Removing the Complexity to Securely Access the Infrastructure

The New Stack · Intermediate ·🔧 Backend Engineering ·4y ago

Key Takeaways

The video discusses Teleport, a platform that securely accesses infrastructure, and its features such as short-lived credentials, principle of least privilege, and audit logs. Teleport reduces complexity in infrastructure access and management, and supports access to servers, Kubernetes clusters, and AWS management console.

Full Transcript

hey everyone welcome to the new stack makers i'm alex williams today we are discussing teleport 9 in particular teleport machine id and my guest today is ben errant who is a developer relations manager at teleport ben great to have you here thanks for having me so before we get started i always love to talk with the people who were interviewing about themselves and i saw that you uh have an interesting background but i was curious first of all about you know where did you grow up where what what really influenced you kind of in your younger years to be kind of where you are today can you think of anything in particular yeah well i grew up in the south of england currently in oakland and you know growing up big thing that influenced me was you know like early like internet you know i was probably the era of the 56k modem um yeah the uk was always a bit a little bit delayed um i actually remember going to like a career advisor at the time being like something kind of interesting with careers with computers and they're like you know that's not going to be a thing you know you could maybe be a professional programmer you know microsoft was like in the it world um but i think the whole concept of that initial web and we saw like web 2 and all the web 3 things it's that sort of new emergence of like youth coming up um and so basically just like the power and the ability to connect to people over the internet um locally was always an incredible thing that i think the internet really opened up and now everyone can experience it excellent and so you did go into industrial design as your focus of study as i saw on your linkedin why did you decide on industrial design and how did that lead to being at a place like teleport today i mean i love making things and taking things apart which is natural part of my curiosity um and i think a thing that's sort of interesting now we talk a lot about um the s-bomb and as i went through my industrial design process you you design something you mainly get it made in china you get it shipped but you have like a bit of materials and i think the thing that sort of really got me excited about our traditionally was like interaction design so it was like the interface between hardware and software and you know this is even like pre-ipad and so like people who made computers the industrial design is like kind of interesting but it's not as interesting as the software and i think it's working like hardware has disappeared making software is one way easier than having to do like an actual bit of materials in china like if you ship a million widgets that are wrong like you've got a million widgets but if you can like easily iterate with software and i think that's the exciting thing about the movement of you know sas and you can just always redeploy you can give people different variants of your product which is sort of hard to really do in like the physical world and i think that kind of really excited me about um you know the move into software and startups and i moved to the bay area a decade ago for a real estate startup okay and um you know we talk about like bootstrapping i stepped under my desk for the first six months until we had like ramen profitability it took me like a year or so to realize that like most startups don't necessarily are that scrappy and um the real estate startup didn't go anywhere and we got into the developer tool space and so i've worked on except exception trackers uh nosql databases as a provider and i always say to people in the bay area it's like the gold rush you know it's always better to sell pickaxes and jeans than it is to be looking for the next big hit yeah no kidding isn't that true so now you're at teleport and you must have learned a lot along the way about the complexity of those interactions in between the software and the hardware and really that delineation between hardware engineers and software engineers and the delineation between teams and developer teams and a lot of what i see from you all doing at teleport is trying to decrease that complexity so could you tell us a little bit about teleport itself what is the company what does it do and how does it help with that complexity that often comes when you're thinking about security integrating into that software bill of materials which uh you refer to as s-bomb yeah i think if you go back a bit historically you know if you wanted to have your infrastructure you would build out like a rack and you'll be in charge like the physical security you know if someone wanted to like reboot it they could physically go up to it i think the movement to cloud we kind of move to the shared responsibility model we assume that the physical access to the rack is secured up to a certain level and then you're responsible for everything above it so you know in amazon it's the vpcs it's the iam it's everything else all of this extra complexity and what teleport does is it helps teams provide uh easy secure access to all of this infrastructure and we started off in the world of um servers and ssh access but in the last couple of years we sort of covered the full gamut of things you would access everywhere from you know servers kubernetes clusters to even aws management console and