each action. For example, knowing who SSHed into a server as the root user when executing a command, or knowing who deleted or altered a table within a database as the admin user, provides that transparency needed for a healthy cloud infrastructure.

The next challenge that zero trust takes on is that of shared secrets, primarily secret keys and passwords. So one of the keys to securing your infrastructure is, well, eliminating keys. Shared secrets have become the natural progression to cope with requirements for complicated passwords, tokens and secret keys. Besides the obvious threat of brute force attacks, hackers can intercept and steal passwords well before any breach is detected. If a malicious actor previously exploited a vulnerability to collect legitimate credentials, those credentials could still be valid months after patching, possibly. Many organizations also keep a repository of some sort, which are landmines if discovered by the wrong individuals. Additionally, the temptation to circumvent proper security controls can be strong at times of urgency, and this occurs all too often. One example would be sharing credentials with a team or business partners who urgently need access into environments, or sharing them via Slack or Teams. It could also happen via unencrypted mediums in the worst-case scenario, such as emails. If the use of these repositories that I mentioned earlier sounds familiar, it's because it does rely on the same premise as perimeter security: that a hardened wall in the form of an encrypted vault can protect the soft interior of your environment. And if you recall what over-reliance on walls for security leads to... well, as you can imagine, if you're a fan of Lord of the Rings, bad things can happen.
So the use case for short-lived certificates is very strong. In this example, when used in tandem with a strong identity control, they not only eliminate the overhead associated with shared secrets, but also much of the security concerns associated with exposure. For example, damage is limited by the hard time-to-live restrictions on each certificate, and the ability to escalate or laterally shift using a certificate is greatly hindered for devices and service accounts that may be compromised. They also provide the foundation for security verification each time an access request is made within your segmented network.

The final challenge that zero trust takes on is the challenge of too many restrictions. So as you start to evolve as a security team, you start to see maybe there's a use case for risk avoidance. So odds are you could secure your infrastructure by removing certain access types altogether, a practice known as risk avoidance. But while removing access types such as SSH sounds great to a security professional, you'll rarely meet an engineer who agrees with the value added in that position. The value of having a unified access plane in this example allows you to pipe all your access to your various cloud compute resources, such as databases, servers, Kubernetes or applications, through a single choke point using a proxy or gateway. Now, this proxy is a great place to attach any restrictions or request modifications to your SSO identities to provide accountability for those who are performing actions in your cloud environment. It also ensures that you only allow SSO users who are authenticated to pass through and onto your resources, while at the same time associating their identity to each of their requests. Each time you are using generic logins such as admin or root, you could tie this activity to the users and groups that you created within your resources.
Ideally, it would integrate with your current infrastructure and improve your user experience while allowing you to provide detailed activity monitoring. There are a couple of solutions that, when used on their own or in tandem with existing tools, make up a very strong zero trust defense system.
One of them, and probably the most well known implementation of zero trust, was Google's BeyondCorp initiative, which was released back in 2014. So Google's goal was to allow employees to work efficiently on any network without the use of VPNs when they created this. And today, Google also offers the Identity-Aware Proxy solution, which is similar to the access plane. It allows for continuous authorization checks against an identity-aware proxy and is relatively straightforward to set up and use when integrating with an all-GCP cloud stack. Now, there are some cloud-agnostic and open source tools designed to tackle this problem as well, such as Teleport.

So yes, we made it this far in the talk. It's time to talk a little bit about Teleport. Teleport goes deep into the OSI model to provide you authentication, authorization and audit, and it provides that amongst all your cloud resources at the networking layer. Teleport also uses short-lived certificates and, best of all, it's open source. So if you are interested in exploring some more about how Teleport can provision across your infrastructure, I encourage you to have a look at our open source community on GitHub, and we also have some resources available on our website, teleport.com. I hope that this talk empowers you to take some of the practices we covered today and implement them in your own cloud environment.
The transition to a zero trust framework is undeniably a challenge that is rarely one-size-fits-all, but I promise you that the investment is always going to be worth the trouble. Legacy technologies like VPNs and other perimeter access tools are quickly being replaced with increasingly agile tools to fit the cloud native environment. The benefits you'll see once you move over to a zero trust approach are truly worth it, and being able to reduce your attack surface from inside threats is something that every company grapples with. Secure access planes that enforce strong identity requirements for access are a win-win here, because not only do they improve your infrastructure and update it from legacy equipment, but by doing so, you'll also find an increase in user experience and efficiency. That's all I have today. Thanks again for tuning in, and I hope that you could apply some of these lessons to your organization.
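The unified access plane and just-in-time access the talk describes, as an added example that is not part of the talk and not Teleport's code: a toy Python proxy that sits as the single choke point, authorizes each request against a time-bounded role grant tied to an SSO identity, and writes an audit record that attributes the generic login (root, admin) to that identity. All role, user, resource and login names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role definitions: each role lists the (resource, login) pairs it may use.
ROLES = {
    "sre": {("web-01", "root"), ("web-02", "root")},
    "dba": {("prod-db", "admin")},
}

@dataclass
class Grant:
    """Just-in-time assignment of a role to an SSO identity, valid until expires_at."""
    user: str
    role: str
    expires_at: datetime

class AccessProxy:
    """Single choke point: authenticate (SSO identity), authorize (role + TTL), audit."""
    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[dict] = []  # every request lands here, allowed or not

    def grant(self, user: str, role: str, ttl: timedelta, now: datetime) -> None:
        self.grants.append(Grant(user, role, now + ttl))

    def request(self, user: str, resource: str, login: str, now: datetime) -> bool:
        active = [g for g in self.grants if g.user == user and g.expires_at > now]
        allowed = any((resource, login) in ROLES.get(g.role, set()) for g in active)
        if allowed:
            reason = "ok"
        elif not active:
            reason = "no active grant"  # never granted, or the JIT window has closed
        else:
            reason = "role does not permit this resource/login"
        # The audit record names the SSO identity, not just the generic login it used.
        self.audit.append({"user": user, "resource": resource, "login": login,
                           "allowed": allowed, "reason": reason, "at": now.isoformat()})
        return allowed

def demo() -> tuple[bool, bool, bool, str]:
    """Constructed scenario: an 8-hour SRE grant, exercised inside and after its window."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    proxy = AccessProxy()
    proxy.grant("alice@example.com", "sre", timedelta(hours=8), t0)
    in_window = proxy.request("alice@example.com", "web-01", "root", t0 + timedelta(hours=1))
    wrong_role = proxy.request("alice@example.com", "prod-db", "admin", t0 + timedelta(hours=1))
    expired = proxy.request("alice@example.com", "web-01", "root", t0 + timedelta(hours=9))
    return in_window, wrong_role, expired, proxy.audit[0]["user"]
```

Running `demo()` shows the same root login allowed inside the grant window and refused after it, with every attempt recorded under the SSO identity rather than under "root".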