Securing Infrastructure Access at Scale in Large Enterprises

The complexity and scale of computing infrastructure have exploded in recent years. In large organizations, managing access, identities, and policies so that people and machines can securely reach diverse infrastructure resources – physical machines and servers, clouds, software apps, services, APIs – is a daunting task.

The larger the organization, the more costly and difficult it becomes to wrangle the complexity of this infrastructure in a way that is secure, efficient, and resilient.

Watch the webinar replay to explore:

  • How to secure access to modern infrastructure at scale
  • How to implement the principle of least-privilege access for complex environments in a way that engineers like – so they won’t build backdoors
  • New features in Teleport 17 that enable organizations to realize enterprise scale benefits:
    • Streamline integration with AWS, making it easy to manage identities across multiple instances
    • Support machine access at scale, for organizations with a high volume of non-human identities governing access
    • Eliminate shadow access and identify and mitigate risk in access paths
    • Achieve multi-region high availability, for companies that need global resiliency for their mission-critical operations

Transcript - Securing Infrastructure Access at Scale in Large Enterprises

Introduction

Eddie: And I'm Eddie Glenn. I'm based out of Portland, Oregon. Just a little bit about me, I'm an old-time software developer. So infrastructure access is a really important topic for me these days. I've been in cybersecurity now for about a decade, but I really enjoy the software development aspect of infrastructure. This topic, in particular, I think is a great topic for us today because things have changed a lot over the last few years. I've been at Teleport now for about half a year. And Ben, why don't you take a few minutes to introduce yourself?

Ben: Yeah. Hi. I'm Ben Arent. I'm based in Oakland, California, Director of Product. More of a veteran of Teleport. I've been here six years. And prior to this, I've worked in a range of SaaS and hosting companies from small startups to very large enterprises. And I've seen all of the challenges of securing infrastructure access at scale in the large ones. And when I first joined a large enterprise, I thought it'd be better, but it's actually interesting. Sometimes it can be worse. And so I think today's a good webinar of how you can get a balance between taking the best of much larger enterprises and rolling it out.

The power of three

Eddie: Great. Thanks. So there are a couple of things that we want to cover today. And I'm going to start off the webinar first, and then I apologize for my voice, but I was at a conference this week and ended up getting sick. So I'm going to try to get through this as best I can. But I want to talk about just the state of modern infrastructure and modern infrastructure access. Some of the challenges that we're experiencing, we're seeing our customers experience with that. And then I'm going to turn it over to Ben, and he's going to talk about best practices and how Teleport can help. And then we'll finish up with more time for Q&A. But as Ben said, please, if you do have a question, go ahead and put it into the chat window, and we'll try to get to it throughout the presentation today. So with that said, I always like to tie things to a theme. And for me, the theme today is the power of three. There's really three things that I think are impacting us all. First one is—computing infrastructure is exploding. And I know at the beginning, I said that I used to be a software developer. And that was quite a number of years ago. But back then, the infrastructure that we used was extremely simple. It was a network of about 10 computers because there were 10 of us on the software engineering team, and that was it. And they weren't even connected to the internet. That kind of really dates me. But when we look at infrastructure today, it's huge. We're talking about individuals, laptops, servers, cloud servers, mobile devices. And then probably the most recent addition to infrastructure are software services. And then on top of that, you've got the people. Again, I was working on a software development team of 10, and now it's not uncommon for there to be hundreds, or if not thousands, of people distributed globally. So it really does mean that infrastructure is exploding.

Eddie: And if you just look at some industry stats—this one kind of blew me away. There was one estimate that there was about 5 million Kubernetes clusters visible on the public internet. So that's not even counting all the ones that are hidden from the public, but that's a lot of Kubernetes clusters. Just looking at the number of businesses that are using Amazon, almost two-and-a-half million; number of customers using Google Cloud Platform, a million; half a million using Azure. So really, infrastructure is exploding, and this impacts how we access infrastructure and how we do it securely. The complexity of infrastructure is also exploding. Just for comparison—5, 10 years ago, the concept of hybrid cloud infrastructure really wasn't that common or frequently seen. But now we're dealing not only with just one single public cloud platform provider, but most companies, especially large ones, they're using multiple public cloud platform providers. They're using private cloud infrastructure. They're still using traditional infrastructure, data centers, on-prem servers. So the fact that it's hybrid makes it very complex. We talked about the people aspect. There are thousands of contributors participating in software development for applications that are using infrastructure. There are thousands of employees at large companies. So this adds to that complexity. Distributed environments. Not only are we seeing applications used to be—they used to be a one server—now they're being distributed across public clouds. That adds to the complexity.

