Explore Teleport Academy: your go-to hub for insightful articles, learning resources, and comprehensive guides.

Teleport Academy

Cryptographic Identity

Cryptographic Identity refers to the use of computer science and mathematical theory to securely establish and verify the identity of a user, device, or system in digital communications. Identity-based encryption is vital in ensuring secure interactions over the internet and in various digital systems. 

What is Cryptographic Identity?

Short-lived certificates are digital certificates with a brief validity period, designed to enhance cybersecurity by expiring quickly.

What are short-lived certificates?

With cyberthreats on the rise and now centered on identity, there is a need for methods of authentication that are resilient to phishing and human error. 

Credentials vs. Cryptographic Identity

Whether you're new to SSH or looking to enhance your existing security measures, understanding the fundamentals of SSH keys is crucial for maintaining a secure and streamlined infrastructure.

SSH Keys Explained: Enhancing Secure Access

Zero Trust for Infrastructure Access

Most ZTNA technologies, although adept at securing zero trust access to networks, do not embed the identity and protocol-level information necessary to apply zero trust principles for application access or workload access in modern computing infrastructure. 

What is zero trust security for applications and workloads?

Authentication and Privileges

Secretless or passwordless authentication eliminates traditional password-based methods and instead uses mechanisms that rely on verifiable identity elements—such as biometrics, digital certificates, and hardware tokens

What is Secretless (Passwordless) Authentication?

Access Requests support the principle of least privilege by ensuring individuals have access only to the resources necessary for their specific tasks, thereby minimizing potential security risks.

What are Access Requests?

Authorization plays a pivotal role in cybersecurity and access management, serving as the gatekeeper that determines which resources a user can access and what actions they can perform within a system.

What is Authorization?

By granting temporary access rights that expire after a brief period, ephemeral privileges ensure that access is only available for the duration necessary to complete specific tasks.

What are Ephemeral Privileges?

Just-in-time (JIT) access refers to the provisioning of privileged access only when it is needed, and for a limited duration.

What is Just-In-Time (JIT) access?

Principle of least privilege defines just-in-time access to your cloud-native environment to meet security and compliance requirements without disrupting your teams.

Principle of Least Privilege: What It Is & How to Implement It

RBAC stands for Role-Based Access Control. It is a method of regulating access to servers, computers or network resources based on the roles of individual users within an organization. 

What is RBAC? 

Attribute-Based Access Control (ABAC) is a method of regulating access to resources based on the attributes of both the resource and the user requesting access.

What is ABAC?

Mandatory Access Control (MAC) is a type of access control that imposes a predefined set of security rules, or labels, to control which users or systems can access specific resources.

What is MAC (Mandatory Access Control)?

OAuth 2.0 (Open Authorization) is a standard for authorization where a user allows an application to access their resources hosted on another application, on their behalf, without the sharing of their credentials.

What is OAuth 2.0 (Open Authorization)?

FIDO, or Fast IDentity Online, is a group of open standard authentication protocols created to strengthen and simplify the security of online authentication by reducing the reliance on passwords.

What is FIDO (Fast IDentity Online)?

U2F (Universal 2nd Factor) is a universal authentication standard that provides an additional layer of security for online accounts.

What is U2F (Universal 2nd Factor)?

Single Sign-On (SSO) simplifies access to multiple applications with one set of credentials, boosting security and user experience. This guide explores SSO protocols, benefits, best practices, and future trends like passwordless authentication.

What is SSO?

WebAuthn is a web standard for secure, passwordless authentication allowing web servers to authenticate users with asymmetric cryptography instead of passwords.

What is WebAuthn?

OIDC, or OpenID Connect, is an authentication layer built on top of the authorization protocol OAuth 2.0 and provides a standardized way for users to authenticate themselves to web applications.

What is OIDC (Open ID Connect)?

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, and in particular, between an identity provider (IdP) and a service provider (SP). The Identity Provider will verify the identity of the user, verifying they are who they say they are.

What Is SAML (Security Assertion Markup Language)?

User authentication is a crucial component of securing any system. Access to sensitive infrastructure resources such as servers, databases and applications must be restricted to authorized users only.

The Failures of Shared Secrets and How We Can Replace Them

This article provides a deep dive into TOTP (Time-based One-Time Password), a popular multi-factor authentication method. It explains the inner workings of TOTP, its benefits, use cases, and compares it to other authentication methods like SMS and biometric authentication.