the thing that makes sort of teleport unique is one of the core ideas is short-lived credentials so everything is sort of based upon certificates in the background you don't really see it as a user but if you were to each day you log in you get a certificate for that day which is defined as some sort of role and you can go about your day's access once those eight hours have passed your credentials are invalid and you need to go back through uh sso flow to log in again and this sort of fixes many problems that um you traditionally had with you know just infrastructure in general like team members get onboarded they come and go you might have to add like public keys to servers your ansible run and it just the complexity just increases increases as you have more stuff in your applications and so you know as we've added database support we've added more users sort of accessing different services in a sort of a secure manner so one of the things i was recognizing when i was reading about you know the background on on these different capabilities you have you started with you know uh you know with uh ssh nodes for instance you cover kubernetes clusters and there's a lot of discussions on there's a lot of things in there about configurations themselves that's one of the concerns that a lot of people have about kubernetes is it you know is the multiple users might be asking accessing a yaml file or you might have a multiple personas um you know uh do you know working on a configuration right yeah so like common cases if you you know create a fresh kubernetes cluster you might add everyone to a like system masters role which is sort of the default sort of god mode and what happens is teams might pass around like a cube like a long-lived cube config to the whole team and so one problem is like there's any visibility into which users are using that um sort of cube config what are they doing when they sort of access the kubernetes api and two like if that person leaves like are you really rotating that cube config which the most likely answer is probably not right right right so so how are you kind of building on that reduced complexity in in teleport uh nine and i'm you know and you're making a big deal of the teleport machine id preview so i'm curious on what that is but first of all just kind of that that that complexity issue that you're trying to work on all the time well i think it's starting with the principle of least privilege um which is you know a common term of you only give people the permissions that they need and then if they need more you sort of give them on demand and this generally reduces sort of the attack factor so if someone wants to get someone's credentials there's not going to be a like a wider privilege escalation into something else and i think this is a problem with both like aws management console and kubernetes clusters if you have the systems masters rule it's pretty much easy to get access to any pod and once you get access to any pod you can likely get like pop environmental credentials for databases and then you pop the database then you get all that information and you know like bad things can happen in teleport 9 we've taken the same concept for user access but applied it to sort of computers and services to access those clusters i think a classic example for us is both ci cd servers and sort of ansible runs you you can think of them almost in the same way so like let's say jenkins is you know he's like a funny waiter this is like mascot but what you do is the ops team will set up jenkins they'll give you know jenkins like a very long certificate probably a public private key once that's configured you know you may rotate it once a year you may not but jenkins just goes about his business and um there's many sort of problems here and we're seeing this a lot more with um you know both solarwinds attack which was uh compromise of the build infrastructure and so people know that these like build infrastructures they'd not only run your like tests but often if they're doing continuous deployments they might have specific credentials that get access to your aws account and then if you have a privileged credential in aws account it's pretty easy to then like escalate something else and what machine id does is it provides the same access of short-lived certificates but for these machine-to-machine communication hmm so let's go through teleport 9.0 and how it reflects about you know teleport itself and its mission and how you're trying to help users with these issues that you're talking about what is teleport machine id pre and what is the preview so the preview is our first release of um machine id and so this lets teammates listen this lets teleport customers enroll robots into their clusters so instead of using sort of you know the jenkins example public private keys you set up tbots which is another service that you run and sort of two bots once it's issued it will automatically retrieve new certificates every 20 minutes this is also customizable and what this does is by issuing these short-lived credentials for access if there is a compromise on your machine you can easily lock those credentials and the other benefit is there's a full audit log of what's happening during those runs so if you notice that it was um like ansible the way in which ansible runs for example it like scps a file into the host and then it runs that file we get all this information in teleport to know oh what are these machines doing um and how are they accessing it okay so it gives you more of a window into in into that doesn't it yeah if like one it reduces like the human error so um often you might have like a person which would run the like public