
Trustless Infrastructure Securing Critical Assets with Teleport - overview

The global pandemic and push for remote work are putting companies’ IT infrastructures at greater risk than before. This risk grows as infrastructure is scaled and more people gain access to highly sensitive data, such as access keys to a valuable password vault. Passwords are another vulnerability, since they can be compromised. To overcome these risks and protect critical infrastructure, a zero-trust access solution is needed. But how can we accomplish that without slowing down engineers or adding administrative overhead? Teleport helps companies achieve a trustless architecture in multiple ways. Access becomes more secure when passwords, secrets, and keys are replaced with short-lived certificates. Teleport also provides kernel-level auditing, which adds a high level of accountability along with alert and response capability.

Key topics on Trustless Infrastructure Securing Critical Assets with Teleport

  • When we remove passwords, we remove an inherent vulnerability that’s been exploited millions of times.
  • A major consideration when implementing any access solution is: will it impact engineer workflow?
  • One way of addressing data exfiltration is having end-to-end traceability.
  • Teleport enables push-and-play security, which is particularly helpful in today's ephemeral environments.
  • Teleport uses certificates to implement zero trust.

Introduction - Trustless Infrastructure Securing Critical Assets with Teleport

(The transcript of the session)

[silence]

Steve: 00:00:10.469 Hello. Good evening, good afternoon, and for those of you further afield, a very good morning to you all. Firstly, I just want to thank you all for joining us for another great live webinar brought to you by TechForge Media. For the eagle-eyed among you, you’ll notice that we were to have our Chief Editor Duncan MacRae moderating this session. Unfortunately, he’s not been very well. So I’ll be filling in his shoes today. We wish him a very, very speedy recovery. My name is Steve Downing. I’m the Group Operations and Delivery Manager for TechForge Media. And I am delighted to be joining you all today on this webinar session. So this time we’re going to be looking into trustless infrastructure and securing critical assets. The global pandemic and the push for remote work is really putting companies’ IT infrastructures at a greater risk than it ever was before. The risk grows really as infrastructure is scaled and more people actually gain access to highly sensitive data, such as access keys to a valuable password vault. Another vulnerability within the modern world is the use of passwords since they can be compromised. And to overcome these risks and protect critical infrastructure, the implementation of a zero-trust access solution really is needed. But how can we accomplish that really, without slowing down our engineers or adding administrative overhead? Well, our partner for today’s webinar, Teleport, actually hopes to be able to answer that question for you guys. So Teleport helps companies achieve a trustless architecture in multiple ways. Access becomes more secure when passwords, secrets, and keys are replaced with the use of short-lived certificates and also kernel-level auditing which is provided that adds a very high level of accountability and alert and response capability. Today we’re actually joined by Blake Brown. He’s a Solutions Engineer over at Teleport. 
Blake, why don’t you introduce yourself to our audience and tell us a bit about you?

Blake: 00:02:25.833 Sure. Hey, Steve. Yeah. No, I come from 10 years of engineering background. Most recently, I was a DevOps engineer at J.P. Morgan. And then last year, I transitioned to work at Teleport. My first startup. It’s been a great ride. But it’s been really, really neat working with them. First off, Teleport started as a Kubernetes product. And I had no idea about Teleport or Kubernetes in general when I moved over. So it was quite the learning curve. But I’m up to speed now. And yeah, I’ve been using Teleport personally and professionally now to access Kubernetes, Linux, Windows, database and applications. But just recently I’ve actually moved away from the engineering team, kind of going a little bit more on the dark side into sales. So it’s been a fun adventure so far. But yeah, Teleport, I guess in the short of it, like you were saying, zero-trust access to all of your infrastructure anytime, anywhere. So we’re being used by a lot of security-minded organizations like Google, Department of Homeland Security, Tesla. So, yeah, really cool customers.

What is trustless architecture?

Steve: 00:03:37.874 Awesome. Awesome. So I suppose to kind of kick things off, Blake, for perhaps the kind of less technically minded out there, such as myself really when we’re talking about trustless infrastructure, I suppose, could you run through a little bit about what that actually looks like and what that is, and what that really means to an organization?

