Identity-Native Infrastructure Access Management: Preventing Breaches by Eliminating Secrets and Adopting Zero Trust

Cover
Copyright
Table of Contents
Preface
	Who Should Read This Book
	Goals of the Book
	Navigating This Book
	Conventions Used in This Book
	O’Reilly Online Learning
	How to Contact Us
	Acknowledgments
Chapter 1. Introduction: The Pillars of Access
	Most Attacks Are the Same
	Access
		Secure Connectivity
		Authentication
		Authorization
		Audit
	Security Versus Convenience
	Scaling Hardware, Software, and Peopleware
	Identity-Native Infrastructure Access
Chapter 2. Identity
	Identity and Access Management
	Identity and Credentials
		Traditional Approaches to Access
		Identity-Based Credentials
	Establishing Trust in Identity
	Identities in Infrastructure
	Long-Lived Identities
	Ephemeral Identities
	Identity-Native Access
		Identity Storage
		Identity Attestation
		Reducing the Number of Secrets to One
	A Path to Identity-Native Infrastructure Access
		Eliminate Access Silos
		Move to Certificates for Identity Proofing
		Extend Identity-Native Access to Service Accounts
Chapter 3. Secure Connectivity
	Cryptography
		One-Way Functions and Hashing
		Symmetric Encryption
		Asymmetric Encryption
		Certificates as Public Keys
	The Untrusted Network
		Encrypted and Authenticated Connectivity
		Moving Up in the Networking Stack
		Perimeterless Networking for North-South Traffic
		Microsegmentation for East-West Traffic
		Unifying the Infrastructure Connectivity Layer
	Secure Connectivity and Zero Trust
Chapter 4. Authentication
	Evaluating Authentication Methods
		Robustness
		Ubiquity
		Scalability
		Secret-Based Authentication
		Public Key Authentication
		Certificate-Based Authentication
	Multifactor Authentication
	Single Sign-On
		How SSO Works
		Beyond Traditional SSO
	Identity-Native Authentication
		Identity Proofing
		Device Attestation
		WebAuthn
		Authenticating Machines
		Preserving Identity Postauthentication
Chapter 5. Authorization
	Infrastructure Protects Data
	Types of Authorization
		Discretionary Access Control
		Mandatory Access Control
		The Bell–LaPadula Model
		Multics
		Mandatory Access Control in Linux
		Nondiscretionary Access Control
	Privilege Management
		Principle of Least Privilege
		Zero Standing Privilege
		Just-in-Time Access
		Dual Authorization
	Challenges in Authorization
		Access Silos
		Privilege Classification
		Authorization for Machines
		Complexity and Granularity
	Identity and Zero Trust
		Identity First
		Single Source of Policy Truth
		Context-Driven Access
		Identity-Aware Proxy
Chapter 6. Auditing
	Types of Logs
		Audit Logs
		Session Recordings
	Logging at Different Layers
		Host Logging
		Network Monitoring
		Log Aggregation
	Security Information and Event Management (SIEM)
	Log Schemas
	Storage Trade-Offs and Techniques
	Evolution of the Cloud Data Warehouse
	Log Analysis Techniques
		Log Analysis Example: Modern Ransomware Attack
	Auditing and Logging in an Identity-Native System
Chapter 7. Scaling Access: An Example Using Teleport
	Access at Scale
	Identity-Native Access Checklist
	Necessary Components
	The Teleport Infrastructure Access Platform
		The Cluster
		How Teleport Works
		Managing Users
		Managing Client Devices
		Managing Permissions
		Managing Audit
		Zero Trust Configuration
	Living the Principles of Identity-Native Access
Chapter 8. A Call to Action
	Security and Convenience at Scale
	The Future of Trust
	Infrastructure as One Big Machine
	The Future of Security Threats
	Closing Words
Index
About the Authors
Colophon