Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

April 2022

On terminals and sessions

In this post I will be announcing a new open source project: Teleport Connect. It is a dedicated secure web browser for accessing cloud infrastructure. But first, let me explain why we've decided to build it, starting with a bit of historical context. As a kid I have always enjoyed imagining the process of programming to having a conversation with a machine. The REPL loop is the most obvious example of this interaction. As our code grows it no longer fits in a REPL environment.

6 Best Practices for Kubernetes Audit Logging

Running a Kubernetes-based infrastructure is challenging and complex. Administrators often lament how complicated performance optimization and monitoring are, which can lead to problems in production. Additionally, even finely-tuned Kubernetes deployments can encounter sporadic issues. When Kubernetes starts behaving in strange ways, digging into logs can help you uncover breadcrumbs. These contextual hints can help lead you to possible solutions.

Lessons From Billions of Breached Records by Troy Hunt of https://haveibeenpwned.com

Security flaws, hackers and data breaches are the new normal. It’s not just those of us in the industry facing these foes every single day; it’s everyone. Whether you’re online or offline, you simply cannot exist today without your personal information being digitized in systems which are often left vulnerable and exploited at the whim of attackers. But who are these people — the ones who seek to break through our defenses and exploit our data? And how are they continually so effective at doing so, despite our best efforts?

Innovation lessons we can learn from hackers

In 2022, Cyber Security is no longer about protecting secrets. It is about our way of life that relies on digital technology everywhere: from clouds to smartphones, from medical facilities to stock markets, and everything in between. In the past 2 years, threat actors have innovated faster than ever before, even using “growth hacking” tricks to increase the impact of their criminal enterprises. At the same time, our own connected lifestyle and digital footprint keep changing at breakneck speeds. How can we prepare for what comes next? By learning from hackers! @Keren Elazari — security researcher, TED speaker, and friendly hacker — joins us for a conversation on emerging security threats, new attack vectors and techniques, and innovation lessons we can learn from hackers.

Rethinking Privileged Access Management for Cloud and Cloud-Native Environments

SSH was designed in 1995, LDAP was initially developed in 1993, and role-based access control was introduced in 1992. The concept of least privilege was introduced in 1975. With all of these existing technologies, when are modern privileged access management solutions necessary? This is a common question asked when we pitch the idea of modern privileged access management (PAM).

How to Generate and Configure SSH Certificate-Based Authentication

The SSH protocol offers multiple authentication options: passwords, public keys and certificates. Certificate-based authentication is the most secure of them all, but historically, it has been the most complicated to set up. This tutorial guides you through simple steps to configure certificate-based authentication for an OpenSSH server. First, let's consider the differences between certificates and keys. As you can see, an SSH key is a binary proposition.

How OAuth 2.0 Works

The modern human likely has profiles on dozens of applications. Whether it’s social media applications, music/video streaming, or workspace resources, each of us must manage accounts that contain personal information. Over time, these siloed applications have become increasingly connected. Twitter allows news sites to directly tweet, Discord searches Facebook for suggested friends, and Jira creates user accounts using Github profiles.

Alternatives to a Corporate VPN

Many businesses use virtual private networks (VPNs) to provide secure remote access to their systems, but this has increasingly become a liability as more people switch to remote work. The greater demands placed on VPNs to offer safe access can expose organizations and employees to security vulnerabilities. In order to better protect their data and systems, organizations may need to seek alternatives to VPNs.

Amazon EC2 SSH Session Recording and Auditing with Teleport

This blog is Part IV in a series about identity-based access management of AWS resources. In Part I, we covered how to use OSS Teleport to access Amazon EC2 instances running in private subnets. Part II explained implementing identity-based access via SSO integration with Okta. Part III covered the steps to configure privilege escalation for just-in-time access requests. In Part IV, we will guide you through the steps to configure SSH session recording and auditing.

Secure Redis Authentication Using Teleport Database Access

As part of our Teleport 9 release, we added support for three more databases: Redis, MariaDB, and Microsoft SQL Server. In this post we’ll cover the steps needed to protect your Redis instance using Teleport Database Access. Teleport Database Access allows you to easily secure your databases using security best practices such as identity-based SSO, short-lived certificates for engineers or service accounts, multi-factor authentication, RBAC, and audit of all access and queries.

Amazon EC2 Just-in-time Access With Teleport and Slack

This blog is part three in a series about identity-based access and management of AWS resources. In Part I, we covered how to use OSS Teleport to access Amazon EC2 instances running in private subnets. Part II explained implementing identity-based access via SSO integration with Okta. In Part III, we will guide you through the steps to configure privilege escalation for just-in-time access requests.

kubectl Cheat Sheet

Kubectl is the default command-line tool for Kubernetes. It makes it easier to use the Kubernetes API and manipulate Kubernetes resources, allowing you to control Kubernetes clusters and run commands to deploy applications, manage cluster resources, and view logs. This guide will look at how best to integrate the most common and useful kubectl commands into your workflows, as well as provide some helpful tools for further optimization.

How We Built Machine ID

The DevOps workflow is all about automation driven by machine-to-machine access. To maintain the automated DevOps pipeline, engineers configure service accounts with credentials such as passwords, API tokens, certificates, etc. The issue is that engineers often fall into the security mispractice of creating long-lived credentials for service accounts to facilitate automation and lessen manual intervention.

Comparing SSH Keys - RSA, DSA, ECDSA, or EdDSA?

This blog post was originally released on 08/26/20. What’s worse than an unsafe private key? An unsafe public key. The “secure” in secure shell comes from the combination of hashing, symmetric encryption, and asymmetric encryption. Together, SSH uses cryptographic primitives to safely connect clients and servers. In the 25 years since its founding, computing power and speeds in accordance with Moore’s Law have necessitated increasingly complicated low-level algorithms.

Why The Four Eyes principle is critical for access

The four-eyes principle means an activity must be approved by two people, or from Argus Panoptes if the ancient Greeks needed access controls. This principle is commonly used in both routine and non-routine scenarios. On the routine side are “Business Execution” processes. Here the Four Eyes principle is used to stop negative outcomes as the result of poor execution of a regular business task.

Teleport 9 - Introducing Machine ID

In this blog post we're excited to announce Machine ID, an easy way for developers to secure machine-to-machine communications based on X.509 and SSH certificates. But before we go deeper, let’s step back and think about what’s happening during a hacking attempt. Every security breach has two things in common. Addressing cybersecurity challenges requires a solution to both.

Setting Up an SSH Bastion Host

What is an SSH bastion and how is this different from an SSH jump server or an SSH proxy? In this post, we’ll answer this question and will show you how to set it up using two popular open source projects. Both Teleport and OpenSSH support bastions, and they are extremely similar as they are both single-binary Linux daemons. Both require a simple configuration file usually stored somewhere under /etc/.