Access to production systems: risky yet often necessary
Development teams, engineers and SREs often have, or require, access to the systems they work on. Even with deployment pipelines and automation, there are still times when teams must reach systems directly, including production. Production systems frequently hold sensitive data, especially when the access is to a database.
Privileged access of this kind is well understood by auditors and attackers alike. There have been multiple attacks that targeted engineers precisely because of their elevated system access; the incidents at LinkedIn and SolarWinds are prominent examples.
The simplest fix is to remove all access to production systems, but for some teams this is impractical or impossible. Instead, follow established practices such as the principle of least privilege (PoLP) and zero standing privilege (ZSP). Both aim at granting just the right amount of access, at the right time.
Supporting a system like this requires changing how you think about secrets and passwords. By moving to a secretless model built on short-lived credentials, access can be issued with a short lifetime and specific permissions, including constraints such as which devices are allowed to use those credentials.
Teleport is an open infrastructure access platform providing secure, short-lived access to SSH and Windows servers, Kubernetes, databases, the AWS Console and web applications. Starting with Teleport 12, Teleport supports Device Trust, enabling teams to quickly roll out zero-trust best practices across their organization.
Overview of Teleport Device Trust and Jamf Pro
Teleport Device Trust is a security feature that restricts access to infrastructure resources protected by Teleport, allowing only devices that are registered and trusted to connect to resources like SSH, databases and Kubernetes.
Teleport Device Trust can be enabled at both a cluster and per-role level. Once enabled, only devices enrolled in Teleport Device Trust will be able to access the resources.
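The two enforcement levels described above, as an added example that is not taken from the original post or from Teleport's own documentation. The role name, database labels, users and names are assumptions; the resource kinds and the `device_trust` / `device_trust_mode` options are Teleport's.

```yaml
# Added example: cluster-wide versus per-role Device Trust enforcement.
# Resource names and labels below are assumptions for illustration.

# 1. Cluster-wide setting. "optional" lets users on unenrolled devices keep
#    working while device information is still recorded in the audit log;
#    "required" blocks every unenrolled device for the whole cluster.
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factor: "on"
  device_trust:
    mode: "optional"   # rollout setting; change to "required" once inventory is enrolled
---
# 2. Per-role setting. Even while the cluster is only "optional", this role
#    refuses access to production databases unless the session comes from a
#    device enrolled in Teleport (for example, one synced from Jamf Pro).
kind: role
version: v5
metadata:
  name: prod-db-access            # assumed role name
spec:
  options:
    device_trust_mode: "required"
  allow:
    db_labels:
      env: "prod"                 # assumed label on the database resources
    db_users: ["readonly"]        # assumed database account
    db_names: ["customers"]       # assumed database name
```

Both resources can be applied with `tctl create -f <file>`; the role option lets teams enforce device trust first on the most sensitive access paths before tightening the cluster-wide mode.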
The next challenge teams face is enrolling their workforce's devices in Teleport Device Trust. This is where Teleport's integration with Jamf Pro comes into play: the Device Trust Jamf Pro integration automatically syncs your Jamf Pro computer inventory into Teleport.
The Teleport Jamf Pro service is a distinct Teleport process that periodically reads your computer inventory from Jamf Pro and syncs it to Teleport. It performs both incremental (called "partial") and full syncs, and it removes a device from Teleport when the corresponding computer is removed from Jamf Pro. As a result, the set of devices enrolled in Teleport always reflects the Jamf Pro inventory.
Example: an unauthorized access attempt from a non-trusted computer. Note: Teleport Device Trust works only on the CLI, using tsh.
If a device is compromised, it can be locked out of system access. Locks are also handy during a possible incident or when offboarding an engineer. The resulting events are visible in Teleport's Session and Identity Logs.
Having an audit log of events is critical to monitoring, alerting and debugging what’s happening within a system. Teleport integrates with a range of SIEM solutions so that the team can easily receive alerts on new system activity and access patterns from enrolled devices.
Allow only registered and trusted devices
Securing access to vital infrastructure is critical in the face of increasingly sophisticated attacks targeting engineers. Using Teleport and Jamf Pro together enforces access from trusted devices only, protecting sensitive data and critical systems. Teleport Device Trust, integrated with Jamf Pro, allows only registered and trusted devices to connect to essential resources, adding an extra layer of security. Device locking and comprehensive audit logs further strengthen the security posture, enabling a quick response to compromised devices and suspicious activity and improving the organization's resilience against potential threats.