What is Time-Based One-Time Password & How it Works

Risk-adaptive access control (RADAC) is a modern security approach that tailors authorization based on real-time risk evaluation and contextual factors, going beyond traditional static models. This article explores the benefits, key components, real-world applications, and future trends of RADAC.

Risk-Adaptive Access Control (RADAC): A Deep Dive

This article delves into the pros and cons of SMS MFA, highlighting its vulnerabilities and why it's often considered less secure than other methods like authenticator apps and security keys. It provides best practices for mitigating SMS MFA risks and discusses potential future advancements in SMS-based authentication.

SMS MFA: Is It Safe? Security Risks & Better Alternatives

This comprehensive guide to Rule-Based Access Control (RuBAC) explains how it strengthens data security by managing user access based on predefined roles and rules. Learn about the benefits of RBAC, best practices for implementation, and how it aligns with Zero Trust security principles.

Rule-Based Access Control (RuBAC): A Complete Guide

Time-Based Access Control (TBAC) enhances security by adding a temporal dimension to access control models. TBAC grants time-limited privileges, automatically revoking access upon expiration or task completion, minimizing risks and streamlining workflows.

Time-Based Access Control (TBAC): A Complete Guide

Two key concepts often come into play when discussing privileged access security: Privileged Identity Management (PIM) and Privileged Access Management (PAM). While both PIM and PAM aim to mitigate the risks associated with privileged access, they focus on different aspects of the privileged access lifecycle and offer distinct benefits.

PIM vs. PAM: Choosing the Right Approach for Identity Management

As a system administrator, you're always looking for ways to simplify user management across your organization's IT infrastructure. With the growing adoption of cloud services and the need for seamless integration between systems, a standardized approach to identity management has become essential. This is where SCIM comes into play.

SCIM Overview: Streamlining User Management

This article explores privileged access management (PAM), explaining its importance in securing critical systems and sensitive data. It covers best practices, common pitfalls, practical applications, and future trends like zero trust and AI integration.

Privileged Access Management (PAM)

Governance

Identity Governance and Administration (IGA) is a comprehensive approach to managing and securing user identities and access within an organization

What is Identity Governance & Administration (IGA)?

Identity Threat Detection & Response (ITDR) focuses on protecting organizational assets through the vigilant monitoring of identity-related events. 

What is Identity Threat Detection and Response (ITDR)?

Cloud Infrastructure Entitlement Management (CIEM) is a class of cybersecurity identity and access management (IAM) solutions focused on reducing access risk for cloud technologies.

What is Cloud Infrastructure Entitlement Management (CIEM)?

Observability is a critical capability in modern software engineering, enabling teams to monitor, diagnose, and optimize complex systems across various architectures, including cloud-native, microservices, and serverless

What is Observability?

Infrastructure Access

Bastion hosts act as fortified gateways that control access to internal resources from external networks. 

What are bastion hosts?

Mutual Transport Layer Security (mTLS) enhances the security of the TLS protocol by implementing two-way authentication and encryption.

What is mutual TLS authentication (mTLS)?

In DevOps architectures, where automation plays a key role, CI/CD systems and automated bots like Drone, Jenkins, and GitHub Actions, perform essential tasks related to the management, deployment, and maintenance of applications and services in cloud and on-premises deployments.

What are non-human identities?

TCP/IP, also known as Internet Protocol Suite, is a collection of networking protocols that works together to transfer a data packet from one computer to another using computer networks. 

What is TCP/IP protocol suite?

A VPN, or Virtual Private Network, is a tool that allows you to create a secure and private connection between your device and the public internet. A VPN connection will encrypt your internet traffic and route it through a remote server, keeping your activity hidden from hackers, ISPs, and any third-party with malicious intent.

What is a VPN (Virtual Private Network)?

TCP/IP and OSI model serves a similar purpose - to map all the bits and pieces involved in networked communication. While OSI is the recommended standard, the internet was designed around the TCP/IP model.



Comparing TCP/IP and OSI Model

IPv4 is a 32 bit network address scheme widely used on the internet. IPv6 is a 128 bit network address scheme designed to replace IPv4.

How IPv4 and IPv6 works

Uncover effective strategies for managing IoT devices remotely at scale. Our comprehensive guide provides security teams with solutions for secure and efficient IoT device control. 


