SD - Y'ALL Flashcards
Simple, Secure Access for Engineers
Our founding engineering team at Teleport is made up of former Rackspace, Google, and NSA alumni. Within the past few years we’ve been growing quickly: we just raised our Series B from Kleiner Perkins, and today we partner with some of the world’s largest organizations, like Nasdaq and IBM. The main reason we’re gaining traction is that the compute and infrastructure landscape has changed drastically, and with that change has come some serious difficulties.
Security vs Agility
The core challenge for teams today is the tension between the agility of their engineers and security/compliance requirements that come with simply growing as a business. We see this tension manifest in a number of key areas:
- Hurdles involved for engineers to simply access resources, especially in a remote world
- Managing static SSH keys in dynamic environments introduces both additional risk and complexity
- Meeting increasingly strict compliance and security requirements
Many teams are left making tradeoffs, or engineers build workarounds to bypass access hurdles. Having experienced this problem in their past careers, our team built Teleport to solve it.
Access Plane
Teleport was created to provide an access plane that gives engineers the freedom to do computing anywhere, anytime, with total trust. Whether it’s databases, servers, Kubernetes clusters or applications, we strive to make access to compute resources as simple as possible while ensuring your team stays compliant and secure.
Now we’ll talk more about how we do this.
Identity Certificates
A lot of the feedback we’ve gotten about software security solutions from talking to engineers, SREs, and DevOps teams is that they’re disruptive to their workflow, and a lot of the time they may feel the need to create things around the solution, like backdoors, to get their jobs done.
We wanted to create a solution for secure developer access that doesn’t get in the way, and our answer to that is making it easy to use short-lived, configurable certificates as opposed to shared credentials (like SSH keys) out of the box. Assuming you’re using an SSO today (anything that speaks OIDC or SAML), we found a way to pull the identity from that SSO provider and encode it into a short-lived certificate so you can provide role-based access. We bring native support for identity-based access for all resources by enforcing automatic and painless certificate-based authentication and authorization.
Role Based Access
Since there’s metadata in those identity certificates, you’re able to use it to provide rules such as “developers should never have access to production data” or “contractors should only have access to the xyz GCP project,” whereas if you’re using something like static credentials, it’s pretty binary: you either have access, or you don’t.
The next question is: OK, now you have role-based access, but how do you give security teams visibility and control into what’s happening over these connections?
Our answer is the audit layer we’ve built on top of the solution.
Complete Session View
To the right, what you can see is that if you have engineers using SSH or some other protocol like kubectl, you’ll be able to give your audit or security team full visibility into what’s happening, with complete session recordings and detailed audit logs that show who logged in at what point and what they did during that session. All of these audit logs can be saved in JSON format for further analysis in tools like Elastic and Splunk.
One organization we partner with today is DoorDash. They have an extremely ephemeral infrastructure and were previously using a mix of homegrown and legacy solutions. They decided to start using Teleport to consolidate access to their entire infrastructure while ensuring they stay PCI compliant and secure.
These audit logs and session recordings are certainly a big part of this equation.
Access Request
The final piece to touch on is the idea of fitting within your existing workflow and working with everything you have today. In addition to embracing identity-based access, organizations must move away from having privileged accounts. No one should ever “have root” access. The industry best practice is to adopt just-in-time privilege elevation tied to a specific task, and our answer to this is our customizable Access Request APIs, available via popular tools like JIRA.
Another partner of ours today, Cohesity, utilizes our JIRA integration for customers to grant temporary access to their infrastructure for support purposes.
It’s an interesting use case that helps show the flexibility of Teleport.
Open Source
Teleport is open source, and this speaks to our DNA. If you compare us with legacy solutions, you’ll notice one key similarity among them: they tackled this by creating cumbersome enterprise solutions that catered to checking the boxes for security or compliance, and didn’t necessarily prioritize the end user.
At Teleport, we’ve created a solution from the ground up with engineering, DevOps and SREs in mind. Our founding engineers came from this world and experienced these problems first hand. This is what truly makes us different, and why being open source is so important to us.
Teleport Enterprise
Although we are open source, we do have some enterprise features available that our customers have appreciated. This is an open-core model, similar to MongoDB and Elastic, and those features are (talk through features): SSO integration, and more granular access with advanced access requests.
Today you have the ability to run Teleport on-prem, and we will soon have a cloud offering as well.
Teleport Enterprise includes:
Although we are open source, we do have some enterprise features available that our customers have appreciated. This is an open-core model, similar to MongoDB and Elastic, and those features are: enterprise SSO integrations, workflow API plug-ins, and support.
And depending on your needs, Teleport can be deployed on your own infrastructure or hosted by us.
Trusted by Leading Organizations
The final slide here gives you a peek at some of the organizations we work with today. As you can see, we have a plethora of organizations in different industries, but the thing they all have in common is that they wanted to make sure their engineers weren’t bogged down with multiple solutions, and were enabled to do the right thing by default by staying compliant and secure.
To reiterate: in the past, particularly with legacy solutions, the feedback we’ve gotten from the market is that engineers don’t love using these tools. They tend to be heavyweight, and they make engineers do things that don’t feel natural within their workflow. So we listened to the market and built an open source, dev-friendly solution. It’s easy to spin up, it’s a single binary, and it’s purpose-built to consolidate access and give engineers the freedom to do computing anywhere, in any environment, with total trust.