Blake: 00:03:59.685 Sure. So I mean, let’s just first look at legacy where I’m going to be pulling out a password or maybe I just have a static credential and I can access infrastructure. Now, the only thing — that is a very trustful relationship, it’s trusting that since I have that — since I have a password, I have access and I don’t need any further authorization. Now zero trust or trustless access would imply that I’ve logged in and then that piece of infrastructure that I’m accessing is going to be continually checking in or checking in to make sure that I am authenticated, that I am authorized. So what we’re doing with certificates is using Teleport certificate, internal certificate authority, I’ve accessed Linux or Windows or database infrastructure and each piece of that infrastructure is going to be checking back in with Teleport, making sure that I do have access, rather than just trusting me based on my password. Now, when we’re removing passwords, that’s removing an inherent vulnerability that’s been exploited millions of times. One of the big names that come to mind is like the Colonial Pipeline hack. And so when you look at hacks like that, you try to dig to find out what happened there. And the investigators couldn’t actually determine it. They did determine that there was a password that was probably purchased on the dark web and that was leveraged for the Colonial Pipeline attack.

Blake: 00:05:18.945 Now when you look around, I mean there’s passwords that get leaked all the time. There’s the Adobe hack where all these customers’ passwords were leaked. Now you and I as an engineer, you probably still use the same password professionally as you do privately. Now if your private password was leaked, if I’m a smart hacker, I can go buy that password and then try it in your professional platforms. Now removing passwords removes that vulnerability. So again, making a very trustful atmosphere, or sorry, zero trust atmosphere and then pairing that with like you mentioned, the kernel level auditing really applies a lot of accountability and really a lot of hands-on administrative stuff where you can actually disable people’s sessions as they’re doing something that you wouldn’t want them to do. So again, it’s all about accountability and removing trust.

Steve: 00:06:06.519 Awesome. Awesome. Just one actually quickly for the audience as well guys. I forgot to mention at the beginning, but we are so, so excited to be able to get your questions in. So please do feel free to send questions to us through the Q&A button at the bottom there. Blake will be able to kind of run through those during the kind of next 40 minutes or so. So Blake I suppose, well, one kind of thing that really interests me actually regarding Teleport is that recently you guys actually advised around implementing the Principle of Least Privilege, I believe is the phrase that you guys use in practice, meaning eliminating root type of accounts. I wonder if you’re able to just expand on this really for us and for the audience here and why zero trust really is becoming so critical within that?

The importance of zero trust and Principle of Least Privilege

Blake: 00:07:05.363 Yeah. So one of the things you have to look at when you’re implementing any access solution is, am I going to be bothering my engineers? Engineers are very smart people and they’re going to find loopholes and workarounds to make their jobs easier and faster. When I worked at Chase, for example, when we were using passwords, I would pull out a password and it takes 5, 10 minutes to be able to create the ticket to be able to go to the password vault, pull that out. Now, when you look at Teleport, that’s a much quicker access. And so compared to that, when I was over at Chase, maybe my co-worker knows that I pulled out that password. Rather than spend 5, 10 minutes himself, he would rather just message me, ask me for the password. Again, there’s a lack of accountability in those kind of environments. Now. When there’s a lack of accountability, you do need to have a lot more security, a lot more eyes on glass, a lot more alerting response, and event management workflows. But when you’re looking at zero trust, when you’re looking at Principle of Least Privilege, you want to make this the least cumbersome process possible. So by using just-in-time access and being able to automate just-in-time access, whether it’s using PagerDuty and building it out around people’s schedules and shifts, or whether it’s building it into some kind of ticketing system like ServiceNow to automatically approve access requests, make it as easy as possible, but also make it granular. So what I mean by that is you don’t need to have read access right away. You might need just read-only access, maybe just to a particular set of infrastructure. Maybe as a DevOps engineer on a day-to-day basis, when you log into Teleport, you only need access to your development environment, not production or test. So with that in mind, you just use role-based — role-based access controls or RBAC to build out granular permissions. 
And as a user needs additional permissions, just-in-time access is there and they can go ahead and request that through that automated workflow.

Steve: 00:09:16.367 Awesome. Awesome. Thank you for that. Thank you. That’s super cool. Just a real quick one, actually. We’ve got our first question in from the audience. Emma Shatter has just asked really to clarify zero trust. It does use certificates, right?

