Ensuring users have access only to the resources they need, aka least privilege, is great. But have you considered granting that access only when it is needed?
This talk will introduce the concept of granting 'Just-in-Time Access'. Securing an endpoint is more than patching and vulnerability management. Controlling who can access it, when, and with what permissions also secures an endpoint. Access should be granted only when a user actually needs to connect to a system. Management ports such as SSH's port 22 do not need to be open for the world to connect to and probe. Database credentials do not need to last forever.
This approach limits the damage that can be caused by an account -- privileged or otherwise -- by reducing the window in which an attacker can gain access to the account, as well as the time they have to move laterally from a compromised account before losing access.
The short explanation of Just-in-Time Access is providing short-term access in real time. It is a relatively new term in the industry and is another way to practise the least-privilege best practice.
Key Takeaways:
• The benefits to Just-in-Time access for security and operations
o Improved visibility
o Minimize damage from compromised accounts
o Operational efficiency
• How SSH can be replaced with AWS SSM sessions
o Direct SSH replacement
o SSH reverse proxy
• How Just in Time Access for database credentials can help
o Example: Hashicorp Vault
o Example: Akeyless
• Resources for learning more
2. WHOAMI
➜ Principal Security Analyst in a cool as team
➜ A security practitioner with 10 years experience (where did the time go)
➜ Pentester > blue teamer > security manager > Security Analyst > Growing towards cloud
➜ Big 4, and SMB
Linkedin
https://www.linkedin.com/in/haydnjohnson/
Twitter:
https://twitter.com/haydnjohnson
3. Outline
➜ Just in Time Access? The what, why and how
➜ How JIT benefits operations and security
➜ Examples with: AWS SSM Sessions, Akeyless, Hashicorp Vault
➜ Resources for learning more
5. Just in Time access (JIT)
➜ Provides short-term access in real time / "as needed access"
➜ Different from providing standing, open access
➜ It is a fundamental security best practice
➜ Also known as "true least privilege"
6. But securing the endpoint
How does this relate to securing the endpoint?
8. JIT - From an Operations perspective
➜ Managing access can become complicated - very quickly
➜ Knowing when to rotate everyone’s secrets has to be tracked
➜ Different software for different systems
9. JIT - From a security perspective
Attackers are ALWAYS:
➜ searching
➜ scanning ports
➜ attempting to crack credentials
➜ ... always doing something
The goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports, and credentials that exist for as short a time as possible.
- Reduce open ports
- Reduce the time a password exists (preferably the whole account)
11. SSH
SSH is the protocol most commonly used for remote command-line access
Command-line execution happens at the operating system level
➜ Used to manage servers and applications
➜ Apply OS updates
➜ Connects over TCP port 22 by default
14. Default state for SSH
Requires:
➜ port 22 OPEN (reachable) on each system
➜ SSH credentials (a password or key pair) for a user to authenticate
15. SSH issues
From an Ops perspective:
➜ Can become difficult to manage at scale
➜ User accounts and credentials sprawl everywhere
From a security perspective:
➜ Many systems exposed via port 22
➜ Credentials can be difficult to rotate or revoke
➜ Once a credential (for example a key pair reused across hosts) is exposed, the attacker has access to multiple systems
How can these limitations be improved?
19. Hence the bastion host
Operations teams will use a bastion host, aka jump host, that forwards connections.
The bastion host is a hardened machine used only to forward connections to the hosts behind it. It narrows what is exposed to one host, but port 22 is still open on that host, and the SSH credentials behind it still have to be managed, rotated and revoked.
23. AWS Systems Manager (SSM)
AWS Systems Manager (SSM) can:
➜ View & control resources on AWS
➜ View operational data
➜ Automate tasks
➜ Help maintain security and compliance
A managed node is any machine configured for Systems Manager.
➜ Systems Manager supports EC2 instances, edge devices, and on-premises servers and virtual machines (VMs)
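The two patterns from the takeaways (direct SSH replacement, and SSH proxied through SSM) as an added example that is not part of the original talk. It assumes an EC2 instance whose instance profile carries the AmazonSSMManagedInstanceCore managed policy and runs the SSM Agent, the Session Manager plugin installed alongside the AWS CLI, and a hypothetical tag Team=platform used to scope who may open sessions; the instance ID is a placeholder. The IAM statements follow the structure AWS documents for end-user Session Manager policies.

```shell
#!/usr/bin/env bash
# Added example: replacing SSH with SSM Session Manager.
# Assumed/hypothetical: instance ID, the Team=platform tag, and an
# instance profile that already allows the SSM Agent to register.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # hypothetical ID

# 1. Direct SSH replacement: an interactive shell with no inbound port 22 and
#    no SSH key. Authentication and authorisation are IAM; SSM records the session.
ssm_shell() {
    aws ssm start-session --target "$1"
}

# 2. SSH through SSM: keep using ssh/scp/rsync, but tunnel port 22 over the SSM
#    channel. This renders the ~/.ssh/config stanza; the instance's security
#    group can then drop its inbound 22 rule entirely.
ssm_ssh_config() {
    cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
EOF
}

# 3. Least-privilege IAM policy for the *user*: sessions only on instances that
#    carry the chosen tag, only via the two session documents used above, and
#    resume/terminate limited to the user's own sessions.
ssm_user_policy() {
    tag_key="$1"; tag_value="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ssm:resourceTag/${tag_key}": "${tag_value}"}}
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ],
      "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                 "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Dispatch; with no argument nothing touches AWS.
case "${1:-}" in
    shell)  ssm_shell "$INSTANCE_ID" ;;
    config) ssm_ssh_config ;;
    policy) ssm_user_policy Team platform ;;
    *)      : ;;
esac
```

With the stanza in place, `ssh i-0123456789abcdef0` (or `scp`, `rsync -e ssh`) works unchanged while the instance has no inbound rule at all: the agent only makes outbound connections to the SSM endpoints. Access is granted by IAM at the moment the session starts and ends when the session ends, and because the tag condition is evaluated on every StartSession, removing the tag or the user's policy revokes access immediately with nothing to rotate on the host.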
42. Database credentials
Database credentials allow a user to access a database.
A user can have different permissions in a database:
➜ Read only
➜ CRUD - Create, Read, Update, Delete
➜ Access certain tables and not others
➜ Others
45. Why does this happen
➜ It can become unmanageable
➜ It does not scale
➜ It is easier to give a user the same credentials to access all the databases, typically through a handful of shared accounts:
- Read only group
- CRUD only group
- Admin group
54. Hashicorp Vault
Hashicorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.
55. Hashicorp Vault - setup
➜ Policy - what users can and cannot access within Vault (not the DB)
➜ Role - which user is created on the DB, with what SQL and what TTL, when credentials are requested for this role
➜ Config - which database to create the user on
56. Hashicorp Vault - Roles
vault write database/roles/ROLE_A db_name=config_A
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED
BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
default_ttl="1h" max_ttl="24h"
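The three components from the setup slide (config, role, policy) carried through to a consumer actually fetching and revoking a credential, as an added example that is not part of the original talk. It keeps the slide's ROLE_A / config_A names and assumes a MySQL server at the hypothetical address mysql.internal:3306, a bootstrap account "vault-admin" (assumed) that is allowed to CREATE USER, GRANT and DROP USER, and a shell where VAULT_ADDR and an admin VAULT_TOKEN are already exported.

```shell
#!/usr/bin/env bash
# Added example: Vault database secrets engine, end to end, for MySQL.
# Assumed/hypothetical: DB_HOST, the "vault-admin" bootstrap account and
# VAULT_DB_BOOTSTRAP_PASSWORD; VAULT_ADDR/VAULT_TOKEN must already be set.
set -eu

DB_HOST="${DB_HOST:-mysql.internal:3306}"

# Config: which database to create users on. allowed_roles pins this
# connection to the roles that may use it. rotate-root hands the bootstrap
# password over to Vault, so no human keeps a long-lived DB admin credential.
vault_db_config() {
  vault secrets enable database
  vault write database/config/config_A \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(${DB_HOST})/" \
    allowed_roles="ROLE_A" \
    username="vault-admin" \
    password="${VAULT_DB_BOOTSTRAP_PASSWORD:?export the bootstrap password}"
  vault write -force database/rotate-root/config_A
}

# Role: the slide's read-only role, plus an explicit revocation statement so an
# expired or revoked lease also removes the MySQL account it created.
vault_db_role() {
  vault write database/roles/ROLE_A db_name=config_A \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    revocation_statements="DROP USER '{{name}}'@'%';" \
    default_ttl="1h" max_ttl="24h"
}

# Policy: what a consumer may touch inside Vault. Only the creds path for this
# one role, read-only; nothing under database/config or database/roles.
readonly_db_policy() {
  cat <<'EOF'
path "database/creds/ROLE_A" {
  capabilities = ["read"]
}
EOF
}

vault_db_policy() {
  readonly_db_policy | vault policy write db-readonly-ROLE_A -
}

# Consumer: each read mints a fresh user/password pair with its own lease.
# The JSON carries username, password, lease_id and lease_duration (3600).
jit_db_creds() {
  vault read -format=json database/creds/ROLE_A
}

# Revoke one lease early instead of waiting out the TTL. After a suspected
# compromise, "vault lease revoke -prefix database/creds/ROLE_A" drops every
# outstanding credential issued from the role at once.
revoke_db_creds() {
  vault lease revoke "$1"
}

# Dispatch; with no argument nothing talks to Vault.
case "${1:-}" in
  setup)  vault_db_config; vault_db_role; vault_db_policy ;;
  creds)  jit_db_creds ;;
  revoke) revoke_db_creds "$2" ;;
  *)      : ;;
esac
```

Two points worth checking before relying on this: the bootstrap account must hold the privileges it delegates (CREATE USER and GRANT OPTION on the objects the role grants), and after rotate-root the original bootstrap password no longer works anywhere, which is the intent. A consumer holding only db-readonly-ROLE_A can mint credentials that die after at most max_ttl, but cannot read or change the config that would let it mint something stronger.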
60. To Wrap up
➜ Just in Time access is another way to secure an endpoint or a database
➜ There are many operational and security benefits to Just in Time access
- It just requires forethought and setup beforehand
Q&A
61. References
Just-in-Time Access
What is Just-in-Time (JIT) access? - https://thycotic.com/glossary/just-in-time-access/
Understanding just-in-time (JIT) VM access - https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
Terraform AWS VPC module - https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest
Editor's Notes
Quick intro of myself
Outline will be:
I prefer the term "as needed access": you receive access when you need it
Most people when securing the endpoint think of the network and application running on it.
But it is more than that
Securing the endpoint also includes who can access it, when and how. And WHAT access they have
How easy is it to give or remove access
How long do credentials live, all the things
Maintaining users access can be quite the job from an Operational perspective
Managing a few users is one thing, managing a hundred or much more is another
compliance
1 set of key pairs for multiple system, so it becomes a single point of failure
Remote friendly
So one solution that helps with these issues is AWS SSM sessions,
So what is the SSM Session
First of we need to understand what AWS SSM is
Or the AWS Systems Manager
Which is a central place to view and manage AWS resources
This is a really great native service by AWS, as it allows many operations features and benefits
I would say its devopsy. I'm not an expert in devops, but it can certainly help automate a lot on the ops side of the house.
Here are some example screenshots. AWS SSM ingests data from systems and analyzes it, allowing different outputs of the data
So first off we have the compliance resources summary. There are 28, and 2 non-compliant; this could be against a kernel version that you set
The inventory coverage type explains what it's covering, so the components of a system, the applications and detailed instance information
So far this was just AWS SSM. What we are really talking about today, especially with replacing SSH, is the AWS SSM Agent. This sits on EC2 instances to collect the data. But the real magic is that you can connect to the system via the AWS SSM Agent
The cool thing is that the AWS SSM Agent can be installed on multiple systems
So with AWS SSM sessions, it doesn't need port 22, or SSH keys
A user gains access as needed, when they want and when finished the access is removed.
So going back to our bastion situation
Multiple systems can be compromised
The life of the secret can allow an attacker to sit and wait
Multiple systems must have their passwords revoked and reset
Very similar to Akeyless, except no SaaS platform in the middle
The configuration for Vault is more complicated, but more versatile. It takes a little bit to get used to
The 3 main components in giving someone access to a database are the following:
An example role here, the important bit being the creation statement, when connecting to the database
Here is a config.
It's a connection URL; this is an example for a DB that's local, but in the demo