Secure Remote Access: Akeyless Product Demo
Ori Mankali, VP R&D, Akeyless
Ori is a highly experienced and skilled software engineering leader. Ori masters a large variety of technologies, including Embedded Linux, Internet Protocol Suite (TCP/IP), Debugging, Multithreading, and Unix. Among his previous roles were Manager of Software Development at AWS and a Senior Software Engineer at Check Point Security.
Hello, everyone. My name is Ori. I’m super excited to be here at KeyConf in New York City. Unlike my colleagues, who provided super-interesting lectures, I’m going to show you a quick demo, an overview of the system and the platform. I actually logged into our web interface, Web UI, which is mostly for administrative access and management. And it’s also a nice visual presentation of the secrets and the items that will work. But it’s important to say, as previous folks have mentioned, that the majority of the access to secrets is coming from workloads machines. And therefore, we have multiple integrations. The command line interface, of course, which can also be used by humans, but for automation scripts, as well as SDKs and plugins for various DevOps toolchains. So, basically, anything that I’m going to show here is accessible through one of the interfaces that we exposed. Being the API-driven platform that we are allows us to have full feature parity with everything that is on the web, CLI or SDK.
The secrets that we manage are basically stored in a file system like structure. So, you have folders. And in each folder, you can manage 1 or more secrets, and they can have subfolders, and so on and so forth. This also makes it easier to manage the access and permissions to those kinds of secrets. Typically, our customers choose to have a hierarchy of the environment that they’re working in, and then the specific business unit or projects. But this can vary based on the customer’s needs.
The types of secrets that we are managing are obviously the static secret, which is the basic element of key value where the value is being encrypted by the DFC technology. Rotated secret, which is the administrative access that can, once in a while, based on the configuration, rotate the administrative credential. Dr. Cunningham was mentioning the hassle of doing that every so often. And this is one of the benefits of using our platform, this is done automatically without even thinking about it.
The dynamic secret is a concept of just in time access, meaning that anytime that you need access to a certain resource, then new credentials will be generated for you. And this is also bounded by time with a TTL that is configurable. And also, SSH certificate issuing and PKI certificate issuing, which are also part of the just in time concept, by signing short-lived certificates, we allow machines to authenticate against a target resource and actually expire after a certain amount of time and no longer be usable. This is basically implementing the Zero Standing Privileges that was also mentioned before.
In terms of authentication methods, which I think is one of the key benefits of using the Akeyless platform, there are a variety of workloads and techniques to authenticate to the platform, starting by using the cloud native identity and access management. So, if you’re running on AWS or Azure or GCP, you can just authenticate using the identity of the resource that you’re running from. Same goes for humans that can use protocols like OpenID Connect and SAML, as well as the Universal Identity, which is our own proprietary authentication method to address the Secret Zero problem, and when talking about legacy or maybe on-premise infrastructure that does not have Trusted Identity.
All of that is basically combined into a role-based access control implementation. You can create a bunch of roles. Each role can be associated with one or more authentication methods. And even using claims or attributes coming from your IDP. And this can grant you access to certain secrets based on their location, as you can see here.
The concept of targets is trying to make the management of resources in our corporate network much easier. Because some of the secrets need to be provisioned, for example, the just in time access, the rotated secrets and so on, and we want to reuse existing resources, we created an object called targets which can also contain a secret, the credentials to that target. And we can reuse it by creating different permission profiles to different kinds of users.
We talked about the architecture of having the Akeyless gateway. The Akeyless gateway is kind of an extension of our SaaS. We’d like to see that this way. It’s a stateless Docker container that can run as part of your local orchestration. It doesn’t mean that it needs to run on-premise. It can run on your cloud subscription. But it gives us the ability to communicate with local resources without exposing them to the internet, so without opening any port. Each gateway is basically acting as a cluster, logical cluster, and can show you the list of rotated secrets managed there, the dynamic secret, and the number of instances composing this logical cluster. And this is easily manageable. You can see the last report time, the versions that are running, and so on and so forth.
In terms of control and usability, we allow administrators to have full idea of what’s going on in their environment, how many secrets they have, how many of each kind, the number of clients authenticating. This is just a demo account, so showing very minimal number, but you get the idea. And also, the separation per product that gives you some glance about the activity and workloads.
