Decentralized Key Management and Sharing Is Not The Answer Practice Safe SSH with Teleport
All projects start off with the best intentions: user management and security around accounts won’t be an afterthought. Despite those intentions, the requirements to move fast tend to override things such as account hygiene, and before you know it, you are trying to manage hundreds, if not thousands, of SSH keys and privileged accounts either manually or with a tool that wasn’t designed for key management. You also probably need to keep track of authorization privileges, and a shared document or spreadsheet is not the correct method, especially when you have systems that need to be PCI compliant or are in SOX scope.
Centralized Key Management
Does your current SSH key management strategy feel like this? Are you using manual methods to distribute and manage SSH public keys? As the number of hosts and users increases, this method becomes more and more unwieldy and can also present you with security and compliance risks. By moving to a centralized approach with Conjur’s Teleport open source solution, you are now able to benefit from the following:
● No more SSH key sharing between developers
● Each developer has their own unique login, with their own distinct set of privileges
● Simple SSH key creation and deletion
User Management
A proper strategy for programmatic provisioning and deprovisioning of user accounts is equally important as SSH key management. In addition to SSH key management, Teleport also provides an LDAP service that allows for a customized list of users/groups that can be associated with specific projects and environments. When a new developer joins a project, you can quickly and programmatically provision the account and access rights, and when a developer departs, you can revoke those rights as well as remove the SSH key.
SSH Key Rotation
Scheduled SSH key rotation should also be part of the overall security strategy and posture, and for those systems that need to be PCI DSS compliant, SSH keys need to be rotated annually. By providing a centralized SSH key solution, Teleport allows you to seamlessly rotate the keys, as well as keep a detailed audit log of which key was rotated and when.
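As an added example (not Teleport’s own code), the following Python script audits a host’s authorized_keys file against a central key inventory for the two failures the User Management and SSH Key Rotation sections describe: keys whose owner has been deprovisioned and keys older than the annual rotation window, plus keys that were never issued centrally. The inventory, active-user list and key blobs are constructed for illustration.

```python
import base64
import hashlib
from datetime import date

ROTATION_DAYS = 365  # annual rotation window, per the PCI DSS requirement above

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (blob, comment) per key line; skip blanks and # comments."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Lines may start with options (from="...", command="..."), so locate the key type field.
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
        yield fields[idx + 1], " ".join(fields[idx + 2:])

def audit(authorized_keys: str, inventory: dict, active_users: set, today: date):
    """Return (fingerprint, comment, reason) for every key that fails policy."""
    findings = []
    for blob, comment in parse_authorized_keys(authorized_keys):
        fp = fingerprint(blob)
        record = inventory.get(fp)
        if record is None:  # never issued centrally: an ad hoc or shared key
            findings.append((fp, comment, "not in central inventory"))
            continue
        if record["owner"] not in active_users:  # owner departed, key not removed
            findings.append((fp, comment, f"owner {record['owner']} deprovisioned"))
        age = (today - record["issued"]).days
        if age > ROTATION_DAYS:
            findings.append((fp, comment, f"key age {age}d exceeds {ROTATION_DAYS}d"))
    return findings

def fake_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire blob around a dummy 32-byte value (not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

# Constructed sample data: keys found on one host, the central inventory, active users.
SAMPLE_KEYS = "\n".join([
    "ssh-ed25519 " + fake_blob(b"alice") + " alice@laptop",
    'from="10.0.0.0/8" ssh-ed25519 ' + fake_blob(b"bob") + " bob@desk",
    "ssh-ed25519 " + fake_blob(b"carol") + " carol@old",
])
INVENTORY = {fingerprint(fake_blob(b"alice")): {"owner": "alice", "issued": date(2024, 1, 10)},
             fingerprint(fake_blob(b"bob")): {"owner": "bob", "issued": date(2023, 1, 10)}}
ACTIVE_USERS = {"alice"}
```

Running `audit(SAMPLE_KEYS, INVENTORY, ACTIVE_USERS, date(2024, 6, 1))` flags bob’s key twice (departed owner, 508 days old) and carol’s key as unknown to the inventory, while alice’s current key passes.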
Conclusion
SSH is a powerful tool that provides a great deal of value and security for your developers, but with that great power comes great responsibility. Teleport is a tool that allows you to provide that power to your developers while also knowing that you are practicing safe SSH and are being secure and responsible.
About the Author: Mike Kail
Mike Kail was Yahoo’s CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. Before joining Yahoo, he gained more than 24 years of IT Operations experience with a focus on highly scalable architectures. Most recently, Kail served as VP of IT Operations at Netflix. Prior to that, he was VP of IT Operations at Attensity, where he was responsible for the Americas data center operations team, including managing various big data systems with their Hadoop cluster, HBase, and MongoDB components. He has been recognized widely for his insightful industry commentary on Twitter, and was recently named by the Huffington Post as one of the “Top 100 Most Social CIOs on Twitter.” He holds a B.S. in Computer Science from Iowa State University. Reach out to him on Twitter or LinkedIn.