private keys on some machine you know accessing and securely rotating those credentials can be difficult or it might be on disk somewhere it reduces that problem once the t-bot service is joined it's only a one-time token even if you try to get those certificates we have certain mechanisms in place to secure those tokens and um the second thing is if they are compromised because it's such a short window of access it means that you know they're sort of useless in that sort of short time period i'm currently reducing privileged escalation one of the questions i have is about the database features that you're adding to teleport nine and you offer lots of capabilities with databases now and there's multiple databases that you now support and you know there's a lot of things that i think i'm hearing from what you're talking about in previous discussions that apply here to databases what can you say about you know the changes that you that people will see in teleport nine yeah database is an interesting addition to teleport you know it's sort of many of the crown jewels of your applications are in databases you know you might pop a server you guys have you know like some service or program but there's not much sensitive information in here database is likely to have like pii and so if you're in a hipaa or you have like pci or you're going through stock 2 you want to make sure that people are you know who's accessing your databases and what are they doing and so teleport 9 just extends our features that we have in place for um mariby db redis and microsoft sql server both uh aws hosted rds editions and then also self-hosted versions um you know my favorite one is redis i used to run a redis as a service product and our product would we would provide people with long passwords or username and passwords for accessing their cluster and all the time people would check them into github and so they wouldn't put them in an env file or they check their amv file maybe not anything that bad will happen if you access a reddit server but you'll be surprised with um what can get infiltrated into these servers and two you don't want people accessing your machines and even if they did access you wouldn't necessarily have the visibility into knowing exactly what people did once they connected to that database so even if someone does get teleport credentials the teleport proxies have been placed that keeps a full order log of the activity and actions of that user um during that session and so with that new database access what is it what are some of the problems that you're seeing out there that this helps resolve it's the same problem of you know as team members come and go you provide access to the database so likely you'll have like a shared user so they say the data science team might all use one shared login and they might have one dedicated password um you know the best practice in aws is you set up like a bastion host you need to configure that to you know get into your vbc because you don't want your database in like a public subnet that's all extra work that you need to do and teleport sort of solves that for you sort of out of the box um to provide that sort of bastion access to your database and then if you're you know your data science team is all using one shared login teleport will be able to identify which person in the data science team was accessing which database um and so you can sort of know like what's happening at the database level so you know where the access is you know what what the access is the database yeah cool um the last thing i want to ask about were these moderated sessions for servers and kubernetes access can you talk to that yeah this is um you know interesting addition that we've had through talking to our customers and um you know i started off with the two party rule and this is sort of a concept that you see in um both accounting and in a more extreme version is like the american nuclear missile silos you know you require actually have the four-party system and this is a system in which you need an observer to witness the actions that are taking place to sort of either approve that someone can start a session and this is both for ssh and kubernetes and also the option to provide them the ability to terminate their session for example and moderated sessions is highly configurable you know you could add as many people as you like but an example you might want to request like three people another developer and maybe someone from the compliance team to make sure whatever's happening during that session on a kubernetes cluster on a server is fully observable um and it also provides all of the other controls so if the audit didn't like what was happening they have the ability to terminate the session of the individual hoodstuff excellent any concluding thoughts about teleport 9 that you'd like to talk about i think the last one is we've really finished up our support for windows desktop access this was added in teleport 8 but in teleport 9 we have clipboard supports and we have the ability to record the sessions so we have full session playback which i can add in the demo they'll be on youtube great yes and we're gonna do a demo now so we'll go over to that for anyone who is listening to this podcast the demo is available on the news the new stack youtube channel so we'll uh we'll we'll start that right now but ben i thanks for your time here and we'll we'll carry on with the demo if you like this video please give us a thumbs up and if you'd like to see more videos like this you can always subscribe to our youtube channel we're on all the major social media platforms you can always find us at the newstac.io we hope to see you soon [Music]