How to Access and Monitor IoT Devices Securely

Zero Trust Network Access (ZTNA) is a security solution that provides secure remote access to corporate resources based strictly on identity and context. Identity verification for every person and device is required continuously regardless of network location or whether they have previously accessed a resource or not. No one is trusted from inside the network or outside, which is a tighter ship than the traditional approach of one being universally trusted as long as they are inside the network.

Implementing Zero Trust Network Access in Cloud-Native Environments

Learn how to set up a secure SSH bastion server for your AWS EC2 instances with Teleport. Explore the advantages, setup options, and step-by-step instructions for enhancing your AWS infrastructure security. Suitable for all skill levels.

SSH Bastion Server on AWS: Setup Guide & Security Benefits

This article is a how-to guide to deploy self-hosted Teleport in a highly available mode on an on-prem environment using HAproxy, etcd, and minIO.

 Deploying self-hosted Highly Available Teleport on an On-Prem data center.

This article provides a comprehensive guide to using the ssh-keygen command for generating and managing SSH keys.  It covers key types, passphrases, using ssh-agent, best practices, and future trends in secure access.

Mastering SSH Keygen

The Backend for Frontend (BFF) pattern creates dedicated backends for each frontend application, optimizing user experiences and simplifying development. It acts as an adapter between frontends and microservices, increasing backend agility and promoting faster development processes.

Backend for Frontend (BFF) Pattern: Microservices for UX

IaC revolutionizes infrastructure management by automating provisioning and deployments through code.  It increases speed and reliability while enhancing collaboration and reducing costs, using tools like Terraform and Ansible.

Infrastructure as Code (IaC): Automating IT Infrastructure

This tutorial provides a comprehensive guide to AWS Organizations, explaining how to manage multiple accounts, implement service control policies, and optimize billing. Learn best practices and common pitfalls to effectively govern your AWS cloud environment.

AWS Organizations Tutorial: Mastering Multi-Account Management

Compliance & Audit

PCI compliance embodies the commitment of organizations to protect cardholder data by adhering to the Payment Card Industry Data Security Standard (PCI DSS).

What is PCI Compliance?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) represents a critical regulatory framework designed to ensure the privacy, security, and confidentiality of protected health information (PHI) within the healthcare sector.

What is HIPAA compliance?

The SOC 2 framework is published by the American Institute of Certified Public Accountants (AICPA) and is a voluntary cybersecurity attestation. 

What is SOC2 compliance?

FedRAMP (Federal Risk and Authorization Management Program) is a critical framework for cloud service providers (CSPs) aiming to offer their cloud solutions to the U.S. federal government

What is FedRAMP compliance?

Access logging is the practice of system monitoring via a file or a collection of files that detail all of the various activities on a system. Composed of various events and metadata, good access logging practices will help you stay informed on exactly what is happening in your infrastructure, and exactly who is carrying out these various activities.

Access Logging

No matter the size of your company or the size of your engineering team, it is always important to maintain visibility into what’s happening in your infrastructure. As your company grows, however, and you start to need to meet compliance standards like the SOC2 and FedRAMP frameworks, keeping detailed, specific audit logs becomes a must-have.

OS Default Logging with Windows

A deep dive into best practices for what is audit logging with best practices for cloud native companies.

Guide to Audit Logging for Cloud Native Companies

Auditing and reviewing workload access deployed in Kubernetes clusters is critical for achieving compliance.  Learn how to audit AWS EKS Workloads.

Auditing and Reviewing Amazon EKS Workloads  

Additional Resources

Discover the differences between Teleport and CyberArk, two privileged access management (PAM) solutions designed to secure critical infrastructure. While CyberArk uses secrets like passwords and keys, Teleport is an open-source, secretless, and cloud-native PAM that delivers essential capabilities while maximizing developer productivity and supporting modern tools like Kubernetes and cloud databases.

Teleport vs. CyberArk

Compare

The post compares StrongDM and Teleport, two infrastructure access platforms. StrongDM is proprietary, while Teleport is open-source and offers advanced security and compliance capabilities.

StrongDM vs Teleport

Hashicorp Boundary vs Teleport: Teleport is an open-source infrastructure access platform that replaces secrets like passwords and keys with secure certificates, providing a complete Zero Trust solution, while HashiCorp Boundary is a remote access solution offering deep integration with HashiCorp Vault for temporary credentials. Both solutions offer secure access to infrastructure, but Teleport boasts advanced security features, wider client and protocol support, and a secretless approach.

