Bastion hosts from all of our cloud environments are centrally managed, organized into projects, and assigned user entitlements based on Okta groups. Okta ASA enables our engineers to easily discover bastion hosts they have access to with one simple command sft list-servers. Regardless of where the bastion host is, users can access them all through the same method. This also greatly increases the usability for engineers. Solutions that can be used on any cloud provider, and integrated with any identity provider are best. There are some great cloud provider specific products for bastion hosts and SSH management(AWS SSM, GCP OS Login, etc.), but in order to be strategic and avoid vendor lock-in, it is important to remain cloud provider agnostic.
With this, our engineers are able to securely log on to our bastion hosts nearly as easily as any SaaS app! The ASA client brokers short lived SSH certificates for the user, based on their identity. With Okta ASA, engineers no longer need to juggle holding onto static SSH keys. We enforce MFA when authenticating to Okta, and therefore access to our bastion hosts are protected by MFA. Rather than manually adding and removing static SSH keys for individual users, you can centrally manage this process with groups within your identity provider.Īt Sigma Computing we use Okta for Single Sign-On (SSO) combined with Okta Advanced Server Access (ASA) for SSH certificate and server management. Combine using your identity provider with using a Certificate Authority for managing SSH certificates, and you’ll have an excellent way to automate user lifecycle management. Using your identity provider for authentication & authorization introduces multiple benefits. Introducing identity based authentication solves this problem. The world is moving toward passwordless authentication methods, and so should our bastion hosts. This isn’t great from a security perspective and is difficult to scale. Traditionally bastions hosts may have used standard static credential authentication, and perhaps directly granted access to resources once on the network. The ideal “Modern Bastion Host” has the following traits: What is a Bastion Host?Ī server whose purpose is to provide access to a private network from an external network, such as the Internet. Thankfully, modern bastion host technology makes this achievable while being user friendly. There are still great security benefits to having network layers for defense in depth.
In the modern world of networking, where do bastion hosts fit in? Even in a perfect world of Zero Trust with extremely robust user and device identity based authentication, it would still be risky to have all of your infrastructure publicly accessible.
0 kommentar(er)