Eddie: And the other big difference is that our businesses are now 24/7 global business. So that means that if you have a failure in one part of the world, it's going to impact your business probably in multiple parts. And we see many examples of that just in the past 12 months. I mean, how many global services have gone down recently during the past 12 months? A lot. This is an infrastructure complexity problem. And then this is another aspect that is really interesting that adds to complexity of infrastructure. And that is—we're not just talking about people accessing resources, but now we've got resources accessing other resources. So they're non-human identities. And I like to think of it as an iceberg. At the tip of the iceberg that you can see above water, it's the people that are accessing the infrastructure. But really, the majority of the infrastructure is hidden under the water that may not be seen. And it's things like service spots, CI/CD pipelines, all kinds of software applications, communicating with other software applications. So this really contributes to the complexity of infrastructure, and that is going to make securing that access that much harder. And then there's now regulatory compliance issues.

Eddie: And yes, this has always been an issue, but it has also exploded as a result of some of the breaches that we've seen over the past five years. Governments are now getting involved trying to minimize the impact that these breaches have to the public. And then that leads me to just the fact that breaches and compromises are exploding. So really, we see the trifecta effect here, power of three. And when we think about what some of the metrics are that indicate that breaches are exploding, 75% of the breaches just in the past year have been based off of identity compromises. Identity compromises used to be that they were a very manual process and involved some luck. But now with the advent of AI, they're becoming much more prevalent—13 attacks globally per second. Now, that's pretty amazing that around the world, our businesses are getting attacked on average 13 times per second—420 million attacks between January 2023 and January 2024. And then there was a recent IBM survey that said that a successful attack costs at least $5 million.

Eddie: That's not only in remediation, but a response to the attack, payment of fines, customer compensation. So these are all extremely important metrics that should make us take note that the way that we go about security and infrastructure, and as we'll see later in this webinar, doing it in a way that will scale across your global business becomes that much more important. And what's leading to some of these breaches? We've talked about identity compromises. We've talked about AI. I didn't really mention anything about state and organized threats. It used to be that it was some random person in their basement trying to create a compromise, but now most of them are coming from state or organized-crime type of organizations. And then another aspect—and this is one that I find particularly interesting and one that we can all collectively solve. Some of these attacks happen because we silo the way that we protect our infrastructure. So this is the decision that we as companies make where we've siloed that infrastructure, and Teleport is in a position to be able to help you address that particular problem. So there is hope on the horizon, at least in that regard.

Poll no. 1 – infrastructure security

Eddie: So with that, I'd like for us to do our first poll. I'm really interested in the people that are participating. How big is your organization? So thinking of your entire company, how many employees, laptops, mobile devices, servers, virtual machines, Kubernetes clusters, CI/CD workflows, APIs do you have? And just do an estimate. And if we can get that going, I don't have access to the results because I can't see that screen. So then maybe you can let me know how that's going.

Ben: Yeah, I think if we just keep this open a little bit more, and then we can close it, and then I think we can share it, can't we? Lexi is helping us on the back. You can probably close this poll out now. Okay. Looking at the results, a couple with more than 100,000 and mostly in the more than the 1,000 range, so far down the lower end, Eddie.

Eddie: Okay. Okay. Yes. Definitely, depending on the size of the company, it's going to range from on the smaller side. And what's interesting for me is 1,000 is on the smaller range. It's not a trivial thing to protect, right? You have 1,000 infrastructure resources that need to control access on. So even 1,000 is a big number in my mind. One of the things that Teleport did this year is that we conducted a survey of—I think it was around 250 large enterprises. So these weren't necessarily small companies. They were substantially sized companies. And we asked them a series of questions of what are they doing to protect their infrastructure? How are they securing it? And the one thing that came out of this is that three out of four are saying that it is getting harder, and it's getting harder for some of the reasons that I've already stated. The other thing that was really interesting that came out of the survey is that there was a group of businesses that seemed to indicate that they had infrastructure access under control, and then there was a group that definitely didn't. And our writers of the report decided to kind of categorize and separate things into two groups. One we call virtuosos and the other novices. And when you look at some of the—these are self-reported issues that they had and compare the ones that were doing things right compared to those that maybe weren't doing enough to protect their infrastructure, it's pretty amazing.

