Identity-Native Infrastructure Access Management: Preventing Breaches by Eliminating Secrets and Adopting Zero Trust


Traditional secret-based credentials can't scale to meet the complexity and size of cloud and on-premises infrastructure. Today's applications are spread across a diverse range of clouds and colocation facilities, as well as on-prem data centers. Each layer of this modern stack has its own attack vectors and protocols to consider.

How can you secure access to diverse infrastructure components, from bare metal to ephemeral containers, consistently and simply? In this practical book, authors Ev Kontsevoy, Sakshyam Shah, and Peter Conrad break this topic down into manageable pieces. You'll discover how different parts of the approach fit together in a way that enables engineering teams to build more secure applications without slowing down productivity.

With this book, you'll learn:

  • The four pillars of access: connectivity, authentication, authorization, and audit
  • Why every attack follows the same pattern, and how to make this threat...
Author(s): Ev Kontsevoy
Publisher: O'Reilly Media
Year: 2023
Language: English
Pages: 154

    Preface
    Who Should Read This Book
    Goals of the Book
    Navigating This Book
    Conventions Used in This Book
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments
    1. Introduction: The Pillars of Access
    Most Attacks Are the Same
    Access
    Secure Connectivity
    Authentication
    Authorization
    Audit
    Security Versus Convenience
    Scaling Hardware, Software, and Peopleware
    Identity-Native Infrastructure Access
    2. Identity
    Identity and Access Management
    Identity and Credentials
    Traditional Approaches to Access
    Why secrets are bad
    Why shared secrets are worse
    Secrets are a vector for human error
    Identity-Based Credentials
    Establishing Trust in Identity
    Identities in Infrastructure
    Long-Lived Identities
    Ephemeral Identities
    Identity-Native Access
    Identity Storage
    Identity Attestation
    Credentials at scale
    How digital certificates work as credentials
    How certificates are created
    Reducing the Number of Secrets to One
    A Path to Identity-Native Infrastructure Access
    Eliminate Access Silos
    Move to Certificates for Identity Proofing
    Extend Identity-Native Access to Service Accounts
    3. Secure Connectivity
    Cryptography
    One-Way Functions and Hashing
    Symmetric Encryption
    Stream cipher
    Block cipher
    Authenticated encryption with associated data (AEAD)
    Asymmetric Encryption
    Public-private key pairs
    Key exchange
    Digital signatures and document signing
    Certificates as Public Keys
    The Untrusted Network
    Encrypted and Authenticated Connectivity
    Moving Up in the Networking Stack
    Perimeterless Networking for North-South Traffic
    Microsegmentation for East-West Traffic
    Unifying the Infrastructure Connectivity Layer
    Secure Connectivity and Zero Trust
    4. Authentication
    Evaluating Authentication Methods
    Robustness
    Ubiquity
    Scalability
    Secret-Based Authentication
    Secrets: Robustness
    Secrets: Ubiquity
    Secrets: Scalability
    Public Key Authentication
    Public key authentication: Robustness
    Public key authentication: Ubiquity
    Public key authentication: Scalability
    Certificate-Based Authentication
    Certificates: Robustness
    Certificates: Ubiquity
    Certificates: Scalability
    Multifactor Authentication
    Single Sign-On
    How SSO Works
    SSO with domain credentials
    SSO with credential injection
    SSO with federated authentication
    Beyond Traditional SSO
    Identity-Native Authentication
    Identity Proofing
    Device Attestation
    WebAuthn
    Authenticating Machines
    Preserving Identity Postauthentication
    5. Authorization
    Infrastructure Protects Data
    Types of Authorization
    Discretionary Access Control
    Mandatory Access Control
    The Bell–LaPadula Model
    Simple Security (SS) Property
    * (Star) Security Property
    The Discretionary Security (DS) Property
    Multics
    Files and segments
    Access control in Multics
    Multics ACLs
    Multics protection ring mechanism
    Access Isolation Mechanism (AIM)
    Multics security in sum
    Mandatory Access Control in Linux
    Nondiscretionary Access Control
    Role-based access control
    Attribute-based access control
    Task-based access control
    Privilege Management
    Principle of Least Privilege
    Zero Standing Privilege
    Just-in-Time Access
    Dual Authorization
    Challenges in Authorization
    Access Silos
    Privilege Classification
    Authorization for Machines
    Complexity and Granularity
    Identity and Zero Trust
    Identity First
    Single Source of Policy Truth
    Context-Driven Access
    Identity-Aware Proxy
    6. Auditing
    Types of Logs
    Audit Logs
    Session Recordings
    Logging at Different Layers
    Host Logging
    Syslog
    Advanced system monitoring
    Network Monitoring
    Log Aggregation
    Security Information and Event Management (SIEM)
    Log Schemas
    Storage Trade-Offs and Techniques
    Evolution of the Cloud Data Warehouse
    Log Analysis Techniques
    Log Analysis Example: Modern Ransomware Attack
    Reconnaissance
    Weaponization
    Delivery
    Exploitation
    Installation
    Command and control
    Actions on objective
    Attack postmortem
    Auditing and Logging in an Identity-Native System
    7. Scaling Access: An Example Using Teleport
    Access at Scale
    Identity-Native Access Checklist
    Necessary Components
    The Teleport Infrastructure Access Platform
    The Cluster
    Auth Service
    Proxy Service
    Access services
    How Teleport Works
    Managing Users
    Managing Client Devices
    Managing Permissions
    Managing Audit
    Zero Trust Configuration
    Living the Principles of Identity-Native Access
    8. A Call to Action
    Security and Convenience at Scale
    The Future of Trust
    Infrastructure as One Big Machine
    The Future of Security Threats
    Closing Words
    Index