Effective URL: https://goteleport.com/resources/books/identity-native-infrastructure-access-management/?mkt_tok=ODE5LVdIVC00ODMAAAGOkZ...
Submission: On October 03 via api from IL — Scanned from DE



WHAT IS IDENTITY-NATIVE INFRASTRUCTURE ACCESS?



Identity-Native Infrastructure Access is the concept of linking access to an
identity. Instead of sharing passwords or other secrets, access is granted based
on an individual's identity. Deployed by the world's largest tech companies, it is
the only way to scale access securely. So, how can you secure access to diverse
infrastructure components, from bare metal to ephemeral containers, consistently
and simply?

In this practical book, authors Ev Kontsevoy, Sakshyam Shah, and Peter Conrad
break this topic down into manageable pieces.




WHAT YOU WILL LEARN

Traditional secret-based credentials can't scale to meet the complexity and size
of cloud and on-premises infrastructure. Today's applications are spread across
a diverse range of clouds and colocation facilities, as well as on-prem data
centers. Each layer of this modern stack has its own attack vectors and
protocols to consider.

How can you secure access to diverse infrastructure components, from bare metal
to ephemeral containers, consistently and simply? In this practical book,
authors Ev Kontsevoy, Sakshyam Shah, and Peter Conrad break this topic down into
manageable pieces. You'll discover how different parts of the approach fit
together in a way that enables engineering teams to build more secure
applications without slowing down productivity.

With this book, you'll learn:

 * The four pillars of access: connectivity, authentication, authorization, and
   audit
 * Why every attack follows the same pattern, and how to make this threat
   impossible
 * How to implement identity-based access across your entire infrastructure with
   digital certificates
 * Why it's time for secret-based credentials to go away
 * How to securely connect to remote resources including servers, databases, K8s
   Pods, and internal applications such as Jenkins and GitLab
 * Authentication and authorization methods for gaining access to and permission
   for using protected resources


AUTHORS

EV KONTSEVOY

CEO, TELEPORT

SAKSHYAM SHAH

DEVELOPER RELATIONS ENGINEER, TELEPORT

PETER CONRAD

AUTHOR OF WHAT IS KUBEVIRT?


BOOK OUTLINE


CHAPTER 1: THE PILLARS OF ACCESS



In modern DevOps-driven infrastructure management, access must be both secure
and scalable. To achieve both, organizations must move away from traditional
secret-based access to identity-based access, and for identity-based access to
be effective, true identity must be carried through every stage of access.

This chapter introduces the four core stages of access: connectivity,
authentication, authorization and audit, which the book terms the Pillars of
Access. It also introduces the trade-off between security and convenience and
the foundations of identity-based access.


CHAPTER 2: IDENTITY



Traditional access control has always been based on possession of some form of
secret, such as a password or a private key. Because such secrets are vulnerable
to human error and are easy to steal, spoof, lose or misuse, secretless access
based on true identity offers a more secure alternative.

But how can true identity be derived and used for access? For humans, it can be
derived from biological factors (fingerprint, retina and so on). For machines, a
TPM can hold a machine-specific key and certificate attested by the
manufacturer. This chapter details how these true identities are then attested
by a certifying authority, in a process called identity proofing, paving the way
for identity-based access.


CHAPTER 3: SECURE CONNECTIVITY



This chapter starts with a brief introduction to cryptography, symmetric and
asymmetric encryption and digital certificates, the fundamental technologies
that enable identity-based access. It then introduces zero trust approaches to
secure connectivity.

Historically, network connectivity was synonymous with access. An Ethernet cable
connecting a client's computer to the office network literally meant the client
could "access" the network and the servers hosted on it. Gradually, security
champions added authentication and encryption to the perimeter-defined network,
and the VPN was born. VPNs did a good job of securing access to the network, but
that model is obsolete and no longer makes sense, because:

 * The perimeter-based model treated clients connecting from outside the
   perimeter as insecure and clients inside the network as secure. An attacker
   who breached the perimeter therefore had a free pass to access and compromise
   the internal network.
 * Computing infrastructure is spread across multiple data centers and cloud
   providers. There is no single corporate network around which a perimeter can
   be drawn, and shoehorning one in only adds complexity while adding little
   value.
 * Most infrastructure attacks target the application layer, where VPN-based
   security has a complete blind spot.

Addressing these challenges, this chapter lays out techniques for modern zero
trust connectivity.


CHAPTER 4: AUTHENTICATION



Traditional secret-based authentication has two major security flaws:

 * Insecure by design: there is no default security boundary; secrets require
   high entropy and sets of constraints (minimum length, special characters and
   so on) and careful hashed-and-salted storage in the backend.
 * Insecure in practice: security depends on users not writing secrets down on
   sticky notes and developers not pushing them in git commits, and secrets are
   susceptible to phishing.

Besides security, there is an operational side to authentication: scaling it to
hundreds or thousands of clients on demand and properly authenticating both
humans and bots. This chapter evaluates different schemes and methods of
authentication against these requirements.
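As an added example (not code from the book or from Teleport), here is the certificate-based authentication that Chapters 3 and 4 argue for, in Go using only the standard library: a CA binds a user's name and roles to the user's public key in a short-lived X.509 certificate, and the server establishes identity by verifying the chain, validity window and key usage, then challenging the client to prove possession of the key named in the certificate. No password or long-lived secret is ever stored on the server side. The CA name, the user "alice", the "dev" role and the TTLs are assumptions for the demonstration; a real deployment would issue SSH or TLS certificates from an SSO-backed CA rather than run everything in one process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA vouches for identities. Its key never leaves the CA; clients hold only
// their own key plus a short-lived certificate.
type CA struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
	Pool *x509.CertPool
}

// NewCA creates a self-signed CA (the name is hypothetical, for the example).
func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, Key: priv, Pool: pool}, nil
}

// IssueUserCert binds the user's name and roles to the user's public key for ttl.
// The user proved their identity to the CA out of band (SSO, identity proofing);
// the certificate is what the infrastructure trusts, so no secret is shared.
func (ca *CA) IssueUserCert(user string, roles []string, pub ed25519.PublicKey, ttl time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: roles},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// Authenticate is the server side: verify chain, validity window and usage at
// time `at`, then require proof of possession by having the client sign a
// fresh nonce with the key the certificate names. Identity comes from the
// certificate, never from a secret the server stores.
func (ca *CA) Authenticate(der []byte, sign func(nonce []byte) []byte, at time.Time) (user string, roles []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	if _, err = cert.Verify(x509.VerifyOptions{
		Roots:       ca.Pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", nil, err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return "", nil, errors.New("unexpected key type")
	}
	nonce := make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	if !ed25519.Verify(pub, nonce, sign(nonce)) {
		return "", nil, errors.New("proof of possession failed")
	}
	return cert.Subject.CommonName, cert.Subject.OrganizationalUnit, nil
}

func main() {
	ca, _ := NewCA("example-access-ca")
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ := ca.IssueUserCert("alice", []string{"dev"}, userPub, 8*time.Hour)
	signer := func(n []byte) []byte { return ed25519.Sign(userKey, n) }
	user, roles, err := ca.Authenticate(cert, signer, time.Now())
	fmt.Println(user, roles, err)
	_, _, err = ca.Authenticate(cert, signer, time.Now().Add(9*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Note what the server never needs: a password database, a list of authorized keys per host, or any per-user secret. Revocation of a short-lived certificate is simply waiting for it to expire, and the roles travel inside the signed certificate, which is what the authorization layer consumes next.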


CHAPTER 5: AUTHORIZATION



Authorization must be scalable, expressive and account for insider threats.
Access policy should be context driven, based on identity, roles, intent and
attributes rather than on implicit trust. This chapter traces three stages in
the evolution of access control: from classic access control models such as MAC,
DAC and RBAC, to privileged access management, to zero trust and identity-based
authorization. Finally, it introduces the core concepts and techniques of
identity-based authorization.
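As an added example (not from the book or from Teleport), a small identity-based authorization engine in Go illustrating the policy model this chapter describes: decisions are driven by the roles the authenticated identity holds, by resource labels (attributes such as env=prod) rather than resource names, and by request context such as MFA and device trust, with deny rules overriding allows. The role names, label keys, the `{{user}}` login template and the sample policy are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity is what authentication established, e.g. from the user's certificate.
type Identity struct {
	User  string
	Roles []string
}

// RequestContext carries attributes of this particular access attempt.
type RequestContext struct {
	MFAVerified   bool
	DeviceTrusted bool
}

// Labels describe a resource by attributes (env=prod, tier=db), not by name.
type Labels map[string]string

// Rule pairs OS logins with the resource labels they apply to. The login
// template "{{user}}" expands to the identity's own name; a label value of
// "*" matches any value.
type Rule struct {
	Logins []string
	Labels Labels
}

type Role struct {
	Name          string
	Allow         Rule
	Deny          Rule // an empty Deny denies nothing
	RequireMFA    bool
	RequireDevice bool
}

// matches reports whether every label the rule names is present on the
// resource with the required value. A rule with no labels matches nothing.
func (r Rule) matches(res Labels) bool {
	if len(r.Labels) == 0 {
		return false
	}
	for k, want := range r.Labels {
		got, ok := res[k]
		if !ok || (want != "*" && want != got) {
			return false
		}
	}
	return true
}

func (r Rule) hasLogin(id Identity, login string) bool {
	for _, l := range r.Logins {
		if strings.ReplaceAll(l, "{{user}}", id.User) == login {
			return true
		}
	}
	return false
}

// Authorize decides whether id may log in as login on a resource carrying res.
// Deny rules of any held role win; otherwise some held role must allow both the
// login and the labels and have its contextual requirements satisfied.
func Authorize(id Identity, roles map[string]Role, ctx RequestContext, login string, res Labels) (bool, string) {
	var held []Role
	for _, n := range id.Roles {
		r, ok := roles[n]
		if !ok {
			return false, "unknown role " + n
		}
		held = append(held, r)
	}
	for _, r := range held {
		// A Deny with no logins listed denies every login on matched resources.
		if r.Deny.matches(res) && (len(r.Deny.Logins) == 0 || r.Deny.hasLogin(id, login)) {
			return false, "denied by role " + r.Name
		}
	}
	reason := "no role allows " + login + " here"
	for _, r := range held {
		if !r.Allow.matches(res) || !r.Allow.hasLogin(id, login) {
			continue
		}
		switch {
		case r.RequireMFA && !ctx.MFAVerified:
			reason = r.Name + " requires MFA"
		case r.RequireDevice && !ctx.DeviceTrusted:
			reason = r.Name + " requires a trusted device"
		default:
			return true, "allowed by role " + r.Name
		}
	}
	return false, reason
}

// Roles is a constructed sample policy, not a real one.
var Roles = map[string]Role{
	"dev": {Name: "dev", Allow: Rule{Logins: []string{"{{user}}", "ubuntu"}, Labels: Labels{"env": "staging"}}},
	"sre": {
		Name:          "sre",
		Allow:         Rule{Logins: []string{"{{user}}", "root"}, Labels: Labels{"env": "*"}},
		Deny:          Rule{Labels: Labels{"pci": "true"}},
		RequireMFA:    true,
		RequireDevice: true,
	},
}

func main() {
	alice := Identity{User: "alice", Roles: []string{"dev"}}
	bob := Identity{User: "bob", Roles: []string{"dev", "sre"}}
	trusted := RequestContext{MFAVerified: true, DeviceTrusted: true}
	cases := []struct {
		who   Identity
		ctx   RequestContext
		login string
		res   Labels
	}{
		{alice, RequestContext{}, "ubuntu", Labels{"env": "staging"}},
		{alice, trusted, "root", Labels{"env": "prod"}},
		{bob, RequestContext{}, "root", Labels{"env": "prod"}},
		{bob, trusted, "root", Labels{"env": "prod"}},
		{bob, trusted, "bob", Labels{"env": "prod", "pci": "true"}},
	}
	for _, c := range cases {
		ok, why := Authorize(c.who, Roles, c.ctx, c.login, c.res)
		fmt.Printf("%s as %s on %v: %v (%s)\n", c.who.User, c.login, c.res, ok, why)
	}
}
```

The design choice worth noting is that nothing in the policy names a host: a freshly provisioned server with env=prod is covered the moment it reports its labels, which is what makes the scheme scale, and the deny-wins ordering is what keeps an over-broad allow in one role from silently overriding a restriction in another.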


CHAPTER 6: AUDIT



A detailed audit log (who did what, when and how) is a critical artifact when
investigating a security incident, and real-time audit logging can help detect
anomalies before an incident occurs. Access audit logs come with a catch,
though: when access control depends on secrets and spoofable identities, the log
records which account acted but cannot reliably say who, and the audit data
becomes meaningless.

This chapter covers the basics of auditing with an emphasis on identity-aware
logging.
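An added example of identity-aware audit logging in Go (constructed here, not from the book or from Teleport): each event records both the OS login used on the host and the identity the certificate asserted at authentication time, so the log can say which people used a shared login such as root, reconstruct one person's timeline across hosts, and flag events that arrived with a login but no identity, which is what every event looks like under secret-based access. The sample log lines and the field names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// AuditEvent is one line of an identity-aware access log. User is the identity
// the certificate asserted; Login is the OS account actually used on the host.
type AuditEvent struct {
	Time    string `json:"time"`
	Event   string `json:"event"`
	User    string `json:"user"`
	Login   string `json:"login"`
	Host    string `json:"host"`
	Command string `json:"command,omitempty"`
}

// SampleLog is constructed for this example; it is not real Teleport output.
// The fourth line stands for a session opened with a shared key: the log knows
// the account but not the person.
const SampleLog = `{"time":"2023-10-03T09:00:01Z","event":"session.start","user":"alice@example.com","login":"root","host":"db-1"}
{"time":"2023-10-03T09:00:05Z","event":"exec","user":"alice@example.com","login":"root","host":"db-1","command":"pg_dump customers"}
{"time":"2023-10-03T09:12:00Z","event":"session.start","user":"bob@example.com","login":"root","host":"db-1"}
{"time":"2023-10-03T09:13:30Z","event":"session.start","user":"","login":"root","host":"db-1"}
{"time":"2023-10-03T09:15:00Z","event":"session.start","user":"alice@example.com","login":"alice","host":"web-2"}`

// ParseEvents reads newline-delimited JSON, skipping blank lines.
func ParseEvents(raw string) ([]AuditEvent, error) {
	var out []AuditEvent
	for i, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, ev)
	}
	return out, nil
}

// Unattributed returns events that carry a login but no identity. With
// secret-based access every event looks like this and "who" is unanswerable.
func Unattributed(evs []AuditEvent) []AuditEvent {
	var out []AuditEvent
	for _, ev := range evs {
		if ev.User == "" {
			out = append(out, ev)
		}
	}
	return out
}

// WhoUsed lists, sorted, the identities that used a given login on a host.
func WhoUsed(evs []AuditEvent, host, login string) []string {
	seen := map[string]bool{}
	for _, ev := range evs {
		if ev.Host == host && ev.Login == login && ev.User != "" {
			seen[ev.User] = true
		}
	}
	users := make([]string, 0, len(seen))
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

// Timeline reconstructs what one identity did, across hosts and logins, in log order.
func Timeline(evs []AuditEvent, user string) []string {
	var lines []string
	for _, ev := range evs {
		if ev.User != user {
			continue
		}
		s := fmt.Sprintf("%s %s %s@%s", ev.Time, ev.Event, ev.Login, ev.Host)
		if ev.Command != "" {
			s += " " + ev.Command
		}
		lines = append(lines, s)
	}
	return lines
}

func main() {
	evs, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("root on db-1 was used by:", WhoUsed(evs, "db-1", "root"))
	for _, l := range Timeline(evs, "alice@example.com") {
		fmt.Println("alice:", l)
	}
	for _, ev := range Unattributed(evs) {
		fmt.Printf("unattributed: %s %s@%s at %s\n", ev.Event, ev.Login, ev.Host, ev.Time)
	}
}
```

The point of the `Unattributed` check is that it is a detection you can only run once identity is in the log at all: under a shared-key regime, the fourth line is indistinguishable from the other three.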


CHAPTER 7: SCALING ACCESS



The best form of access control is the one that lets us scale infrastructure
operations without compromising security. In the end, obtrusive security
hinders engineering workflows and can cost more than the incident it was meant
to prevent.

This chapter discusses how identity-native systems enable scalable and secure
infrastructure access and lays out the technical concepts needed to implement
one.


CHAPTER 8: CALL TO ACTION



The previous chapters talk a lot about what we do not want to allow: human
error, vulnerabilities, attacks and threats. But the point of the book is
access, letting people in rather than shutting them out, so that people can work
together easily.

This chapter offers some parting words on security and convenience at scale, the
future of trust, infrastructure as one big machine, and the future of security
threats.



© 2023 Gravitational Inc.; all rights reserved.