Eddie: The ones that consider themselves experts reported about two security incidents over three years, whereas those that didn't consider themselves experts had 12. The ones that considered themselves experts reported that it cost about 637,000 to respond to these security incidents, whereas those that weren't experts said 6 million. And then if you take that number and compare it to the one that IBM reported at 5 million, these are substantial costs if you weren't taking the appropriate steps. 384,000 was what they reported on average to mitigate some of their issues compared to almost triple that at 1.1 million. And then this I thought was interesting. For those that consider themselves experts, they reported significant costs from staff firing and reported higher costs in brand for business interruption. Okay, why is that? We didn't really ask why that's the case, but just my opinion is that I think that the ones that are considered themselves experts take these kind of security incidents where the infrastructure is targeted much more seriously, so they have higher consequences for those that are responsible for the security of the infrastructure. So let's talk about how to secure infrastructure at scale. And we've all been doing this for many years as businesses and companies. And we can just continue to do what we've done in the past, right? Well, no.

Problems with legacy approaches

Eddie: I really think the answer here is no. We've got to do different things, especially as the environment has changed in the past 5 to 10 years. It's not simple the way it once was. And we've seen this now where most businesses have now abandoned that perimeter type of approach to providing security for their companies. So when we look at how we've done it in the past, what are some of the reasons for why this just doesn't work anymore? If I look at just legacy PAM tools and these are PAM tools that we've used in the past, why don't they work as well today as what's needed? Well, they really weren't designed for cloud and DevOps workflows. They weren't designed for automation, which DevOps and Cloud really depend on. They were designed for resources that live for long periods of time. And as we know, in cloud environments and DevOps environments, that's not necessarily the case anymore. Resources are constantly being spun up and spun down. They're ephemeral. These tools relied on static credentials. That just does not work anymore. We have one individual that has their identity compromised. If they have access to 5, 10, 50, 100 static credentials, all of those resources now become compromised. These tools don't necessarily easily support least privilege or just-in-time access. And then they're kind of designed for a siloed infrastructure approach.

Eddie: And as we've seen earlier in this webinar, that's an issue that we can no longer treat our infrastructure as being individual silos because it really is all connected. And they're not developer-friendly. And when something's not developer-friendly, being a developer, what do we do? We try to avoid using them. So that's why I feel strongly that legacy PAM tools just aren't cut out for the kinds of modern infrastructure that we need to secure. Then the other thing that I look at, and I've used this a lot in the past, is relying on VPNs, bastions, and SSH keys. Those also have some significant challenges around them. One of the biggest challenges and one of the biggest problems is that they provide very broad infrastructure access. They often enable, excuse me, shadow access. Again, they rely on standing static credentials and standing privileges. They don't support modern security standards very well. So this is why Teleport, when we think about how can we secure modern infrastructure and how can we do that for companies that have a global presence, we take these things into account. And I'm excited to finish up my part here in just a minute and move it over to Ben so he can start to explain how we can help you do that.

Fragmentation and identity silos

Eddie: And then the other thing, the point that I wanted to make, is that fragmentation and identity silos are an enemy. And when we look at the approach that is legacy, very much of those are based off of silos. There's multiple reasons why this causes a problem. They're high cost. They get in the way. They don't allow for easy automation and they're high risk because they rely on static secrets. So with that said, let's move to the second poll, and if you can put that up, and then Ben, let me know when people have had a chance to participate. Then I'll move on.

