Scaling Enterprise DevOps Security With Machine Identity – SSH
August 10, 2015 | DevOps | Kevin Gilpin
In our last post we talked about how secrets management impacts enterprise DevOps security. Today we are going to shift our focus to another important piece of the puzzle – SSH Management.
SSH is the de-facto standard for logging into Linux machines. And it’s not just a tool for human administrators to access their machines; it’s also a very important facility for machine-to-machine access.
Small Scale A centrally managed LDAP server and a rack of machines or small cloud operation within the same premise (cloud account or data center). Ops is (carefully) managing the LDAP server, and also performing the systems admin over SSH.
Large Scale A global system, being managed by an operations team with oversight from security. Both developers and ops are using SSH access to machines, for tightly controlled purposes. Security has a reporting interface which shows the policies and behavior of the system. SSH is centrally managed and scaled globally.
Like secrets management, SSH management is composed of two parts : authentication and authorization. Authentication can be provided by passwords (bad), public keys (better), or two-factor authentication (best). Unfortunately, the de-facto standard for SSH authorization is LDAP, a technology which was originally developed in the 1980s to implement telephone directories.
In LDAP, users are organized into groups, and then access to machines is granted by configuring each machine with an LDAP “search” which is supposed to return the list of users with access to that machine. However, the LDAP “search” model is weak. Typically, the only way to give a new user access to a machine is to add them to a group that already has the desired access. And, as a side effect, the user also gets access to every other machine which is using the same (or similar) LDAP search.
In addition to this lack of granularity, LDAP is also very cumbersome to manage compared to modern API-driven products, and high-availability LDAP doesn’t work in global cloud or hybrid deployments.
With machine identity, it’s possible to deliver much better SSH granularity. Using a thin LDAP capability on top of role-based access control, each machine authenticates (“binds”) using its own unique identity. As a result, LDAP searches performed by that machine are automatically scoped and filtered to only the users with access to that machine. The LDAP “search” string becomes irrelevant, because each client machine already has its own distinct user list.