Identity-Native Infrastructure Access Management: Preventing Breaches by Eliminating Secrets and Adopting Zero Trust [1 ed.] 1098131894, 9781098131890
Traditional secret-based credentials can't scale to meet the complexity and size of cloud and on-premises infrastru
132 105 2MB
English Pages 154 [155] Year 2023
Table of contents :
Cover
Copyright
Table of Contents
Preface
Who Should Read This Book
Goals of the Book
Navigating This Book
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Introduction: The Pillars of Access
Most Attacks Are the Same
Access
Secure Connectivity
Authentication
Authorization
Audit
Security Versus Convenience
Scaling Hardware, Software, and Peopleware
Identity-Native Infrastructure Access
Chapter 2. Identity
Identity and Access Management
Identity and Credentials
Traditional Approaches to Access
Identity-Based Credentials
Establishing Trust in Identity
Identities in Infrastructure
Long-Lived Identities
Ephemeral Identities
Identity-Native Access
Identity Storage
Identity Attestation
Reducing the Number of Secrets to One
A Path to Identity-Native Infrastructure Access
Eliminate Access Silos
Move to Certificates for Identity Proofing
Extend Identity-Native Access to Service Accounts
Chapter 3. Secure Connectivity
Cryptography
One-Way Functions and Hashing
Symmetric Encryption
Asymmetric Encryption
Certificates as Public Keys
The Untrusted Network
Encrypted and Authenticated Connectivity
Moving Up in the Networking Stack
Perimeterless Networking for North-South Traffic
Microsegmentation for East-West Traffic
Unifying the Infrastructure Connectivity Layer
Secure Connectivity and Zero Trust
Chapter 4. Authentication
Evaluating Authentication Methods
Robustness
Ubiquity
Scalability
Secret-Based Authentication
Public Key Authentication
Certificate-Based Authentication
Multifactor Authentication
Single Sign-On
How SSO Works
Beyond Traditional SSO
Identity-Native Authentication
Identity Proofing
Device Attestation
WebAuthn
Authenticating Machines
Preserving Identity Postauthentication
Chapter 5. Authorization
Infrastructure Protects Data
Types of Authorization
Discretionary Access Control
Mandatory Access Control
The Bell–LaPadula Model
Multics
Mandatory Access Control in Linux
Nondiscretionary Access Control
Privilege Management
Principle of Least Privilege
Zero Standing Privilege
Just-in-Time Access
Dual Authorization
Challenges in Authorization
Access Silos
Privilege Classification
Authorization for Machines
Complexity and Granularity
Identity and Zero Trust
Identity First
Single Source of Policy Truth
Context-Driven Access
Identity-Aware Proxy
Chapter 6. Auditing
Types of Logs
Audit Logs
Session Recordings
Logging at Different Layers
Host Logging
Network Monitoring
Log Aggregation
Security Information and Event Management (SIEM)
Log Schemas
Storage Trade-Offs and Techniques
Evolution of the Cloud Data Warehouse
Log Analysis Techniques
Log Analysis Example: Modern Ransomware Attack
Auditing and Logging in an Identity-Native System
Chapter 7. Scaling Access: An Example Using Teleport
Access at Scale
Identity-Native Access Checklist
Necessary Components
The Teleport Infrastructure Access Platform
The Cluster
How Teleport Works
Managing Users
Managing Client Devices
Managing Permissions
Managing Audit
Zero Trust Configuration
Living the Principles of Identity-Native Access
Chapter 8. A Call to Action
Security and Convenience at Scale
The Future of Trust
Infrastructure as One Big Machine
The Future of Security Threats
Closing Words
Index
About the Authors
Colophon
Cover
Copyright
Table of Contents
Preface
Who Should Read This Book
Goals of the Book
Navigating This Book
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Introduction: The Pillars of Access
Most Attacks Are the Same
Access
Secure Connectivity
Authentication
Authorization
Audit
Security Versus Convenience
Scaling Hardware, Software, and Peopleware
Identity-Native Infrastructure Access
Chapter 2. Identity
Identity and Access Management
Identity and Credentials
Traditional Approaches to Access
Identity-Based Credentials
Establishing Trust in Identity
Identities in Infrastructure
Long-Lived Identities
Ephemeral Identities
Identity-Native Access
Identity Storage
Identity Attestation
Reducing the Number of Secrets to One
A Path to Identity-Native Infrastructure Access
Eliminate Access Silos
Move to Certificates for Identity Proofing
Extend Identity-Native Access to Service Accounts
Chapter 3. Secure Connectivity
Cryptography
One-Way Functions and Hashing
Symmetric Encryption
Asymmetric Encryption
Certificates as Public Keys
The Untrusted Network
Encrypted and Authenticated Connectivity
Moving Up in the Networking Stack
Perimeterless Networking for North-South Traffic
Microsegmentation for East-West Traffic
Unifying the Infrastructure Connectivity Layer
Secure Connectivity and Zero Trust
Chapter 4. Authentication
Evaluating Authentication Methods
Robustness
Ubiquity
Scalability
Secret-Based Authentication
Public Key Authentication
Certificate-Based Authentication
Multifactor Authentication
Single Sign-On
How SSO Works
Beyond Traditional SSO
Identity-Native Authentication
Identity Proofing
Device Attestation
WebAuthn
Authenticating Machines
Preserving Identity Postauthentication
Chapter 5. Authorization
Infrastructure Protects Data
Types of Authorization
Discretionary Access Control
Mandatory Access Control
The Bell–LaPadula Model
Multics
Mandatory Access Control in Linux
Nondiscretionary Access Control
Privilege Management
Principle of Least Privilege
Zero Standing Privilege
Just-in-Time Access
Dual Authorization
Challenges in Authorization
Access Silos
Privilege Classification
Authorization for Machines
Complexity and Granularity
Identity and Zero Trust
Identity First
Single Source of Policy Truth
Context-Driven Access
Identity-Aware Proxy
Chapter 6. Auditing
Types of Logs
Audit Logs
Session Recordings
Logging at Different Layers
Host Logging
Network Monitoring
Log Aggregation
Security Information and Event Management (SIEM)
Log Schemas
Storage Trade-Offs and Techniques
Evolution of the Cloud Data Warehouse
Log Analysis Techniques
Log Analysis Example: Modern Ransomware Attack
Auditing and Logging in an Identity-Native System
Chapter 7. Scaling Access: An Example Using Teleport
Access at Scale
Identity-Native Access Checklist
Necessary Components
The Teleport Infrastructure Access Platform
The Cluster
How Teleport Works
Managing Users
Managing Client Devices
Managing Permissions
Managing Audit
Zero Trust Configuration
Living the Principles of Identity-Native Access
Chapter 8. A Call to Action
Security and Convenience at Scale
The Future of Trust
Infrastructure as One Big Machine
The Future of Security Threats
Closing Words
Index
About the Authors
Colophon
![Identity-Native Infrastructure Access Management: Preventing Breaches by Eliminating Secrets and Adopting Zero Trust [1 ed.]
1098131894, 9781098131890](https://ebin.pub/img/200x200/identity-native-infrastructure-access-management-preventing-breaches-by-eliminating-secrets-and-adopting-zero-trust-1nbsped-1098131894-9781098131890.jpg)
- Author / Uploaded
- Ev Kontsevoy
- Sakshyam Shah
- Peter Conrad
- Similar Topics
- Computers
- Networking
- Commentary
- Publisher PDF | Published: September 2023 | Revision History: 2023-09-12: First Release