Poll no. 2 – security practices

Ben: Yeah, the poll should be in your poll tab next to the chat. It should have a little red thing, a little pop-up. And poll is: which of the following security practices does your company regularly utilize? VPNs, Bastions, Legacy PAM, phishing resilient passwordless authentication, cryptographically authenticated identity for users. That's a mouthful, huh? And same authenticated identities for systems and resources, and eliminating access silos for all identities, human and non-human. It looks like we have one vote, two votes in the VPN, Legacy PAM. Oh, now they're coming in. So it looks like we have a lot of people going in the VPN, Bastion, Legacy PAM section. One, a few more coming in now. Two for cryptographically authenticated identities for users, and one for the last two. So an interesting range, I think there, Eddie. I think primarily people are probably in the more VPNs, Bastions and Legacy PAM, but there's a few people sort of following, I guess, the limiting access silos from my identities. One person is there, so.

Eddie: Great. Thanks, Ben. So that leads me back to the report that I had mentioned earlier. What's the difference between those companies that consider themselves experts and then thus had the least impact on security incidents and the least number of security incidents from those that didn't consider themselves security experts? And the ones that were experts or virtuosos, the pattern that we saw was that they utilized 13 key safeguards for modern security safeguards. And they're listed here in this right-hand side of the screen, and I'm not going to read through them all, but you can see that a lot of the questions that we asked in the previous poll are these things, particularly focused around using cryptographically authenticated identities, not only for people, but for systems and resources. So pieces of the infrastructure as well. The other aspect here is using a single store for all identities, not just people, but for people and non-humans alike, and things like using AI to help improve security. So that's why I think this webinar is really, really relevant for today's audience, especially all of you that have infrastructure that is spread around the world. And we're really excited to explain how we can do this at scale for you. And with that, I think I'm going to move it over to you, Ben, and have you start talking about how we can help secure infrastructure at scale.

Ben: Yeah. Did you mind stop sharing? And I'm going to share from my side. Let's make it easier for seeing some demos I have.

Eddie: Yes.

How Teleport can help you secure infrastructure at scale

Resiliency and high availability across multiple regions

Ben: All right. Go to Share. Okay. Hi, everybody. Let me fix this up. Okay. So how Teleport can help you secure infrastructure at scale? I have this sort of window here. I've also shown a few demos as I go through this. One of the first things I want to touch on is the resiliency and high availability across multiple regions. One thing that we see with the—you see you go from the Bastion and the jump host approach. These are multiple things that you have to manage and maintain in multiple regions. And if you have a team in EMEA that needs to access the US, availability and resiliency becomes more of a problem. And we're seeing this more and more with globally distributed teams—that having a highly available and resilient infrastructure access tool is important. So one offering that Teleport Cloud can provide is a multi-region high availability setup. We also offer this for our on-premise solution as well, but we have a whole engineering team that has really architected this very well for our cloud product.

Ben: This is in addition if we have existing customers on the call who've self-hosted the Teleport binary that you can get multi-region, high availability across all regions with active-active, and four nines of availability. What I've seen for some of our competitors in the market is that sometimes their access platform goes down and for a day or two they don't have access or things very slow and laggy. And so it's really important to have both a system for access that's highly available and always up. Teleport has been battle tested. I've been here for a while. I think when I first joined Teleport, we would say you could have 10,000 connected resources. We have customers pushing up to 130,000 connected resources. I know initially we had people who had like 1,000, but very large scale across all different regions for both the servers and the end users connecting and accessing Teleport.

Scalable across human and non-human identities

Ben: And as we touched on, Teleport is also a great solution for scalable human and non-human identities for both securing access for people, processes, and software workloads. And you may think of your sort of Bastion or your VPN primarily for users. But moving to a zero-trust approach, it's best to also think about, "Hey, what are the other tools that are interacting with your software and how do you secure them?" So starting off with human identity, human identity often comes from an IDP provider. So this is often your Okta, your Entra, your source of truth for sort of identity. You may have syncing this with your workplace systems, one edition of Teleport Identity. This lets you take your existing IDP and also sort of harden it. You can add device trust or require MFA in addition to it. And so this is sort of the humans accessing all of your infrastructure and hardening it. We next saw that people like this kind of pattern for access to using SSH certificates and certificates for Kubernetes and extended it to machine identity. We first started with sort of the low-hanging fruit, updating sort of Jenkins configs. So instead of cutting a really long certificate for access, we have Teleport Machine ID which will issue a short-lived certificate which is always reissued and you have the ability of the visibility and the ability to lock it.