Original Description

As the tech stack grows, the list of technologies that must be configured in cloud computing environments has grown exponentially and increased the complexity in the IT infrastructure. While every layer of the stack comes with its own implementation of encrypted connectivity, client authentication, authorization and audit, the challenge for developers and DevOps teams to properly set up secure access to hardware, software throughout the organization will continue to grow, making IT environments increasingly vulnerable. In this episode of The New Stack Makers podcast, Ben Arent, Developer Relations Manager, Teleport discusses how to address the hardware, software and peopleware complexity that comes from the cloud by using tools like Teleport 9.0 and the company’s first release of Teleport Machine ID.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The New Stack · The New Stack · 0 of 60

← Previous Next →
1 What's Next for the Cloud Foundry Foundation in 2017 with Executive Director Abby Kearns
What's Next for the Cloud Foundry Foundation in 2017 with Executive Director Abby Kearns
The New Stack
2 How Unikernels Can Better Defend against DDoS Attacks
How Unikernels Can Better Defend against DDoS Attacks
The New Stack
3 Weaveworks is Bringing Horizontal Scaling to Prometheus
Weaveworks is Bringing Horizontal Scaling to Prometheus
The New Stack
4 TNS Analysts Thanksgiving Special: The Evolution of Kubernetes and the Container Ecosystem
TNS Analysts Thanksgiving Special: The Evolution of Kubernetes and the Container Ecosystem
The New Stack
5 How Rancher Labs is Seeing Kubernetes Put to Work in Production
How Rancher Labs is Seeing Kubernetes Put to Work in Production
The New Stack
6 SAP Tests Kubernetes for Cloud-Native Enterprise Software Deployments
SAP Tests Kubernetes for Cloud-Native Enterprise Software Deployments
The New Stack
7 Event Marketing for Today's Developer Evangelists and Community Managers
Event Marketing for Today's Developer Evangelists and Community Managers
The New Stack
8 NodeSource Introduces Certified Modules to Improve Node.js Security
NodeSource Introduces Certified Modules to Improve Node.js Security
The New Stack
9 How Lightstep is Illuminating the Case for Distributed Tracing
How Lightstep is Illuminating the Case for Distributed Tracing
The New Stack
10 How OpenStack Aims to be More Inclusive without being Exclusive
How OpenStack Aims to be More Inclusive without being Exclusive
The New Stack
11 How Shuttlecloud Saves Time and Money by Monitoring with Prometheus
How Shuttlecloud Saves Time and Money by Monitoring with Prometheus
The New Stack
12 Creating Analytics-Driven Solutions for Operational Visibility
Creating Analytics-Driven Solutions for Operational Visibility
The New Stack
13 Understanding the Application Pattern for Effective Monitoring
Understanding the Application Pattern for Effective Monitoring
The New Stack
14 Building On Docker's Native Monitoring Functionality
Building On Docker's Native Monitoring Functionality
The New Stack
15 The Importance of Having Visibility Into Containers
The Importance of Having Visibility Into Containers
The New Stack
16 How Getting Your Project in the CNCF Just Got Easier
How Getting Your Project in the CNCF Just Got Easier
The New Stack
17 Tectonic Summit Pancake Breakfast: How to Sell Kubernetes to the Hypervisor-Minded
Tectonic Summit Pancake Breakfast: How to Sell Kubernetes to the Hypervisor-Minded
The New Stack
18 The Buzz at Tectonic Summit 2016 in New York City
The Buzz at Tectonic Summit 2016 in New York City
The New Stack
19 Bringing Clarity to the Future of Node.js Modules
Bringing Clarity to the Future of Node.js Modules
The New Stack
20 How FluentD Can Help Monitor Microservice Architectures Through Unified Logging
How FluentD Can Help Monitor Microservice Architectures Through Unified Logging
The New Stack
21 Reshaping Front End Development with Warehouse.ai
Reshaping Front End Development with Warehouse.ai
The New Stack
22 2016 Year End Wrap-Up: Discussing Docker, OpenStack, and Open Source
2016 Year End Wrap-Up: Discussing Docker, OpenStack, and Open Source
The New Stack
23 Here's Why You Should Build a Robot Using Node.JS: Because You Can
Here's Why You Should Build a Robot Using Node.JS: Because You Can
The New Stack
24 How the Node.js Foundation is Utilizing Participatory Governance Models
How the Node.js Foundation is Utilizing Participatory Governance Models
The New Stack
25 Set Up an MongoDB Replica Set in Less Than an Hour Using Bitnami Packages
Set Up an MongoDB Replica Set in Less Than an Hour Using Bitnami Packages
The New Stack
26 Determining Who Bears the Burden of Ensuring NPM Module Security
Determining Who Bears the Burden of Ensuring NPM Module Security
The New Stack
27 How Intel Snap uses Telemetry and Kubernetes to Drive Enterprise Efficiency
How Intel Snap uses Telemetry and Kubernetes to Drive Enterprise Efficiency
The New Stack
28 How the NFL Scored a Touchdown with its Open Source React Framework Wildcat
How the NFL Scored a Touchdown with its Open Source React Framework Wildcat