Zero trust utilizing certificates

Blake: 00:09:33.322 Our implementation does, yeah. So what we do is, based on — well, we reach out to your SSO provider as you’re logging in. You reach out to your SSO provider. And based on those SSO groups, that information is going to be captured and translated into a Teleport role. And based on those Teleport roles, you get access to a whole set of infrastructure and certain rights, whether it’s read-only rights in your database or whatever it might be. But all that information is going to be encapsulated within that X.509 TLS certificate. And that TLS certificate is what’s going to be used for access in that zero-trust framework.

Steve: 00:10:08.738 Oh, cool. Thank you for that. I hope that helps, Emma. Awesome. Thank you for sharing that. I mean, when you were kind of talking there about kind of streamlining and efficiencies and kind of providing your engineering team with a little bit less work by running these kind of infrastructures — one thing that for me personally coming from an operations background, I’m there thinking, “Doesn’t this sound like a lot of extra admin work on top of it as well?” So in terms of the kind of like organization or extra workload, I suppose, how can you implement a trustless infrastructure without causing all of those extra tasks administratively?

Implementing zero trust without adding administrative burden

Blake: 00:10:54.716 Sure. Yeah. We found that, based on the SSO to Teleport role mapping, that it’s eliminated a large amount of administrative overhead compared to other solutions like CyberArk or HashiCorp. Which a lot of these other solutions typically require a dedicated administrative staff, at least from the customers we’ve heard from. And so just being able to remove a lot of that user management overhead has saved teams like that — we’ve heard upwards of 20% as far as man hours for administering solutions like ours. So yeah, it definitely makes a big difference. And with the access request workflows, like I was mentioning with PagerDuty, I know when I was on call at Chase doing DevOps stuff; I spent a lot of time on the phone chasing people down in the wee hours of the night trying to get approval for access. Now, Teleport with PagerDuty, you’d be able to schedule out people’s shifts. So as you’re on call or you’re working on the weekends, PagerDuty would automatically approve that access request, at least to whatever level you think is appropriate. So again, just saves a lot of time, a lot of headaches, and frustration, especially when you’re working in the evenings and weekends.

Steve: 00:12:12.451 A smart little bit of kit, right? [laughter]

Blake: 00:12:14.649 Yeah. [laughter]

Steve: 00:12:16.239 So of course we’re kind of talking about trustless infrastructure in the form of securing your most critical assets, really. And kind of starting off on the broader scope in terms of being able to secure those really business-critical assets, what do you think really out there at the moment are kind of the most kind of key and kind of looming cyber threats to businesses’ assets?

Key cyber threats to business assets

Blake: 00:12:46.951 Right now it is still just passwords. There are just so many passwords out there that are just static. Either it’s because developers find it convenient to keep a password static and maybe they don’t upload it to the corporate vault. Which I’m not going to point out specific instances, but there were instances I’ve seen at Chase where there are passwords out there that are just old and antiquated. And because it’s easier to keep these passwords on the side and keep them static, developers oftentimes choose to do that. And what that leaves is I still know passwords. Me as a disgruntled employee might know passwords. So I think in a lot of occasions right now where like the cyber actors — the hackers — are a very sophisticated bunch these days rather than just kind of shoot and pray like they were in the early 2000s. There is going to be a lot more focus on phishing and social engineering when it comes to these static passwords and trying to dig those out of your employees — your disgruntled employees — and I think that’s a really big concern. Especially when you look at places like Russia and Ukraine right now with what’s going on over there just in a matter of days, when the invasion kicked off, their media sites, their news stations were all taken offline, and then they were able to put in their own media, their own radio stations. And that was all done through cyber ops. And that isn’t done because they were able to hack. That was likely done because they were able to find passwords in a relatively quick and easy way. And that’s what Teleport is looking to fix.

Steve: 00:14:23.170 Awesome. So I suppose it’s kind of like the next level of — and I’m kind of showing my age off a little bit here. But I always remember back along used to have like little card readers basically to be able to log into laptops without passwords and things like that. So I assume it’s kind of like the evolution of that, really, right?

Blake: 00:14:42.728 Yeah. And funny that you bring up that because, with our Windows access, it’s actually really neat. I don’t fully understand it. We’ve got some really bright minds at Teleport. But the way we’re actually doing that is with a virtualized smart card. So it kind of has gone full circle plus one, right? We’ve removed passwords using that same technology, but technologies enabled us to virtualize it. So there is not vulnerability of a physical device that can be taken. So, yeah.