Ben: And earlier this year, we launched Workload Identity. Workload Identity is an interesting addition to Teleport that it doesn't go through the Teleport proxy, but it's a way in which you can use Teleport's CA for issuing TLS certificates for services. And this is also SPIFFE compatible. And this is important if you're thinking in microservices, you want to secure them using mutual TLS, but there's other identity-based benefits you can have. So by baking in Workload Identity with SPIFFE, you have this benefit of SVIDs and you can say, "Hey, we can prove that this workload is coming from this particular service, and it has these attributes." There's multiple security benefits to this, but there's also an interesting compliance benefit. You can do things like you can say, "Hey, my EU region has this identity, and it can't talk to my US region." And by having this, you can obtain lots of compliance benefits.

Scalable infrastructure Defense in Depth

Ben: Going a little bit deeper into the Defense in Depth, I kind of touched on this a little bit with our IDP internal integration. It's also important to think about—you've provided access, but how do you also provide more defense in depth? We believe this starts with providing ephemeral access management, so leveraging zero-standing privilege through access requests or dual authorizations. So you don't have any sort of super users within your organization. They all go through an access request flow, so there's zero-standing privilege. MFA required for protective admins. We've seen this that simply by adding a sort of non-phishable hardware token—big fan of YubiKeys—for admin actions, this greatly reduces sort of attacks on the administrators of your tool. And sort of there's a checklist of best practices here which include Device Trust and WebAuthn to sort of lock down and restrict administrative actions in your system. And there's a few more kind of maps that you can provide. So for end users, you can map IDP users to the roles and resources. You can use IP binding. So you can say, "Hey, when this user connected, it connects from this IP. They can't connect to this other one." So by taking all of these together, you greatly improve the Defense in Depth and get access to Teleport. So it keeps access very easily available but also greatly improves security. MFA-required protective actions. I touched on this a little bit. This is providing phishing-resilient MFA actions. And you can sort of enforce this too. One thing I like about this is often when you have an organization, your IT team might manage Entra or Okta, but they may not roll out YubiKeys for everyone in your organization.

Work with existing enterprise tools

Ben: By using Teleport Identity, you can take the identity provider, SAML or OIDC from that third party and say, "Hey, I want to make sure that while IT doesn't want to send YubiKey to everybody, I want to enforce them." And we've seen that WebAuthn and passkeys and YubiKeys are a great way to make phishing-resilient access. Next up, we're going to be talking about working with existing enterprise tools. And I want to go back a little bit to something that Eddie talked about at the beginning—is this range of long-lived credentials and hacks that we've seen, and also the complexity of infrastructure. So back in the day, you might have a bare metal provider. You might have some firewalls. They're sort of configured. You don't do much else. What we're seeing is that not only do you have to manage for AWS—you manage the access to the EC2, your EKS, your databases. You also have to think about how do you access the access plane for AWS console authentication. There's also multiple ways in which you can access it. You can use root users, you can use IAM users, or you can use federated users. This image here is from Datadog's state of security, and organizations are still mostly using unmanaged users with long-lived credentials. And this is becoming a known attack vector. So people will use IAM instead of federated users. And this will mean that if someone gets access to the IAM user, it's a pivot and access to the AWS account.

Ben: So we've sort of solved this with our most recent AWS IAM Identity Center integration. AWS IAM Identity Center is a tool for managing multiple AWS organizations. And so it makes the burden of managing them all of them much easier. Our integration makes it much easier to provide a consolidated access and access request flow with Just-in-Time Access and also hardening to provide access to your AWS accounts as well as to all of the infrastructure that you might be familiar with Teleport. So what does this federated access look like? I've kind of talked about this. You often have a group of users in your IDP, in this case, Okta. Then you map them to Teleport, and then you get access to those resources. And the flow for people accessing the AWS console—they don't go through aws.com. They come into Teleport, they have all of their resources, and they can now access AWS accounts. And this sort of line here kind of represents you can also use a Just-in-Time Access Request flow. And I think one thing that's nice about this—I don't have finance connected—but you may want to say, "Hey, end of the year, you want finance to get all the reports. How do you give your finance team access to AWS accounts?" This is one method. You can give a policy to them, to all of your accounts for a short period of time. And once it's removed and it's a federated user, you have the CloudTrail logs to figure out what happened. So now I'm going to segue into a demo of Teleport's AWS IAM Identity Center integration. Okay. So if I come to this tab here. This is the login screen to Teleport, the Teleport proxy. See, I have two different IDPs here: Entra and GitHub. I'm going to log in with GitHub. This is my demo account, but many organizations use a more enterprise IDP.


