Dec Newsletter. Never Trust an Elf, Always Verify

It’s been a year since we debated if Santa is an insider threat. For this festive newsletter, I’m going to be following up with how to wrangle in the elves. Historically Santa elves are known for their workshop skills, putting together cute wood toys and sewing holiday stockings. Fast forward to the 21st century and the skills required to be a modern elf have exploded. Not only do they need to deal with modern injection molding—more and more of elf production has moved to the cloud, as more kids add video games, NFTs, and meme coins to their Christmas lists. Elves have had to upskill.

But there is one problem with elves: they are mischievous. Let’s explore how we can help support the elves, keep an eye on what they are up to, and try to understand their sneaky ways.

Accessing ‘Santa's List’

The first stage of any build is to understand what you are building. The requests are stored in Santa's list, or the Naughty or Nice list. With approximately 2 billion children under 16, this dataset is a beast to wrangle with, requiring sophisticated big data processing tools and careful access controls to maintain both performance and security. With modern regulation, some EU children have data residency requirements, and also Database Access controls. Teleport's Database Access Controls (DAC) is the perfect addition to any monster database, allowing only EU Elves to access EU requests.

As with any 2 billion size dataset, data is often spread across multiple data systems. This is why Teleport’s broad support for all cloud providers and databases can come in handy. See our list of 113 + integrations.

Locking Down Production

After last year's egg nog incident, Papa Elf has had to take measures to lock down multiple production systems. For legal reasons, we shall not talk about the shelf.

To help lock down production, understanding the scale of the problem is the first step. The “Santa's List” Database has been marked as a crown jewel and we can quickly see that over 30 Elves have access to it. We start with a checklist to better lock down prod.

• ✅ Move Elves to Zero-Standing Prod access, and require an Access Request
• ✅ Enroll Elves Devices into Device Trust
• ✅ Add hardware MFA Token for all admin actions
• ✅ Secure Backend with HSM support
• ✅ Lockdown AWS Santa Cloud IAM access, with AWS IAM Identity Center Integration
• ✅ Monitor Session Recording
• ✅ Use Moderated Sessions for the most reckless of elves

The Naughty Elf

After production is locked down, a naughty elf has gone rogue and we’ve had to backtrack his activity. This is where some auditing, reporting, and recording come in helpful to quickly provide a 360 degree review of activity on the elf; without having to jump into SIEMs or other larger monitoring tools.

These are my recommendations for quickly reviewing all of the naughty elf’s activity:

1. Find all the access paths for the 'naughty_elf' user. By executing this query, it’s easy to see access patterns for the naughty elf user.

SELECT * FROM access_path WHERE identity = 'naughty_elf';

2. Add an Access Monitoring Query. Teleport Access Monitoring builds on top of AWS Athena and is the perfect way to detect changes to high-value data sources.

SELECT
  event_date,
  user,
  db_query
FROM
  santa_list
WHERE
  db_protocol = 'postgres'
  AND (db_query LIKE '%DROP%' OR db_query LIKE '%ALTER%' OR db_query LIKE '%INSERT%secret%' OR db_query LIKE '%SELECT%credit_card%')
ORDER BY event_date;

3. Lock the user, device, and critical resources. The next stage of containment is to provide a temporary or maybe permanent lock on the user. This can be done via the UI, or using tctl.

tctl lock [email protected] --message="Please come back tomorrow." --ttl=24h

4. Now The Elf has been locked, and the audit log has been queried. It’s time to start reviewing session recordings to see what he’s been up to.

Teleport cybersecurity blog posts and tech news

Every other week we'll send a newsletter with the latest cybersecurity news and Teleport updates.

Subscribe

Wrapping Up the Festive Mayhem

As the holiday rush intensifies and elves continue pushing the boundaries of modern production (and occasionally your patience), Teleport’s access controls, audit trails, and streamlined management tools can help restore order to even the most mischievous workshop. From safely browsing “Santa’s List” to tracking down the antics of a rogue elf, Teleport’s Access Platform ensures that no matter how complex or distributed your infrastructure becomes, you always have the insight, control, and peace of mind you need.

Ready to bring order and visibility to your festive operations?

• Try Teleport: Schedule a demo or start a free trial to experience how easily you can secure and manage access at scale.
• Join the Community: Need advice, want to share a holiday security tip, or just say “hi”? Join our community Slack.
• Stay Tuned: Expect more tips, tricks, and best practices in our next newsletter as we continue to help you verify (and occasionally wrangle) your ever-growing band of digital helpers.

Until next time, keep your sleigh secure and your elves accountable!

ICYMI

• Webinar Replay: Securing Infrastructure Access at Scale in Large Enterprises (Dec 12)
• MegaCast: Securing and Protecting Enterprise Cloud Data (Jan 16)
• Upcoming Webinar: Simplifying Zero Trust Security for AWS with Teleport (Jan 23)