
Customer Case Study

Exness Elevates Global Kubernetes & Infrastructure Security with Teleport

Exness is one of the world’s largest trading technology companies, serving global financial markets with high-performance trading infrastructure, data-driven analytics, and proprietary algorithms. As a regulated financial services provider, Exness treats security as a core business priority — foundational to protecting client trust, platform reliability, and compliance with standards such as PCI DSS, SOC 2, and ISO 27001 certifications. With rapid expansion into new regions, the company has doubled its infrastructure footprint in recent years and opened new data centers to support increasingly low-latency trading needs. To support this growth and maintain the highest security posture, Exness undertook a multi-year initiative to enhance and optimize its entire infrastructure security model. Teleport became a critical pillar in this transformation, enabling unified identity and secure access to Kubernetes, databases, hosts, and sensitive internal applications across a large, globally distributed environment.

*Exness does not offer services to residents of certain jurisdictions including the U.S., Canada, Iran, North Korea, Europe, the United Kingdom, Russia, Belarus and others.

Challenge

As Exness expanded, so did the complexity of its infrastructure:

  • Hundreds of Kubernetes clusters across on-prem and cloud environments
  • Dozens of development teams operating with broad freedom in their technology choices
  • Strict regulatory and internal security requirements
  • Processes that served well in the past but were based on manual access routing and permanent privileges

These challenges underscored the need for an Infrastructure-as-Code-compatible, Kubernetes-native solution. Exness required full automation, GitOps readiness, SSO support, and machine identity — all in one platform. Teleport was the only evaluated solution that met every requirement.


Before Teleport, Exness faced several critical barriers:

  • Fragmented Access Workflows: For instance, a K8s-related incident response may involve access to both the Kubernetes API and SSH nodes, but no single solution provided unified access. The Security team had to stitch together tools and manually orchestrate approvals.
  • Heavy Operational Burden on Security & DB Teams: Permanent or manually granted temporary access resulted in high volumes of approvals and operational load, with database access bottlenecked behind the DB administration team.
  • No Single, Security-Owned Access Layer: Identity lived in systems owned by other teams, forcing Security to create request tickets for access changes — slow and inefficient for critical operations.
  • Shadow Access Pathways: Multiple ways to access Kubernetes (cloud-native tooling, auth certificates, external platforms) created audit blind spots that might lead to inconsistent security enforcement.

Solution

Exness began with Teleport Community Edition, validating the platform in full production conditions using the open source license before shifting to the Enterprise Edition. Teleport was deployed via Helm and Terraform across two high availability (HA) data centers, backed by Postgres and fronted by active-active load balancers.

Teleport became the unified access layer for:

  • Kubernetes clusters (on-prem and EKS)
  • SSH access to nodes
  • Production databases
  • Sensitive internal applications
  • CI/CD pipelines via Machine ID

Key Architectural Choices

  • Terraform Provider used for all Day-2 operations (roles, resources, access policies).
  • Teleport Machine ID integrated with GitLab for short-lived CI/CD credentials, replacing a 3rd-party solution used to provide permanent non-flexible access tokens, thus improving pipeline security.
  • Two Teleport agent replicas per cluster for resilient access and rapid failover backed by real-time monitoring based on the native agent metrics.
  • Security Operations Center alerts triggered if any access path bypasses Teleport.

 

Teleport is a flexible solution and one that provides a solid foundation for building unified access-control, thanks to its IaC- and automation-native design.

Roman Levkin

Technical Lead - Platform & Kubernetes Security, Exness

Results

Team Based Just-In-Time (JIT) Access

The biggest improvement was the creation of team-approved JIT access, eliminating permanent write privileges for developers and shifting approvals from a bottlenecked security team to the team closest to the workload.

  • Developers request elevated access in Slack
  • Any peer with equivalent permissions can approve
  • Double approvals required for the most sensitive environments

This dramatically reduced operational load, improved response times, and tightened security.

Teleport eliminated hundreds of manual approvals every week. Security and DB teams finally regained their time because access became peer-approved instead of bottlenecked.

Removal of All Permanent Database Credentials
Using Teleport Database Access, Exness eliminated all local DB credentials. Development teams now execute their own database write operations under Teleport-mediated, JIT-approved sessions, freeing the DB team from dozens of weekly manual tasks.

Unified Access Provisioning
Teleport became the first security-owned, unified platform to grant access across Kubernetes, servers and databases — removing the need to orchestrate changes among other internal departments.

More Secure CI/CD Push Model
Teleport Machine ID replaced permanent Kubernetes tokens used in GitLab pipelines, enabling secure short-lived credentials for push-based deployment workflows.

Elimination of Shadow Access Paths
Security now enforces Teleport as the exclusive access method for several types of infrastructure assets, with SOC alerts triggered whenever bypass attempts occur. This significantly elevated auditability and reduced risks.

Stronger Compliance Posture
Exness continues to prove its compliance with global regulatory requirements such as PCI DSS, SOC 2, and ISO 27001 certifications, with Teleport providing the fine-grained auditability, JIT controls, and identity-driven access required for regulated FinTech environments.

Future Plans

Exness plans to deepen its Teleport deployment by:

  • Exploring additional asset types, e.g. Vertica database
  • Working toward more granular logic of Teleport “deny” policy rules and managed sessions
  • Seeking licensing models better aligned with Kubernetes cluster lifecycles
  • Evaluating Windows access once agent privilege requirements and RDP limitations improve

Teleport remains a foundational component of Exness’ long-term infrastructure security roadmap.

Key Takeaways

Before Teleport: Manual workflows, fragmented access tooling, permanent credentials, shadow access paths, operational bottlenecks.
After Teleport: Unified, identity-driven access across critical assets; team-based JIT; reduced operational load; stronger security posture; improved auditability.
Impact: Faster incident response, elimination of credential sprawl, more secure CI/CD pipelines, and a scalable foundation for rapid global growth.
Looking Ahead: Continued integration of assets, improved logic of K8s “deny” rules and managed sessions, and licensing optimization.

HQ

Cyprus

Industry

Global (outside of the U.S.)*

Mission

Exness is a global FinTech company providing advanced trading technology and financial services solutions across multiple regions, with a strong emphasis on reliability, performance, and security.