Demo: Teleport AWS IAM Identity Center Integration

Ben: And we support everything from Okta to Entra to any SAML or OIDC provider. Once I'm logged in—since I'm already logged in, there's this special flow for Device Trust. Device Trust means that only my device that has come in—let me authorize my session. I have Teleport Connect running locally. And you can see now my session has been authorized with Device Trust. This is a nice addition that you can do if you're managing end users’ laptops. So you can say, "Hey, bring your own device. You can access staging or development." But for production systems, you can say, "Hey, only make sure that devices enrolled within our JAMF setup can access those resources." For people who aren't familiar with Teleport, we have three products. We have Access, which is all about providing short-lived SQL access to resources. We have Identity, which is about moving to just-in-time access, zero-standing privilege, and then Policy, which is about understanding who has access to what in infrastructure. And I'll probably touch on a few of these. If there's any questions in chat, I can deep-dive into something. But to go back to AWS integration, in our prior versions of Teleport, you would have to link AWS Console Access to specific roles.

Ben: But with our AWS IAM Identity Center integration, if I log in here, I'll be taken to a flow of an AWS Access Portal, and I have access to a range of users. When I log in here, you'll see I go through another kind of flow. I've come in as my user. `benarent` is my GitHub user. And you can see here that I'm a federated user. There's a lot of benefits of using federated users for AWS. Any action is tied back to the identity of myself. So if you are not using federated users and you're using a shared login, you get less CloudTrail events. And so this is a great way of getting visibility into what's happening in those accounts and the ease of use. It also supports access keys, and so it makes it very easy to provide access to AWS accounts. Other support, I talked a little bit about Entra, but we also have a deep integration with Okta. In our most recent version, we added support for SCIM integration. This is part of our edition of Teleport Policy. The SCIM provides immediate addition and removal of users, and then also syncing of Access Lists and groups to make it much easier to match your groups within your IDP into Teleport.

Ben: And then you can add the addition of Defense in Depth that I've shown you such as Device Trust or Access Lists. Access Lists is a very handy feature that you can provide an audit log of, "Hey, we're adding users to this account. They get access to these roles. At a certain period of time, you can review their access." And as I talked about access requests, one thing that we noticed is that having an access request flow is great, but often you want timely access. And so we have a range of integrations, PagerDuty, Slack. We just added Datadog incident management. So whatever tool you use, you can either build a plug-in or we have one out of the box that can make it very quickly to improve Teams access. And actually, I've had some customers who have automated this. So if a user is on call, they automatically get access, which is a nice kind of workflow that you can build into your setup. Moving on to infrastructure access control. One thing that we've noticed as part of rollout of Teleport in multiple organizations is that, as companies roll out Teleport, they discover certain shadow access patterns and certain visibility. So this could be in the case of moving to Teleport. People may still have SSH backdoors into the infrastructure.

Ben: With Teleport Policy in 17, we have the ability to detect authorized keys on hosts and also link them to the individual user. And so this can be very handy to figure out, "Hey, what were the keys on which machines, and what could it get access to?" Both from a security perspective and making sure that it's locked down. So if I come to my Sub Resources here, you can see what's kind of interesting for this setup. I have access to Packer, which is a tool from HashiCorp. It's interesting; it actually leaves an authorized key on the machine. And so this may or may not be a security issue. I'm pretty sure it's ephemeral, but it's interesting to understand, "Hey, what is happening?" And if I come to this key here, I can click View Access, my break-glass key. I can quickly see this key has access to all of these principals and a range of hosts. And by using our SSH key scanning, I can tell, "Huh, it's my own key, with which I have my own SSH backdoor onto my hosts." And so we believe by having this tool, it provides great visibility into possible shadow access patterns that you may not be familiar with. And you can have other approaches to sort of locking down and securing those systems.