Being an enterprise-grade solution, we also need to reflect the audit logs and the access to different resources by specific individuals. These logs can be forwarded to your existing log systems, so it’s easily trackable and manageable. And insights of analytics can give you some idea about the geographic locations request made from number of secrets and transaction per specific time unit, and the request volume as well as the time it took for average. So, you basically have full control of the secrets in a click of a button.
We talked about the integrations. So, I think the next thing I’m going to show you is what we can do to work with the platform. We’ll start by secret management, which is, as I mentioned, mostly for machines. And I have configured my gateway here. So, I’m going to sign in and show you how easy it is to migrate secrets into the Akeyless platform as part of the transition from another vault or previous vault solution. In this case, we have built a tool to migrate secrets from an existing secret store. I have set up my cluster here, and simply basically, configured the target location.
If I go back to the console and visit this folder, I will see that they have 2 secrets now. And in this example, here, in a simple click of a button, the synchronization process begins. And after a while, you will be able to see in a matter of seconds that I’m able to migrate hundreds of secrets into the Akeyless platform without the hassle of writing automation and migration scripts and making sure that it works. So, I’m starting to see the secrets there. I have just illustrated folders with all the secrets there. And everything is easily migrated to the new platform.
We’ll go back to the previous folder, and I show you that I have 2 dynamic secrets, which can be consumed by machines, as I mentioned, as part of your CI/CD pipeline, for example, and can also be consumed using the web UI. And basically, by clicking this button, I just generated new credentials to my AWS demo account, which contains also the key ID and the secret key. Obviously, it’s not the full. And it’s also short-lived by nature, and it has a predefined TTL.
Same goes for other types of dynamic secrets. For example, I have the ability to retrieve a GCP token to use in my workload environment. And I can also use it for generating session tokens for Kubernetes clusters, and so on and so forth.
Next thing that I want to show is the configuration of rotated secrets, and how easy it is to make your environment secure, limited or bounded by time without the hassle of going manually to each and every target and resource and modifying the password to have the right complexity and to do that in a timely manner.
So, in this case, I just configured a MySQL database administrative user. I associated it with an existing target, because I already have one I used for dynamic secrets. I configure the administrative user, in this case, it’s my name. And I currently have a password that was used for break glass cases, scenarios. And this password is stored as a secret in the Akeyless platform. This is obviously randomly generated and expires or rotated every so often. In my case, it’s every 10 days. And I can also trigger the rotation to be done manually at this point in time.
Once I’m clicking that, at this very moment, there was an interaction between the gateway and the target resource. And the gateway was in charge of modifying the password to a new one based on the policy that was scheduled. And this is the new password we have just rotated once again for security. And then, you can also see all the previous version and manage them that were rotated before. I can also view previous one. I can restore them if I’d like in case some catastrophe happens, and so on and so forth.
The types of secrets that we support are various dynamic secrets. We can rotate API tokens, passwords for databases, and for most of the resources, Linux machines, Windows boxes, and so on and so forth. And just to give you a glance about the types of dynamic secrets that we have as well. So, variety of databases, all of them are natively supported by Akeyless, RDP access, generation of cloud identities for all the major cloud providers, Kubernetes access, and so on and so forth.
Oded was just a few minutes ago presenting our secure remote access offering, which is a relatively new product that we’re launching. And it’s important to say that our platform is basically unifying everything into one place. So, this is the secret management, as well as the secure remote access and everything else is managed there. So, the concept of having the role-based access control also controls the secure remote access.
In terms of usability and usage, we have 3 different ways to allow humans to connect to different resources. We support the web access using a proprietary web portal that we developed. We support command line interface. We support the use of native desktop applications in some particular applications that support that.
So, I’m going to start by showing how the portal looks like. First of all, you need to select the authentication method to allow humans to connect. In my case, I chose my identity provider. And the portal is as simple as logging into my account. In this case, I can incorporate the multi-factor authentication to make sure that I have all the authentication parts completed. And based on my permission profile, based on my role defined on the Akeyless platform, I’m getting a populated list, a generated list of applications that I’m authorized to use. All of them are using ephemeral credentials, either dynamic secrets, SSH certificates, or anything that is bounded by time. And whenever I click the button, only then the Bastion, the Akeyless Bastion is the one generating the credentials and allowing you to have access to the target resource.