The New Stack
29 Aporeto CEO Dimitri Stiliadis: When it Comes to Security, Context is King
Aporeto CEO Dimitri Stiliadis: When it Comes to Security, Context is King
The New Stack
30 The Buzz at Node.JS Interactive
The Buzz at Node.JS Interactive
The New Stack
31 Why Going Serverless Doesn't Mean 'No Ops'
Why Going Serverless Doesn't Mean 'No Ops'
The New Stack
32 How Node.js is Transforming Today's Enterprises
How Node.js is Transforming Today's Enterprises
The New Stack
33 JJ Asghar Interview
JJ Asghar Interview
The New Stack
34 How Capital One is Using APIs to Streamline Auto Financing
How Capital One is Using APIs to Streamline Auto Financing
The New Stack
35 SXSW 2017: How Machine Learning Differs From Regular Programming
SXSW 2017: How Machine Learning Differs From Regular Programming
The New Stack
36 SXSW 2017: Data-Driven Applications with Capital One DevExchange's Hydrograph
SXSW 2017: Data-Driven Applications with Capital One DevExchange's Hydrograph
The New Stack
37 SXSW 2017: How Good Engineers Make Bad Business Decisions
SXSW 2017: How Good Engineers Make Bad Business Decisions
The New Stack
38 CloudNativeCon & KubeCon EU Pancake Breakfast 2017: Kubernetes and the Multi-Cloud
CloudNativeCon & KubeCon EU Pancake Breakfast 2017: Kubernetes and the Multi-Cloud
The New Stack
39 CNCF Executive Director Dan Kohn: What's Next for CNCF in 2017
CNCF Executive Director Dan Kohn: What's Next for CNCF in 2017
The New Stack
40 Exploring the Latest Container Runtime Projects in the CNCF
Exploring the Latest Container Runtime Projects in the CNCF
The New Stack
41 Exploring the Future of the Kubernetes Ecosystem
Exploring the Future of the Kubernetes Ecosystem
The New Stack
42 Kubernetes and Continuous Deployment
Kubernetes and Continuous Deployment
The New Stack
43 Kris Nova of Deis at CouldNativecon/Kubecon in Berlin
Kris Nova of Deis at CouldNativecon/Kubecon in Berlin
The New Stack
44 Docker's Quest for Simplicity with the Evolution of Containerd
Docker's Quest for Simplicity with the Evolution of Containerd
The New Stack
45 Developers First: The Cloud Foundry Service Broker API and Kubernetes
Developers First: The Cloud Foundry Service Broker API and Kubernetes
The New Stack
46 Mapping the Future of CoreOS's rkt in the CNCF
Mapping the Future of CoreOS's rkt in the CNCF
The New Stack
47 Red Hat and Dell EMC: Two Perspectives from DockerCon
Red Hat and Dell EMC: Two Perspectives from DockerCon
The New Stack
48 Capital One Opened its APIs to Third-Party Developers — Here’s What They Learned
Capital One Opened its APIs to Third-Party Developers — Here’s What They Learned
The New Stack
49 SUSE Joins the CNCF, Brings Kubernetes to OpenStack Cloud 7
SUSE Joins the CNCF, Brings Kubernetes to OpenStack Cloud 7
The New Stack
50 How Capital One Brings Open Source To The  Banking Industry
How Capital One Brings Open Source To The Banking Industry
The New Stack
51 OSCON Is Coming Back To Portland, A Show Wrapup With Co-Chair Kelsey Hightower
OSCON Is Coming Back To Portland, A Show Wrapup With Co-Chair Kelsey Hightower
The New Stack
52 Dev Or Ops Doesn’t Matter, You Need Observability
Dev Or Ops Doesn’t Matter, You Need Observability
The New Stack
53 Taking The Next Steps In Developing An Open Source Culture
Taking The Next Steps In Developing An Open Source Culture
The New Stack
54 SXSW 2017: How Capital One Became Technology-First With Open Source
SXSW 2017: How Capital One Became Technology-First With Open Source
The New Stack
55 Apcera   Old Apps Spanning New Clouds
Apcera Old Apps Spanning New Clouds
The New Stack
56 Provenance: The Peace of Mind Chef Habitat Seeks to Deliver
Provenance: The Peace of Mind Chef Habitat Seeks to Deliver
The New Stack
57 InSpec: Human Readable, Automated Compliance
InSpec: Human Readable, Automated Compliance
The New Stack
58 The Evolution of SAP HANA Express
The Evolution of SAP HANA Express
The New Stack
59 Women Engineers Who Inspire And Never Give Up
Women Engineers Who Inspire And Never Give Up
The New Stack
60 Three Perspectives on the Evolution of Container Security
Three Perspectives on the Evolution of Container Security
The New Stack

The video teaches how to securely access infrastructure using Teleport, reducing complexity and implementing zero trust security. It covers features such as short-lived credentials, principle of least privilege, and audit logs.

Key Takeaways
  1. Implement the principle of least privilege
  2. Use short-lived certificates for machine-to-machine communication
  3. Enroll robots into clusters using Teleport Machine ID
  4. Issue new certificates every 20 minutes
  5. Lock credentials if a machine is compromised
  6. Configure Teleport for database access
  7. Use moderated sessions for servers and Kubernetes access
💡 Teleport reduces complexity in infrastructure access and management by implementing the principle of least privilege and using short-lived credentials, providing a secure and scalable solution for teams.

Related Reads

Up next
Beginners Guide to GPT4 API & ChatGPT 3.5 Turbo API Tutorial
Adrian Twarog
Watch →