Hello Teleport Community,
For this week’s newsletter, I’m focusing on infrastructure attacks. Most start as a “Human Error + Pivot” attack: an attacker gets a foothold in a company’s computing resources by exploiting human error, then gains access to adjacent computing resources on the same network. Besides exploiting human emotion, the vulnerability that attackers exploit is the usage of secrets.
This type of attack is well known from cases where users get access to a VPN and are then able to explore much of the network. Google recently put out an excellent documentary about Operation Aurora, and I would highly recommend spending the 18 minutes to watch it. It highlights how even the largest of companies can experience human error and pivot attacks, here with the aim of getting access to SCMs in order to reach the crown jewels: the code that runs Google and 8 other US-based companies.
The resulting collective solution to this problem is to greatly reduce any possible blast radius of an attack. This is where concepts of Zero Trust come in. There is no longer a perimeter; instead, every connection is encrypted, every session must be authenticated, and every client must be authorized and send audit logs. These make up the four pillars of Infrastructure Access: Connectivity, Authentication, Authorization and Audit.
Historically, none of these methods of infrastructure access have been identity-based. They instead relied on data associated with an identity, a shared password, private keys or other secrets. Providing a strong, zero trust and secretless approach requires a move to Identity-Native Infrastructure Access. Similar concepts have been rolled out by the largest tech companies, and it’s the only way to securely scale access. We believe this is an important shift, so much so that we’re writing a book about it.
The first two chapters are now available to download. Please give us feedback in our #identity-based-infrastructure-access Slack channel.
This wraps up this week’s newsletter for Identity-Native Infrastructure Access. If you would like to learn more about Identity-Native Infrastructure Access, I would recommend joining us for Teleport Connect 22.