Hashicorp Boundary vs Teleport

Having some issues with StrongDM or just want to see what else is out there? Today we’ll walk you through what StrongDM is good at, what it’s not so good at and some alternatives that match different use cases. 

StrongDM Alternatives to Secure Infrastructure Access

How-to Guides

Configuring Role-Based Access Control (RBAC) for Microsoft Azure Managed Kubernetes Service (AKS)

Azure AKS RBAC

In this tutorial, we’ll look at how to authenticate Microsoft Azure Kubernetes Service (AKS) Kubernetes clusters with GitHub single sign-on (SSO).

Authenticating Azure AKS Kubernetes Clusters with GitHub SSO

How to Authenticate Azure AKS Kubernetes Clusters with Okta SSO. Consolidating access and providing an audit log for access

Authenticating Azure AKS Kubernetes Clusters with Okta SSO

A practical guide showing how you can implement just-in-time access for EKS using Teleport.  


Just-in-Time Access for Amazon EKS

In this tutorial, we’ll look at how to authenticate AWS EKS Kubernetes clusters with GitHub single sign-on (SSO).

Authenticating AWS EKS Kubernetes Clusters with GitHub SSO

Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO. A how-to guide. 

Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO

In this article on securing access to Kubernetes, we will explore how Teleport brings an additional layer of security to clusters based on Google Kubernetes Engine (GKE) managed service from Google Cloud Platform (GCP).

Authenticating Google Kubernetes Engine Clusters with Okta SSO

Authenticating Google Kubernetes Engine Clusters with Google Workspace SSO

Authenticating GCP GKE with Google Workspace SSO

Configuring Role-Based Access Control (RBAC) for Google Cloud Kubernetes Engine (GCP GKE). 

RBAC for Google Cloud Kubernetes Engine (GCP GKE)

In this tutorial, we’ll look at how to authenticate Google Kubernetes Engine (GKE) Kubernetes clusters with GitHub single sign-on (SSO).

Authenticating GKE Kubernetes Clusters with GitHub SSO

We will guide you through the steps to configure single sign-On (SSO) for Amazon EKS clusters with Okta, SAML and Teleport Enterprise.

How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters

An overview guide for how to protect and connect to Proxmox VE edition using Teleport. 

How to Access Proxmox Virtual Environment with Teleport

Resource Access and Identity Verification Methods

Learn how to use EC2 Instance Connect for secure, SSH-keyless access to your AWS EC2 instances. Simplify your workflow and boost your cloud security today.

A Guide to EC2 Instance Connect

Master kubectl for Amazon EKS in this concise guide. Learn key commands to deploy, manage, and scale applications on AWS Kubernetes clusters. Ideal for IT pros and developers seeking to streamline their EKS workflows

Managing Amazon EKS Clusters with kubectl

This guide explores AWS EC2 Serial Console, a powerful tool for remotely accessing your EC2 instances, even when traditional methods like SSH fail. Learn how to enable, access, and use EC2 Serial Console for troubleshooting, system maintenance, and more.

Accessing the Inaccessible: Your Guide to AWS EC2 Serial Console 

This guide provides a comprehensive overview of establishing secure EC2 RDP connections to your Windows instances. It covers the setup process, security best practices (including alternatives to direct RDP), troubleshooting common issues, and answers to frequently asked questions.

Secure EC2 RDP: The Ultimate Guide to Safe Access

This guide explores AWS Session Manager as a secure alternative to SSH for accessing your EC2 instances. Discover its benefits, step-by-step setup, and how it enhances your cloud security posture while simplifying management.

Secure AWS EC2 Access with Session Manager

This comprehensive guide provides a step-by-step walkthrough on how to establish a secure SSH connection to your Amazon EC2 instance. It covers key concepts, security best practices, and common troubleshooting tips for a secure and efficient remote access experience.

How to SSH into an EC2 Instance: A Step-by-Step Guide

This guide provides a detailed walkthrough of setting up LDAP authentication for PostgreSQL, explaining how to enhance database security and simplify user access management. It also covers benefits like centralized control and answers frequently asked questions about the process.