Steve: 00:15:13.594 So do you think then that we’re reaching the end of these kind of traditional kind of standardized security kind of processes and kind of physical cards and access keys and things like that?

Teleport vs VPNs

Blake: 00:15:30.407 Yeah. There’s a whole migration going on right now. I mean, half the people that we talk to are very, very passionately excited about getting rid of VPNs. And Teleport is seen as a perimeter solution that can replace VPNs or firewalls. And so as groups like Teleport start to get out there and build their products out, you’re going to see a lot of these legacy solutions, legacy perimeter solutions, be reduced or completely removed. Without a need for a VPN or firewall, you can kind of consolidate to a unified access solution. And I think that’s where what’s really kind of driving this migration from passwords to passwordless, from VPNs to logical perimeter solutions is I think we’ve realized that security in depth isn’t always the answer. And sometimes it’s better to replace depth with logic. And that’s what I think Teleport's doing with the certificates as opposed to VPNs or firewalls.

Steve: 00:16:32.917 Awesome. Awesome. It sounds like there’s loads of really, really cool stuff going on actually in the world of kind of cyber security at the moment. And I mean, kind of touching on — because obviously, you mentioned the big global conflict that’s going on at the moment. I mean, do you think that obviously with that kind of specific example, but also kind of looking at the wider kind of global conflict landscape, do you think that that’s had a direct impact really on the need for this kind of architecture, the zero-trust kind of framework?

Blake: 00:17:03.971 Yeah. I mean, just don’t need to look too much further than the U.S. Government. Right now, they’ve written out a — or I’m sure other governments have too, but I’m referring to one of the Federal guidances they’ve just recently released — I think that was a couple of months ago, pushing all agencies, all parts of the Federal Government, to zero trust. And looking at them taking it seriously, that should really be a red flag for, I think, a lot of enterprises out there. I mean, just looking at how much money — obviously, I’m not going to predict the future as far as global events go. But looking at how much money China and Russia and other countries that are kind of starting to form a pact of their own is spending on military and spending on their cyber ops is, it’s going through the roof. And I think waiting to find out if we’re going to be attacked or waiting to find out if there’s going to be any kind of cyber conflict is kind of a bad attitude. Companies, especially enterprises that would have, I guess, strategic infrastructure like fintech or oil and energy companies, things like that, really need to be taking a proactive approach to zero trust and really need to get ahead of the ball before something bad does happen.

Steve: 00:18:24.137 Yeah. No, that’s really interesting. I mean, it’s quite funny — again, kind of showing my age — back in the day, you used to have all of the kind of email campaigns going around. Phishing is like the worst thing in the world, basically. Your spamware and your malware that come through via emails. It’s just completely evolved the entire landscape at the moment. Whereas you used to have a very kind of proactive potential involvement if you were to let a cyber-attack happen in your organization. I.e., opening a dodgy email or something like that. Something as simple as literally just releasing your password, as you say, potentially, accidentally out to the dark web, can have these massive catastrophic effects. And it’s really, really interesting to see how that’s developed over the years.

Blake: 00:19:12.572 Yeah. Definitely. I mean, like I was mentioning, when you’re starting to talk about nation-states entering the space of hacking or cyber warfare, that is when you start looking at ultra-sophisticated actors. Where they start pinpointing specific points of entry or specific people with specific access. And when you start looking at that more narrow-minded approach or a less general approach than we’ve seen in the past, that’s when you really need to start considering strategic — like you were mentioning. A social engineering or phishing and think that it isn’t just always going to be these poorly worded bad-grammared emails that some people click on and you get your information stolen or you get a virus. Sometimes it’s going to be a lot more sophisticated. And in those kinds of instances, you can’t always just trust your employee or you can’t always just trust that cyber training that they got. You have to go zero trust.