Ben: As we talked about critical systems, one thing you might have seen in that view is we—of all of the Access Graph and if you have millions of resources, some of those resources are more important than others. One thing you can do with Teleport Policy is mark certain resources as critical using our Crown Jewel feature. So I like to match resources with, let's say, my top secret one will be an example. So let me just make this a bit smaller. Anytime any access has happened to my top secret database, I can figure out what happened in the changelog. And this changelog, if I come down here, if you access, you can see, "Hey, my user changed access." And this access pattern is in real time. And we also get a comprehensive audit log that you can send to a SIEM—that the access path has changed for this particular user. And so this makes it very easy to alert, "Hey, is someone accessing a critical resource at a certain period of time that they're not meant to? Did the intern accidentally get access to the top secret database? What is happening?" It gives you sort of great real-time visibility into these access patterns and roles and resources that you may not be aware of.

Ben: And same with standing privileges, implementing principles of least privilege and Just-in-Time Access. This just gives you an overview: "Hey, do certain users or bots have overprivileged access?" This gives you sort of a baseline that you think, "Oh, okay, maybe this user doesn't need all of this access. How can I move them off production systems to a just-in-time access flow, and figure out, if that person was to get compromised, what would the potential risk be based upon their standing privileges?" One thing I kind of touched on a little bit is our syncing with IdP access lists and groups. We've now added the addition for inherited permissions, and this sort of can make it much easier to map how you think about your users within your IdP. This is a common pattern we see. So you have company access, engineering, and then front-end. Inherited permissions make it very easy to provide nested access for all those users but also inherit those permissions. And the other addition of Access Lists that's great is you can provide our access reviews, so you can review on whatever basis to make it very easy to sort of keep up to date with your compliance frameworks. So final thoughts. I think, Eddie, I'm going to transition it back to you.

Ben: I can just keep these slides going if you want to talk on these.

Why modernizing scalable access matters NOW

Eddie: Yes. Yeah. Thanks a lot, Ben. That was great. Really enjoyed the demos. Excuse me. So just to kind of tie this back to what I was talking about in the beginning—that modernizing scalable access matters now for our businesses. We continue to see that identity is the primary attack vector that threat actors are using. AI increases this complexity—increases these theft threats. And the other thing that has been evident in the recent years is that there is an executive responsibility for addressing this. We can no longer just kind of brush an incident under the rug. It's gaining media attention, legal attention, and this becomes the responsibility of one or more executives within a company. Next slide, please.

Ben: Oh, there you are.

Benefits of consolidating identities in a scalable platform

Eddie: Okay. And there are definitely benefits that organizations will experience when they are able to consolidate identities in a platform that is scalable no matter if they're operating in a single region or operating globally. It includes improving workforce productivity. As I talked about earlier, engineers do not like to have their day-to-day jobs slowed down by added security measures. And Teleport has gone to great lengths to ensure that this doesn't happen to them. We want to increase or reduce the business risk by increasing security, shrink attack surfaces by eliminating standing privileges, by enforcing this privileged access. And then the other aspect here of what Teleport is able to do for you is to help you pass compliance audits. And those are becoming increasingly more common and prevalent in today's business. So next slide, please. And Ben talked about the various products that make up the Teleport Access Platform. I'm not going to go into detail here, Ben, if you'd like to talk about some of these, if you think we need to say anything additionally to what you've already mentioned. Let's go ahead and do that. Otherwise, we can start to wrap this webinar up.

Q&A

Ben: No, I would say we just kind of scratched the surface of the platform in this webinar. If anyone has any questions, I think now's a great time to go to Q&A or if there's anything else that we can demo. We're happy to talk to you. I know the chat's been pretty quiet. Okay. So one question coming in. How is the Teleport integration with AWS IAM identity center better than using AWS Identity Center by itself? This is a great question. So kind of out-of-the-box with AWS IAM Identity Center, it would be best practice to bring an identity provider. So you want to connect whatever your source of truth is for people working at the organization, whether this is your Okta, your Entra, your Google Workspaces. But one of the limitations of all these various tools is it's sort of a raw list and a directory of users. One of the benefits of using Teleport with IAM identity center is the Just-in-Time Access Request flow with all of the integrations that we have. And then the second one is the hardening of that access. So are you adding Device Trust? Are you adding required MFA? Do you have a comprehensive audit log as well? We have another question coming in here. Is Teleport available as SaaS or an on-premise solution?

