Why Secure Access to Cloud Infrastructure is Painful

Introduction

Can you enumerate every single network socket which can be used to hack into your cloud environment and steal your data?

When counting, are you including the laptops of people who have already authenticated and have access? The purpose of opening with this question is not to instill fear. Trying to answer it probably leads to “it’s complicated”, and that complexity of access is what this article will cover.

Complexity is our collective enemy in the computing industry. Complex systems are admired, yet they are hard to reason about, hard to secure, and let’s not forget — often unpleasant to use. Below, I will try to offer a simple framework for how to think about secure infrastructure access, about its complexity, and about a possible solution.

You are reading this on the website of the Access Plane company. Of course we are biased, because there will be a plug for Teleport, our open source infrastructure access solution. But the advice offered here applies to almost everyone, and Teleport users such as NASDAQ, Snowflake, IBM and Google seem to think about access the same way.

What is infrastructure?

A long time ago infrastructure used to mean servers, networks and storage. Today we are working and deploying into complex computing environments that consist of virtual machines, virtual load balancers, virtual storage volumes, virtual databases — the list goes on and on. Everything is defined as code. Everything listens on a socket, and everything needs access.

What is access?

The word “access” is generic enough to mean many things to different people. There are numerous open source projects and companies that promise access. Let’s go from generic to specific by decomposing the access problem into four commonly requested capabilities: connectivity, authentication, authorization and audit.

You may agree or disagree with the definition above, but this is what we hear from the users. Let’s dive deeper:

This simple decomposition of “access” should help you understand and evaluate your current situation as well as the product landscape. VPNs, for example, cannot do authorization and audit for every resource; a VPN does not know whether you have permission to DROP TABLE. A VPN only provides the connectivity part of access.

Why is access painful?

Why are connectivity, authentication, authorization and audit painful? Have they always been hard?

They are hard because the world’s computing needs are growing. Think of “computing” as a joint activity between hardware, software and people. Therefore:

The struggle comes from scaling all three:

How do we cope?

What do organizations do to deal with the increasing complexity of implementing secure access? The popular strategies come with their own trade-offs:

These approaches present numerous problems:

The power of consolidation

Wouldn’t it be great if we could consolidate connectivity, authentication, authorization and audit in one place? This would make it irrelevant how much software, hardware and peopleware is involved.

That’s where the idea for the Access Plane comes from. The word “plane” means “consolidation”. By unifying all pillars of access in one place, the pain introduced by scaling goes away.

It does not matter how many engineers, servers, or databases an organization has if it uses an access plane.

Trying it out

What does an access plane look like? How can you build one? Essentially you will need the following components:

An access plane allows us to implement and enforce simple and logical rules with ease, such as: “Developers must not access production data”.
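To make the rule concrete, here is a small Python model of an access plane written for this post; it is an added illustration, not code from the post or from Teleport, and the role, label and action names are assumptions. Authentication has already produced an identity bound to roles; the plane then makes one resource-level authorization decision per request (deny rules win over allow rules) and records every decision in an audit log. The “drop” action on the dev database shows the distinction from a VPN: the plane knows the user may connect but may not DROP TABLE, while network connectivity alone cannot express that.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Resource:
    """A computing resource registered with the plane (hypothetical model)."""
    name: str
    kind: str            # "db", "ssh", "k8s", ...
    labels: dict         # e.g. {"env": "prod"}


@dataclass
class Role:
    """Label-based allow/deny rules plus the actions a role may perform."""
    name: str
    allow_labels: dict   # label -> set of permitted values, or "*" for any
    deny_labels: dict    # label -> set of values that are always refused
    actions: set         # e.g. {"connect", "select", "drop"}


@dataclass
class Identity:
    """What authentication established: a user and the roles bound to it."""
    user: str
    roles: list


def labels_match(selector, labels):
    """True when every key in selector is present in labels with a permitted value."""
    for key, allowed in selector.items():
        value = labels.get(key)
        if value is None:
            return False
        if allowed != "*" and value not in allowed:
            return False
    return True


class AccessPlane:
    """Authorization and audit for every resource, consolidated in one place."""

    def __init__(self, roles, resources):
        self.roles = {r.name: r for r in roles}
        self.resources = {r.name: r for r in resources}
        self.audit_log = []  # one structured event per decision, allow or deny

    def authorize(self, identity, resource_name, action):
        resource = self.resources.get(resource_name)
        if resource is None:
            decision, reason = "deny", "unknown resource"
        else:
            decision, reason = "deny", "no matching allow rule"
            bound = [self.roles[r] for r in identity.roles]
            # Deny rules win over allow rules, whichever role carries them.
            denied_by = next((r.name for r in bound
                              if r.deny_labels and labels_match(r.deny_labels, resource.labels)),
                             None)
            if denied_by:
                reason = f"denied by role {denied_by}"
            else:
                for role in bound:
                    if action in role.actions and labels_match(role.allow_labels, resource.labels):
                        decision, reason = "allow", f"allowed by role {role.name}"
                        break
        # Audit: every decision is recorded with who, what, which action and why.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": identity.user,
            "resource": resource_name,
            "action": action,
            "decision": decision,
            "reason": reason,
        })
        return decision == "allow"


def demo():
    """Constructed sample data: 'Developers must not access production data'."""
    roles = [
        Role("developer", allow_labels={"env": {"dev", "staging"}},
             deny_labels={"env": {"prod"}}, actions={"connect", "select"}),
        Role("sre", allow_labels={"env": "*"}, deny_labels={},
             actions={"connect", "select", "drop"}),
    ]
    resources = [
        Resource("orders-prod", "db", {"env": "prod", "engine": "postgres"}),
        Resource("orders-dev", "db", {"env": "dev", "engine": "postgres"}),
        Resource("bastion-prod", "ssh", {"env": "prod"}),
    ]
    plane = AccessPlane(roles, resources)
    alice = Identity("alice", ["developer"])
    bob = Identity("bob", ["sre"])
    results = {
        "alice select orders-prod": plane.authorize(alice, "orders-prod", "select"),
        "alice select orders-dev": plane.authorize(alice, "orders-dev", "select"),
        "alice drop orders-dev": plane.authorize(alice, "orders-dev", "drop"),
        "alice connect bastion-prod": plane.authorize(alice, "bastion-prod", "connect"),
        "bob drop orders-prod": plane.authorize(bob, "orders-prod", "drop"),
    }
    return results, plane.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for request, allowed in decisions.items():
        print(f"{request}: {'allow' if allowed else 'deny'}")
    print(f"{len(log)} audit events recorded")
```

Because the rule is expressed once, against labels rather than against individual hosts or databases, adding a new production database with `env: prod` is covered automatically; that is the point of consolidating authorization and audit instead of configuring them per resource.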

Most technically sophisticated organizations implement access this way. One can rely on a combination of open source components and in-house expertise. Downloading Teleport is a much faster way to do it, and that’s why we started this project in 2016 and open sourced it a couple of years later.

Teleport is not yet a complete access plane. It does not support every computing resource. Currently it provides unified access to SSH, Kubernetes clusters, MySQL, PostgreSQL, MongoDB and internal web apps. We’re launching support for additional protocols rapidly, so join our community Slack to learn from other Teleport users and talk directly to Teleport core contributors.