Sensitive data breaches from within a company

Steve: 00:20:12.168 Yeah. Yeah. Absolutely. So I mean, I think I saw actually not too long ago I was reading a report actually talking about within the workplace; I was reading a report that said around about 60% or so of respondents to this specific kind of questionnaire believe that an employee will accidentally breach sensitive data within the next year. I’m assuming, of course, trustless infrastructure, it really does help to protect against those threats such as social engineering, like you just touched on there a moment ago. But from the kind of developed world that we’re living in, I suppose the move towards hybrid and remote working how can organizations really ensure that security is maintained, I suppose, wherever an employee’s working? Because before you had to worry about just the security of the mainframe within your office. But now you’ve got hundreds of hundreds of remote offices dotted around kind of internationally.

Blake: 00:21:20.829 Yeah. I mean, data exfiltration’s a real concern, definitely. And we’ve seen this addressed a couple of ways. In Teleport, specific ways. But generally, I think the way that people should be addressing this is, one, you need to have end-to-end traceability. And that means every query a user is running needs to be tracked and needs to be tied to the user. And not just implied or not just an implicit title user, but more explicit. Just because in that example, like I mentioned, where I can pull out a password and pass it to my buddy and he can hop in. That would be implicit. But explicit, making it tied to that short-lived certificate where I know exactly who’s doing what and when. And then being able to build that into an event management workflow. So cases that we’ve seen with cryptocurrency companies, there are wallets that need to be secured. So with those wallets, they have keys. Keys that should never be seen by anybody because these keys are worth tons and tons of money. So how do we secure those keys? How do we make sure that nobody can see them? Well, with Teleport we leverage Berkeley Packet Filter to get kernel-level auditing that you mentioned earlier. So with that, we can see what user is running what commands on which host. And with an event management workflow and leveraging our administrative command line, you would be able to immediately lock that user session. So that user runs that command to either cat a file or he runs a query against the database, you would be able to have an event management workflow readily available to immediately lock that user session. So really, really nice for data exfiltration prevention. Now we have seen a use case where people want even more security than that. And it is kind of a little bit more cumbersome, but we built out essentially a secured terminal.
Where we take our Windows access, we disable copy and paste, and then we have a secondary Teleport cluster that’s exposed only to the Windows terminal. So within that, I log into the Windows terminal, I can’t copy and paste, and then I can access my database. So again, just another level of control and another level of session recording that would also be on top of that.

How Teleport helps achieve trustless architecture

Steve: 00:23:40.986 Wow! Very, very thorough indeed, there by the looks of things. So I’d kind of like to get to know a little bit more about you guys, really, as well. With regards to, I suppose how you really help organizations actually achieve this kind of like trustless architecture. Is it literally just kind of like a plug-and-play thing or do people operate through a certain platform that you guys run? Or?

Blake: 00:24:13.468 Yeah. So we do have a SaaS offering that’s SOC type 2 compliant. But some of our customers are concerned with even more stringent compliance concerns, more like FedRAMP or FIPS. And in those situations, that would be a self-hosted option. And it’s typically a self-hosted. We see that hosted on EKS or Kubernetes cluster. This is just the typical deployment. With the DynamoDB backend and an S3 backend. So that isn’t all-inclusive. If you are on different platforms, we can support those as well. But basically, one of the really nice things about Teleport, especially for an ephemeral world, maybe like the military, where you’re going to be spinning up infrastructure and setting it back down in a very quick order because we’re using a reverse tunnel to set up this connection to our proxy from our nodes it makes it really, really easy to shut down and spin up your infrastructure anywhere in the world and be able to connect right back to Teleport. So ephemeral environments — it makes it kind of very push-and-play like you’re mentioning.

Steve: 00:25:19.513 Awesome. So, I mean, are there kind of any industries that really scream out to you Blake as being like particular kind of areas where you think this is really needed?

Blake: 00:25:32.371 Oh, yeah. 100%. Like I was mentioning with just — right now, I’m primarily concerned with trying to reach out to our customers that have what I would say, like strategic or highly sensitive infrastructure. And those would be like all of our partners in finance. So right now, we work with NASDAQ. NASDAQ would be a good example. But any big bank. Any banks in general. And also, our energy partners too. Again, like Colonial Pipeline. That incident would have been something that Teleport would have been able to prevent. So I’m really, really keen to meet those kind of partners, meet those kind of customers, and see how we can kind of strengthen our society as a whole through zero trust.

Steve: 00:26:14.694 Awesome. And I mean, kind of piling down a little bit further into that, from those industries, what kind of particular functions or kind of parts of the business would you say really are the most exposed when it comes to these kind of infrastructure attacks, I suppose?