PostgreSQL LDAP Authentication: A Step-by-Step Guide

This guide provides a comprehensive overview of implementing RADIUS authentication for your PostgreSQL database. It covers the benefits, setup process, and answers frequently asked questions to help you strengthen your database security.

Secure PostgreSQL with RADIUS Authentication: A Step-by-Step Guide

This guide explores how Simple Random Tokens provide a critical layer of security for web applications by generating unique, time-limited identifiers for user verification.  Learn how these tokens work, their advantages, and best practices for implementation to strengthen your authentication processes.

Simple Random Tokens: A Guide to Secure Authentication

This guide explains how PostgreSQL password authentication safeguards your data. You'll learn how to configure authentication methods in pg_hba.conf, set strong passwords, and follow essential security best practices to protect your database from unauthorized access.



PostgreSQL Password Authentication: A Complete Guide

This guide provides a comprehensive walkthrough of setting up SSL authentication for your PostgreSQL database. It covers generating SSL certificates, configuring your server, and enforcing secure connections, ensuring your data remains protected.

PostgreSQL SSL Authentication: A Step-by-Step Guide

RBAC stands for Role-Based Access Control. It is a method of regulating access to servers, computers or network resources based on the roles of individual users within an organization. RBAC allows administrators to define roles, assign permissions to those roles and then assign users to the appropriate roles for their job functions. This allows for a more fine-grained approach to access control, as users should only be given the permissions they need to perform their jobs.

A common role in a cloud environment might be "Cloud Infrastructure Administrator" or simply an “SRE Team”. This role would manage and maintain the organization's cloud infrastructure. As such, the SRE role would likely be granted permissions to perform tasks such as:

Managing and provisioning cloud resources, such as virtual machines and storage

Configuring and managing network and security settings

Monitoring cloud resource usage and costs

Managing user access and permissions to the cloud environment

Automating cloud infrastructure deployment and scaling

This example is just one of the many roles that can be defined in a cloud environment, depending on the specific needs of the organization and the different job functions that exist within it.

Access Control Lists (ACLs) are access control mechanisms often used in conjunction with Role-Based Access Control (RBAC). Using ACLs in combination with RBAC provides a more fine-grained and flexible approach to access control.

In an ACL-based system, each resource is associated with an ACL specifying the permissions different users or groups have for that resource. For example, an ACL for a file might specify that certain users have read-only access while others have read-write access.

RBAC, on the other hand, is a method of regulating access to resources based on the roles of individual users within an organization. RBAC allows administrators to define roles, assign permissions to those roles and then assign users to the appropriate roles for their job functions.

When used together, ACLs and RBAC provide a powerful and flexible way to control access to resources. For example, an organization might use RBAC to define roles such as "developer" and "administrator" and assign permissions to those roles and then use ACLs to further refine access control by specifying individual role/shared user permissions or groups for specific resources. This allows for a more fine-grained and flexible approach to access control, as users are only given the permissions they need to perform their jobs.

For example, with Teleport, teams will use RBAC to map an SSO user to a Local Linux User. Consider this: If Alice logs into a server with ubuntu, the user will have access to `rwx`. If you want to provide more fine-grained ACLs in Linux, a dedicated user with specific ACLS should be created if a team wants to restrict access.

RBAC (Role-Based Access Control) is a widely used method for controlling access to resources and has several benefits, such as fine-grained control and ease of management.

 RBAC can be limited in its ability to express complex access control requirements, particularly those that involve multiple roles or attributes.

 As the number of roles and users in an organization grows, the number of role-permission assignments can grow exponentially, which can make management and maintenance of the access control system difficult.

Limited support for dynamic environments:

 RBAC is designed for static environments where roles and permissions are predefined and do not change frequently. It may not be as well-suited for dynamic environments where roles and permissions need to be updated frequently or in real time.

Limited support for delegation of authority:

 RBAC does not inherently support delegation of authority, meaning that a user cannot assign permissions to another user.

 RBAC does not provide an inherent mechanism for tracking which users have performed which actions, making it difficult to determine accountability in case of a security incident without other tooling in place.

The Teleport Access Platform

Featured Resource

Integrations

Featured Resource

Use Cases

Featured Resource

Industries

Featured Resource

Compliance

Featured Resource

Strategic Partners

Featured AWS Webinar

Read

Experience

Discover

Featured Blog Post

Company

Explore

Featured Event