SlideShare a Scribd company logo

Zero trust server management - lightning

Kevin Gilpin, profile picture
Kevin Gilpin

The document discusses zero-trust server management as an alternative to traditional server access management using Active Directory and VPN. Zero-trust involves dividing systems into sub-systems with least privilege access for all users, machines, and code. It also recommends using public key authentication and bastion hosts to create security zones for access to servers rather than relying on Active Directory in cloud environments.

Technology
1 of 16
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Zero-Trust Server Management Boston DevOps August 2014
Traditional server access management has been based on Active Directory and VPN / perimeter
Data center - “Chewy interior” Perimeter - “Crunchy exterior”
What do you do when your perimeter is taken away?
Service A Service B Service C Service D
Zero-Trust: No “root” privilege Division of systems into sub-systems Least privilege among all users, machines and code
Zero-Trust is the future of infrastructure management http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap
Zero trust server management - lightning
Zero trust server management - lightning
What’s the practical challenge to implement zero-trust auth for systems management?
Don’t try and use Active Directory in the cloud. It won’t work, for more reasons than I can list here.
Front-End Back-End ◁ Corporate, password authentication ◁ Second factor ◁ Location-independent ◁ Public key authentication ◁ No shared keys ◁ Integrated with security “zones” such as cloud accounts and security groups Identity hand-off
ssh Corporate Password Authority ssh Bastion Service A Service B ssh Public key and systems authz authority
Apply intelligent use of openssh and PAM ◁ Public keys available as a network service ◁ Granular authorization via PAM ◁ Automatic audit of login/logout events
Use Bastions to create security zones ◁ Dedicated admin bastion(s) for access to management services such as Chef/Puppet server, log server, Conjur ◁ General-purpose bastions for access to everything else ◁ Let the back-end authz system provide most of the access control
Zero-Trust Server Management Boston DevOps August 2014

More Related Content

PDF
Building A Self-Documenting Application: A Study in Chef and Compliance
Kevin Gilpin
 
PPT
Bio IT World 2015 - DevOps Security and Transparency
Kevin Gilpin
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PPTX
Is DevOps Braking Your Company?
conjur_inc
 
PPTX
The user s identities
Giuliano Latini
 
PPTX
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
centralohioissa
 
PDF
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
PPTX
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
Building A Self-Documenting Application: A Study in Chef and Compliance
Kevin Gilpin
 
Bio IT World 2015 - DevOps Security and Transparency
Kevin Gilpin
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Is DevOps Braking Your Company?
conjur_inc
 
The user s identities
Giuliano Latini
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
centralohioissa
 
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 

What's hot (20)

PPTX
Security for cloud native workloads
Runcy Oommen
 
PDF
BeyondCorp and Zero Trust
Ivan Dwyer
 
PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
PDF
Microsegmentation from strategy to execution
AlgoSec
 
PPTX
2018 11-19 improving business agility with security policy automation final
AlgoSec
 
PPTX
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
PDF
CSA SV Threat detection and prediction
Vishwas Manral
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PPTX
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
PPTX
Technologies You Need to Safely Use the Cloud
CloudPassage
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
PDF
Dev seccon london 2016 intelliment security
DevSecCon
 
PDF
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
DevOps.com
 
PDF
2021 01-13 reducing risk-of_ransomware
AlgoSec
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
PDF
Build and enforce defense in depth - an algo sec-cisco tetration webinar
AlgoSec
 
PDF
compliance made easy. pass your audits stress-free webinar
AlgoSec
 
PDF
VMUGIT UC 2013 - 03b Trend Micro
VMUG IT
 
PDF
BeyondCorp: Closing the Adherence Gap
Ivan Dwyer
 
PDF
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Security for cloud native workloads
Runcy Oommen
 
BeyondCorp and Zero Trust
Ivan Dwyer
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Microsegmentation from strategy to execution
AlgoSec
 
2018 11-19 improving business agility with security policy automation final
AlgoSec
 
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
CSA SV Threat detection and prediction
Vishwas Manral
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Technologies You Need to Safely Use the Cloud
CloudPassage
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
Dev seccon london 2016 intelliment security
DevSecCon
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
DevOps.com
 
2021 01-13 reducing risk-of_ransomware
AlgoSec
 
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
Build and enforce defense in depth - an algo sec-cisco tetration webinar
AlgoSec
 
compliance made easy. pass your audits stress-free webinar
AlgoSec
 
VMUGIT UC 2013 - 03b Trend Micro
VMUG IT
 
BeyondCorp: Closing the Adherence Gap
Ivan Dwyer
 
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Ad

Similar to Zero trust server management - lightning (20)

PDF
Proven Practices for Office 365 Deployment, Security and Management
Perficient, Inc.
 