Blake: 00:26:34.504 Sure. Yeah. I mean, there’s going to be a lot — especially in finance, there’s a lot of old applications out there in the Fintech world that, like I mentioned, there are going to be passwords that are sitting out there the developers have that they don’t want to tell you about, but they use anyway. Those are the environments that we should be focusing on right away. Because right now there are just — it just is the nature of Fintech. There is just going to — because old things work — it’s bringing back the old euphemism. Don’t fix something that isn’t broken. That definitely applies to how a lot of Fintech organizations think about their applications and their infrastructure. And now we definitely need to get a lot more aggressive. And that’s going to be when we’re talking about customer data and how we see customer data get leaked all the time from credit card companies, things like that. That’s data exfiltration that could be prevented with zero trust. When we look at things like Okta, recently, a tech company that had a contractor that had their password leaked and then leveraged for, again, stealing customer data. These are all examples of critical infrastructure, critical companies like Okta especially, providing access to so many companies that are being taken advantage of because they’re in a trustful environment and they need to definitely take the step forward. And so I don’t think that there’s anything super specific. I think this kind of applies to all lines of business but definitely some industries more than others.

Steve: 00:28:12.176 So one thing that I’m actually really interested to find out from you, Blake, is I’ve been super, super into learning all about this kind of infrastructure and how we’ve come such a long way from those more kind of traditional cybersecurity kind of techniques. What’s the next frontier in terms of evolving cybersecurity protocols? I mean, what do you see to be kind of the next big thing, really, in terms of this landscape, I guess?

Blake: 00:28:46.669 Sure. Just in cybersecurity in general, I mean, I think that one of the big concerns that isn’t being taken seriously enough is encryption at the moment. And right now, there’s a huge concern with the massive advancement in computing, especially when you look at studying quantum computers, that these computers are going to be able to break modern encryption in zero time. And the timeline for this is looking at 5, maybe even 10 years. But we haven’t made far enough advancements as far as encryption goes to be able to mitigate the risk yet. And so a lot of companies are trying to figure out — because there is this — there’s this concept of steal now, decrypt later. So hackers are going in and you don’t know it. They’ve already taken your customer data. And they’re waiting for the opportunity when computing power exists, to be able to decrypt in a couple of years. And so right now, if you’re not taking a proactive approach to that, then you might already be a sitting duck as far as that’s concerned. But I think that’s a really, really, really big concern. And especially when you’re talking about finance companies, when you’re talking about governments and states, when all the secrets are going to be able to be decrypted, there’s going to be a lot of problems. So when you are going to be looking at trying to prevent things like that now, we don’t have new encryption to be able to cover or to be able to mitigate the risk yet. But what you can do is put in logical perimeter solutions, limit data exfiltration as much as possible, and adopt zero trust.

Steve: 00:30:27.757 Wow. Lots to do there for lots of people out there. So I’ve been kind of talking about it throughout this whole kind of last half an hour or so that we have been chatting. Obviously, securing critical assets is a real major feature to any kind of any organization, really, anywhere, I suppose, be that private or public. But when it actually comes to those critical assets, what does that actually look like? Are we talking about kind of specific software? Are we talking about data sets? Are we talking about just kind of like customer information or employee information?

Blake: 00:31:14.306 I mean, because of how intertwined most IT environments are, I think we’re talking about everything. Because when you look at a good perimeter solution, especially when you’re trying to remove depth, hopefully, for some of our customers, we’re removing firewalls. We’re removing VPNs that are unnecessary and redundant to Teleport. But in doing that, we need to make sure we have a solid perimeter. If you start making your perimeter just A instead of A through Z, then there’s going to be a lot of gaps. Or just A and then C, there’s going to be gaps where B could potentially be exploited to get access to C or A, right? So I think when you’re looking at adopting a zero-trust approach, it has to be as fully zero trust as possible. And there is no exception as far as critical infrastructure once you decide to make that move.

Steve: 00:32:10.218 So everything basically?

Blake: 00:32:12.357 Yes.

