Overview of Gravitational Teleport: Privileged access management software for elastic infrastructure that doesn't get in the way.

1. Teleport
Privileged access management
for elastic infrastructure
that doesn’t get in the way
April, 2018

2. 2
What is Teleport?
Teleport provides privileged access management for elastic
infrastructure that doesn’t get in the way.
Infosec and systems engineers can secure SSH access to their
infrastructure, meet compliance requirements, reduce operational
overhead, and have complete visibility into access and behavior.
You get security best practices out-of-the-box in a people-friendly
solution that employees will actually enjoy using.

3. 3
Isolate access to critical
infrastructure: Proxies (aka, bastions)
are used as unified access points to
control and monitor activity across the
system.
Time based access: Identity aware,
short-lived certificates are used for
authorization.
Role Based Access Controls: Auth
servers integrate with existing identty
systems and permissions for RBAC.
Security best practices out-of-the-box
Pass Compliance Requirements

4. 4
Sessions recorded: Complete session
logging and recording, including
metadata and user identities, across
entire clusters.
Activity logged: All operational activity
across the system is logged and shipped
to secure logging servers.
Share knowledge: Sessions can be
joined by multiple people, everything is
recorded and available for playback for
root cause analysis.
Everything is recorded and auditable
Visibility into Access and Behavior

5. 5
Access control across region: Server
clusters can be linked together in order
to traverse across infrastructure types
and regions.
Access follows workloads: Role based
access and permissions can follow
dynamic workloads / services.
Works with existing tools: Fully
compatible with OpenSSH and existing
SSH-based automation tools like
configuration management systems.
Designed for multi-region clusters
!
!
!
!!
Built For Modern Infrastructure

6. 6
Reduces Operational Overhead
Simple to configure. Just install a
lightweight Go daemon and a command-
line tool.
Short-lived certs for authorization. No
keys, VPNs, firewalls, jump boxes, or IPs
to manage.
Complete session logging and recording,
including metadata and user identities,
across entire clusters.
Less Setup And Maintenance Doesn’t Get In The Way
Integrates with existing identity management
solutions: SAML, Okta, 0Auth, OpenID
Connect, Auth2, Active Directory, etc.
Choose between a simple command-line
tool or a web client. Works on all major
Operating Systems.
Use with existing OpenSSH server fleets; no
need to lift and replace. All SSH commands
are supported to fit existing end-user and
automation workflows.

7. 7
Trusted in Production
The Teleport open source edition is
widely adopted by teams around
the world.
Security audits have been
conducted by leading security
consulting firms.
Teleport Enterprise is trusted by some of the largest enterprises in
software, finance, healthcare, manufacturing, IT, security, telecom,
government, and other industries.

8. 8
Appendix: Teleport Architecture
For more details visit the Teleport documentation:
https://gravitational.com/teleport/docs/architecture/

9. 9
Appendix: Why not DIY?
Infosec Requirement OpenSSH Teleport
Integration with corporate identity
(SAML / LDAP) and SSO
Two factor authentication
Role based access control (RBAC)
Permissions that follow dynamic workloads
Dynamic configuration at runtime
Audit logging and session recording

10. 10
Appendix: Teleport Use Cases
Access control.
Implement technical policies and
procedures for electronic information
systems that maintain electronic
protected health information to allow
access only to those persons or
software programs that have been
granted access rights as specified in §
164.308(a)(4).
Source: HIPAA §164.312 Technical Safeguards
(https://www.law.cornell.edu/cfr/text/45/164.312)
Achieve regulatory compliance with proper access control policies.
HIPAA
Strong Access Control Measures.
To ensure critical data can only be
accessed by authorized personnel,
systems and processes must be in
place to limit access based on need to
know and according to job
responsibilities. Need to know is when
access rights are granted to only the
least amount of data and privileges
needed to perform a job.
PCI
Privacy by Design.
Article 23 calls for controllers to hold
and process only the data absolutely
necessary for the completion of its
duties (data minimisation), as well as
limiting the access to personal data to
those needing to act out the
processing.
GDPR
Source: PCI Quick Reference Guide
(https://www.pcisecuritystandards.org/pdfs/
pci_ssc_quick_guide.pdf)
Source: GDPR Key Changes
(https://www.eugdpr.org/key-changes.html)

11. 11
Appendix: Teleport Use Cases
Is the production network segmented into
different zones based on security levels?
Do you require multi-factor authentication
(MFA) for employee user authentication to
access your network (local or remote)?
Which groups of staff (individual contractors
and full-time) have access to personal and
sensitive data handed to you?
Satisfy security requirements from enterprise customers.
Which audit trails and logs are kept for systems
and applications with access to customer data?
Are all security events (authentication events,
SSH session commands, privilege elevations) in
production logged?
How are cryptographic keys(key management
system, etc) managed within your system?
Source: Vendor Security Alliance questionnaire (https://www.vendorsecurityalliance.org/questions)

12. Additional Information
Demo: https://youtu.be/bprRpX-4R_0
Docs: gravitational.com/teleport/docs
info@gravitational.com
855-867-2538