Ben: So the answer to this is both. And so if you go back to what we talked about for high availability and redundancy, that is available with our Teleport Cloud as an addition. But we also provide an on-premise solution. And Teleport is an open-source, open-core product. You can review most of the code on GitHub, and you can sort of run it and operate it yourself. We have great architecture guides about how to run it in a highly available mode. But if you're thinking of true active-active, four-plus-nines of availability, our team can help architect a solution that works well for you, or you can use our Teleport Cloud products sort of out of the box without having to worry about that. And I would say, compared to some of our competitors, often when you get to over 10,000 or 20,000 connected resources, many of them sort of fall over and aren't very available, which isn't very helpful at all for what you need access to. Let me see.

Ben: Feel free to use the chat or the Q&A box. I see there's like another one coming in here, which is: how does Teleport help with regulatory compliance? What does it record? We help organizations in a range of compliance regimes, whether it is SOC 2, FedRAMP, HIPAA, PCI, and often it depends upon where and which it's deployed and what you're doing. Often, for FedRAMP specifically, many customers who have SaaS products and who want to deploy on-premise use Teleport as the access method. And we have a bunch of great documentation of the NIST controls that we match. We actually have this interesting way in which we run it with [inaudible] FIPS mode to give access. And so, yeah, we can help with, basically, all compliance regimes. What does it record? It records both the interactive playback of the session. We record Windows sessions. We capture protocol-level database auditing, a whole range of events in our log, which I could probably show, which is always a fun thing if I come to my Session Recordings. You can see here, this is `nivasomu`, one of my teammates, who accessed it. I guess he didn't do much on this host, but you can have full playback of the hosts and see what happened, which is good. So he's kind of like typing something, going back and forth. Nothing exciting.

Ben: But you can also use that audit log with us to sort of understand what's happening. Same. If we come back to this one, this is a playback of our Windows box logging in. So a very comprehensive audit log that you can view. Okay. Someone's coming in the chat. Is the feature to detect authorized keys on servers available to everyone in 17? This is available via Teleport Policy. So if you're an existing user, you may not have Teleport Policy available. Best to reach out to our sales team and we can connect you with them. We're also looking for people who are particularly interested in understanding shadow access patterns. So just reach out to myself. I'm [email protected]. I'd love to learn more about what access patterns you are really concerned about and figuring that out.

Eddie: And then before we finish up, we do want to do one final survey. We always want to produce content that all of you find valuable and useful. So if you can just take a minute to answer the survey, that would be much appreciated.

Ben: Yeah. I think I don't know if we have to launch that one or if it's been launched. Okay. It's launched. Yeah, so you should see that; it should be available as post-webinar feedback. I think we have one last question in here. Can you explain again how Teleport reduces the number of standing privileges needed by an organization? It's a great question. I often like to start with this: "Do you know what your standing privilege in your organization is?" And that's where Policy can come in, and you can sort of understand the scope of who has access. When we built this ourselves, surprise, surprise, our CTO was the most privileged person. And that's because he had created many of these services. And then I think once you understand, "Hey, who has access to which systems, what are approaches that you can move to, either removing the access or moving to zero standing privilege?" You can do this via our role binding and access request flow, which is a great way to say, "Hey, let's say you take your environment production. You use tags and our roles, and say, 'Hey, let's just remove that; no one has standing privilege for our production systems. That always has to go through an access request flow.'" And I think that's kind of a good way to start thinking about, "Who has standing privileges? How critical are those systems, sort of tabletop? If someone accesses this database, what's the worst thing that could happen?"

Ben: And let's see. I think we have a few more minutes. A few more people in here. Happy to take any more questions. I'll give five more seconds. Okay. Well, it doesn't look like there's any more Q&A. Thank you for coming today. I really appreciate everybody's time on this Thursday morning or evening. Like I said, we're more than happy to take your questions offline or our sales team can talk to you. I know Lexi has put a thing on more Teleport events. We go to a range of conferences, and we're always available. Eddie, do you have anything else you want to close with?

Eddie: No, I just wanted to thank everyone for attending today. Thank you, Ben, for the demos that you gave. They're very informative. And I just wanted to wish everyone a great rest of their day. So thank you.

Ben: All right. Thank you, everyone. Bye.