Steve: 00:32:13.137 Secure everything. Cool. I mean, I do have still a couple of questions that I would like to ask you as well. But I just want to remind the audience just to put yours in as well. We have got Blake here for another few minutes, so do feel free to send anything in. I have got one question, actually, funnily enough, which came from a team member of mine and they asked me to pass this on to you, Blake. They were kind of after a little bit of inside knowledge, I think. In terms of best practices, then really when it comes to securing critical assets and perhaps you don’t have access to a trustless infrastructure, what would you say are kind of like the top few tips for your kind of standard discerning business owner?

Blake: 00:33:12.965 Oh, yeah, for sure. So I think one of the — if you’re going to be as secure as possible, obviously MFA is going to be — multi-factor authentication’s — going to be step number one. But to take it a step further though, like phones and for example, Google Auth, other things, your phones can be virtualized. So if you’re very concerned or like a lot of people in cybersecurity like me, a little bit paranoid, you can opt for a YubiKey. Physical MFA is much more secure. Now as far as your password goes, there are options out there that are looking at doing password-less authentication for SSO to a lot of — for federated SSO to a lot of normal mainstream sites. I can’t name them off the top of my head. But for passwords themselves, though, sticking to revolving passwords would be best if you can. Otherwise, using just like LastPass. LastPass is a tool I use when I can’t use any more secure method. But yeah, that’s my recommendation.

Advice on adopting trustless architecture

Steve: 00:34:24.745 Awesome. So what advice do you think that you would possibly give to any kind of organization, be they small or medium or even your big corporates when they’re actually looking to start out on their kind of trustless infrastructure journey?

Blake: 00:34:44.693 Sure. I mean, I think first off, you need to have a conversation with your engineers about what bothers them today about their current access workflow. What bothers them today about access requests or elevated access or getting into anything. Because, like I mentioned earlier, engineers are smart people. Engineers will always find a workaround or they will attempt to. And so when you want to have something that is going to be zero trust and is going to avoid any kind of social engineering and also is going to encourage developers to take those legacy passwords that they’ve been hiding for their applications and bring them into Teleport and replace that with a zero-password infrastructure, we need to ensure that I’m not going to be making any more work for them. So I think that’s the number one concern is making sure that you’re hearing your engineers. Making sure that you’re making this fit into their workflow rather than the other way around. And then at that point, you can start looking at zero trust with that in mind.

Steve: 00:35:51.155 Awesome. And in terms of being able to introduce that then quickly to an organization and be able to quickly scale up, is that quite a straightforward kind of process for someone to undergo?

Blake: 00:36:10.872 Yeah. I mean, for example, with Teleport within our AWS environment, we can automatically discover your RDS instances. So based on the tags that we get applied to the RDS instances and your users’ access within Teleport, your user would automatically be provisioned access as RDS instances are spun up. Same thing applies for EC2 instances. But in general, auto-discovery is there. And with that in mind, it makes it really, really easy to scale out. And also, like I was mentioning, with the administrative overhead, when you have everything set up on a role-based access approach, everything is infinitely scalable in my mind. A lot of times it’s a set it and forget it kind of a setup. And yeah, so anyway. That’s my answer.

Conclusion

Steve: 00:37:04.517 I love that. Set it and forget it. Super, super, super simple. Well, I just want to thank you really, Blake, for the time that you spent with myself here and our wonderful audience as well. Going into such in-depth detail. Personally, I feel like I have learnt so, so much in this last kind of 40 minutes or so. So thank you very much. I don’t know if you have anything that you would like to kind of just — any final comments for our audience at all?

Blake: 00:37:36.872 Yeah, no, I mean thank you for having me, Steve. And if anybody’s interested or wants to learn more, if you have any other questions that you’d like to follow up on, feel free to shoot me an email — [email protected] — and I’ll be happy to respond. Otherwise, feel free to check out our website, goteleport.com. There’s a lot of cool information. And we are open-source first. So if you want to check out our GitHub or play with our open-source Community Edition, I use it for securing my home lab environment. Feel free to check it out.

Steve: 00:38:07.164 Awesome. Awesome. Brilliant. Well, that is everything from us here at TechForge Media. Thank you everyone so, so much for joining us this afternoon. This recording will be available via the TechForge website for 30 days afterwards. So if you haven’t been lucky enough to catch the whole of this session, don’t worry, it will still be available online and you can catch me and Blake chatting together. Once again, thanks very much, everybody. Take care and have a great rest of your week. Goodbye.