And as you can see, we have a variety of applications that we support natively, starting from various databases, Kubernetes access, SSH, remote desktop, and so on and so forth. Just I’ll give you some examples. In the MySQL example, we have web and command line interface. When I’m clicking on the web, I’m basically being directed to web client. The credentials that were used to authenticate were just generated in a glance of a moment. We can see them here. This is the temporary user that was used to do the command. And also, you can run queries on the database. This is randomly generated data, and as well as SQL command to that target. Same goes for any database that we have. And also, we have the command line interface, which is just giving you a web access to the CLI, the native CLI of this particular database. And I can run all the queries that I want here, something like that. Let me see.
And this is based on the permission profile that I have. So, I have access to specific database to a specific table there. I guess that I need to check. Anyway, you get the idea. And also, other applications like SSH and RDP, and so on and so forth. Just to show you how easy it is to access using the native terminal. So, I can run a command that using the Akeyless Connect command to allow me to connect to my Kubernetes cluster using the standard kubectl command. Keep in mind that I don’t need to run the Native Client on my laptop. It’s sufficient to have that on the Akeyless Bastion itself. This also helps when you want to have security patches to all the endpoints. So, it’s as simple as upgrading the Akeyless Bastion to the latest and most patched version. I configure it to use my SAML authentication, even though I can use any kind of authentication methods, if I’m running from AWS or Azure or any other cloud provider can use, the native identity and access management to authenticate. This is just an example.
And when I do that, basically, I’m successfully authenticating. I can go back to my CLI. I see that my temporary session is being provisioned at the moment, and I’m landing on a shell that is generated on the bastion itself. Here, I can run all sorts of commands to show the existing pods, during pods, executing into a pod, logging into it. So, you basically can do everything you want. And this is just from the CLI. This is also supported using native desktop applications without having the credentials reaching to the endpoint.
Another example that I have is using SSH. Typically, when using SSH, most of the users are using public key authentication, which means that you have a very secure private key on your endpoint, and you need to upload the public key to the server side. But the main problem with that is the management that you need to revoke access to send an application, it’s not limited by time. And using SSL certificate to basically achieving a good and secure replacement to that there, there is no dynamic configuration on the server side. It’s a single line of configuration that allows you to have access to the target server.
So, in this case, basically what I’m doing, just pointing to the target server. And this hostname is basically being resolved on the SSH Bastion. And I’m directing it to go to a Bastion. Again, temporary session will be configured. Temporary credentials based on SSH certificate will be generated at the moment. And I’m logging into the server, and I can run whatever commands that I want here as a specific user.
And important to say that everything, every command that I run here, both for the Kubernetes and MySQL and anything else, is audited and recorded in your existing log services. So, when I did that, all I need to do is to go to my log service and just see that all the session was forwarded to this server. This can be tracked. Alerts can be defined in case some unauthorized command has been executed. Revocation process is super simple. It’s as simple as going to the role-based access control and revoking access from the user that performed this operation, and so on and so forth. This gives you full control and visibility for the entire activity of your workload, applications, automations, humans and so on.
The last thing that I want to show as part of that demonstration is the ability to revoke access for existing sessions. It doesn’t mean that I just prevent you from future logins, I can also terminate and control security incidents by revoking access immediately.
So, in my case, I’m going to show that using the remote desktop protocol. So, I’m actually using the same concept, generating just in time credentials for this Windows machine. In this case, it’s using temporary access, but it can also be supported on domain users. I’m logging into my Windows machine, and basically can perform any administrative tasks that I need to do.
Now, when I’m going back to the gateway, as an administrator, I can search for the right producer, right dynamic secret generator, and see that I have an existing outstanding session that is already generated. It was configured to have 15 minutes TTL. And right now, you see the counter is going down. I can modify that and extend it to something larger than that if I want to control the session. This can also be done automatically. But I can also revoke the session when I want to. So, this is still running, just in another tab. And what I’m going to do now is just, as an administrator, revoke the access from this specific user. What’s going to happen behind the scene is that the gateway will communicate with this resource, in this case, it’s a Windows machine, delete the user, and log it off immediately without the ability to modify that. So, when I’m revoking here, I’m going to track that. As you can see, the session was terminated immediately. This can be done for any applications because you’re going through the Akeyless Bastion. So, the connection is not being done directly from the endpoint to the target. And the Bastion is allowing us to have the session recording and session management and revocation in a click of a button.
That’s in short about the platform. I was very focused on showing the highlights of things. There are more features to show, more products to be released. And I’ll be happy to take offline any questions you may have in the corridor. Thank you very much, guys.