PDF
Red Hat Summit - OpenShift Identity Management and Compliance
Marc Boorshtein
 
PPTX
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Max Fritz
 
PPTX
Decentralized access control with anonymous authentication of data stored in ...
LeMeniz Infotech
 
PPTX
Azure Community Tour 2019 - AZUGDK
Peter Selch Dahl
 
PDF
CIS13: Next Generation Privileged Identity Management: A Market Overview
CloudIDSummit
 
PDF
Premier Webcast - Identity Management with Windows Azure AD
uberbaum
 
PPTX
Privileged Access Management (PAM)
danb02
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
PDF
SSL VPN Evaluation Guide
Array Networks
 
PDF
Webinar hiware
Seokminyoon4
 
PDF
Why Should Organizations Secure User Access Across Borderless Workspaces?
SEQRITE
 
PPTX
Secure Application Development InfoShare 2022
Radu Vunvulea
 
PPTX
Taw opening session
Michel Burger
 
PPTX
Secure your Azure Web App 2019
Frans Lytzen
 
PPT
Cloud Security Overview
Heather Axworthy
 
PDF
ClearPass Overview
JoAnna Cheshire
 
PDF
UiPath - IT Automation.pdf
Cristina Vidu
 
PDF
UiPath - IT Automation (1).pdf
Cristina Vidu
 
PPTX
When Your CISO Says No - Security & Compliance in Office 365
Ricardo Wilkins
 
Proven Practices for Office 365 Deployment, Security and Management
Perficient, Inc.
 
Red Hat Summit - OpenShift Identity Management and Compliance
Marc Boorshtein
 
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Max Fritz
 
Decentralized access control with anonymous authentication of data stored in ...
LeMeniz Infotech
 
Azure Community Tour 2019 - AZUGDK
Peter Selch Dahl
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CloudIDSummit
 
Premier Webcast - Identity Management with Windows Azure AD
uberbaum
 
Privileged Access Management (PAM)
danb02
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
SSL VPN Evaluation Guide
Array Networks
 
Webinar hiware
Seokminyoon4
 
Why Should Organizations Secure User Access Across Borderless Workspaces?
SEQRITE
 
Secure Application Development InfoShare 2022
Radu Vunvulea
 
Taw opening session
Michel Burger
 
Secure your Azure Web App 2019
Frans Lytzen
 
Cloud Security Overview
Heather Axworthy
 
ClearPass Overview
JoAnna Cheshire
 
UiPath - IT Automation.pdf
Cristina Vidu
 
UiPath - IT Automation (1).pdf
Cristina Vidu
 
When Your CISO Says No - Security & Compliance in Office 365
Ricardo Wilkins
 
Ad

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
A Presentation on Artificial Intelligence
memembruh336
 
KodekX | Application Modernization Development
KodekX
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 

Zero trust server management - lightning

  • 1. Zero-Trust Server Management Boston DevOps August 2014
  • 2. Traditional server access management has been based on Active Directory and VPN / perimeter
  • 3. Data center - “Chewy interior” Perimeter - “Crunchy exterior”
  • 4. What do you do when your perimeter is taken away?
  • 5. Service A Service B Service C Service D
  • 6. Zero-Trust: No “root” privilege Division of systems into sub-systems Least privilege among all users, machines and code
  • 7. Zero-Trust is the future of infrastructure management http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap
  • 10. What’s the practical challenge to implement zero-trust auth for systems management?
  • 11. Don’t try and use Active Directory in the cloud. It won’t work, for more reasons than I can list here.
  • 12. Front-End Back-End ◁ Corporate, password authentication ◁ Second factor ◁ Location-independent ◁ Public key authentication ◁ No shared keys ◁ Integrated with security “zones” such as cloud accounts and security groups Identity hand-off
  • 13. ssh Corporate Password Authority ssh Bastion Service A Service B ssh Public key and systems authz authority
  • 14. Apply intelligent use of openssh and PAM ◁ Public keys available as a network service ◁ Granular authorization via PAM ◁ Automatic audit of login/logout events
  • 15. Use Bastions to create security zones ◁ Dedicated admin bastion(s) for access to management services such as Chef/Puppet server, log server, Conjur ◁ General-purpose bastions for access to everything else ◁ Let the back-end authz system provide most of the access control
  • 16. Zero-Trust Server Management Boston DevOps August 2014