Identity-Native Infrastructure Access Management: Preventing Breaches by Eliminating Secrets and Adopting Zero Trust

Traditional secret-based credentials can't scale to meet the complexity and size of cloud and on-premises infrastructure. Today's applications are spread across a diverse range of clouds and colocation facilities, as well as on-prem data centers. Each layer of this modern stack has its own attack vectors and protocols to consider.

How can you secure access to diverse infrastructure components, from bare metal to ephemeral containers, consistently and simply? In this practical book, authors Ev Kontsevoy, Sakshyam Shah, and Peter Conrad break this topic down into manageable pieces. You'll discover how different parts of the approach fit together in a way that enables engineering teams to build more secure applications without slowing down productivity.

With this book, you'll learn:

  • The four pillars of access: connectivity, authentication, authorization, and audit
  • Why every attack follows the same pattern, and how to make this threat impossible
  • How to implement identity-based access across your entire infrastructure with digital certificates
  • Why it's time for secret-based credentials to go away
  • How to securely connect to remote resources including servers, databases, K8s Pods, and internal applications such as Jenkins and GitLab
  • Authentication and authorization methods for gaining access to, and permission to use, protected resources

Author(s): Ev Kontsevoy, Sakshyam Shah, Peter Conrad
Edition: 1
Publisher: O'Reilly Media
Year: 2023

Language: English
Commentary: Publisher PDF | Published: September 2023 | Revision History: 2023-09-12: First Release
Pages: 154
City: Sebastopol, CA

Cover
Copyright
Table of Contents
Preface
Who Should Read This Book
Goals of the Book
Navigating This Book
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Introduction: The Pillars of Access
Most Attacks Are the Same
Access
Secure Connectivity
Authentication
Authorization
Audit
Security Versus Convenience
Scaling Hardware, Software, and Peopleware
Identity-Native Infrastructure Access
Chapter 2. Identity
Identity and Access Management
Identity and Credentials
Traditional Approaches to Access
Identity-Based Credentials
Establishing Trust in Identity
Identities in Infrastructure
Long-Lived Identities
Ephemeral Identities
Identity-Native Access
Identity Storage
Identity Attestation
Reducing the Number of Secrets to One
A Path to Identity-Native Infrastructure Access
Eliminate Access Silos
Move to Certificates for Identity Proofing
Extend Identity-Native Access to Service Accounts
Chapter 3. Secure Connectivity
Cryptography
One-Way Functions and Hashing
Symmetric Encryption
Asymmetric Encryption
Certificates as Public Keys
The Untrusted Network
Encrypted and Authenticated Connectivity
Moving Up in the Networking Stack
Perimeterless Networking for North-South Traffic
Microsegmentation for East-West Traffic
Unifying the Infrastructure Connectivity Layer
Secure Connectivity and Zero Trust
Chapter 4. Authentication
Evaluating Authentication Methods
Robustness
Ubiquity
Scalability
Secret-Based Authentication
Public Key Authentication
Certificate-Based Authentication
Multifactor Authentication
Single Sign-On
How SSO Works
Beyond Traditional SSO
Identity-Native Authentication
Identity Proofing
Device Attestation
WebAuthn
Authenticating Machines
Preserving Identity Postauthentication
Chapter 5. Authorization
Infrastructure Protects Data
Types of Authorization
Discretionary Access Control
Mandatory Access Control
The Bell–LaPadula Model
Multics
Mandatory Access Control in Linux
Nondiscretionary Access Control
Privilege Management
Principle of Least Privilege
Zero Standing Privilege
Just-in-Time Access
Dual Authorization
Challenges in Authorization
Access Silos
Privilege Classification
Authorization for Machines
Complexity and Granularity
Identity and Zero Trust
Identity First
Single Source of Policy Truth
Context-Driven Access
Identity-Aware Proxy
Chapter 6. Auditing
Types of Logs
Audit Logs
Session Recordings
Logging at Different Layers
Host Logging
Network Monitoring
Log Aggregation
Security Information and Event Management (SIEM)
Log Schemas
Storage Trade-Offs and Techniques
Evolution of the Cloud Data Warehouse
Log Analysis Techniques
Log Analysis Example: Modern Ransomware Attack
Auditing and Logging in an Identity-Native System
Chapter 7. Scaling Access: An Example Using Teleport
Access at Scale
Identity-Native Access Checklist
Necessary Components
The Teleport Infrastructure Access Platform
The Cluster
How Teleport Works
Managing Users
Managing Client Devices
Managing Permissions
Managing Audit
Zero Trust Configuration
Living the Principles of Identity-Native Access
Chapter 8. A Call to Action
Security and Convenience at Scale
The Future of Trust
Infrastructure as One Big Machine
The Future of Security Threats
Closing Words
Index
About the Authors
Colophon