The Access Management System emerged in response to a client request: give employees simple but secure access to the information they need to do their work, and ensure they can reach only the data they are allowed to see.

Challenge

Every IT team regularly handles large amounts of sensitive information in their work. The ever-present challenge is how to keep confidential and private information safe, and to manage, store, and transmit secrets in a swift manner.

Criteria

There are four crucial points for keeping private data secure and complying with the GDPR rules:

Role-based approach – the IT team must ensure each employee is granted a specific access level based on that individual’s role in the project.

Fast response to role changes – the system or its administrators must revoke access privileges in a safe, simple and swift way based on pre-determined triggers tied to each employee’s status: promotion, resignation, termination, changes in responsibilities, etc.

Diverse nature of the secrets provided – for example, a login/password pair for an app’s web interface, an API token and a server SSH credential are very different kinds of secret and cannot be handled the same way.

Lack of ready-made solutions for small to mid-sized teams – an initial investigation revealed several implementation options, but all fell short of the requirements:

a. Large, highly customizable software (ScaleFT/Centrify) targets enterprise-level deployments. Implementing it is too expensive and too cumbersome for smaller businesses.

b. All available open-source solutions (e.g., FreeIPA, PBIS) are heavy-duty and require installing extra components and dependencies on the target server (sometimes even integration into directory services like ‘Active Directory’), which rarely makes clients happy.

Solution

It took a year of R&D for our DevOps team to prepare its own package.

Fortunately, the IT Craft DevOps team also uses dozens of ‘diverse’ secrets in its own workflow; hence all the above-stated challenges apply to our processes as well.

At the first stage, we divided all secrets into three categories:

  • devops methodologies
  • management services
  • API token

The DevOps team’s goal was to integrate solutions for all three categories into one common platform under the working name ‘Access management solution’. The team uses centralized LDAP user authentication that also functions as the host inventory.

Basically, the LDAP directory is the ‘single point of truth’ here and integrates with every service involved in the safe storage of all three types of secret:

Infrastructure access (servers – SSH/RDP)

The Secure Access Management System uses a bastion host provisioned as a container and integrated into our LDAP service; the bastion, in turn, runs a Vault SSH Secrets Engine with our own CA (a self-signed certification authority certificate) for issuing user SSH certificates. Every user logs into the bastion, with MFA (multi-factor authentication) mandatory. If the user has no MFA yet, it is generated during the user’s first login, after LDAP authentication has passed. Upon login, the current SSH certificate is verified automatically; if it has expired, the system issues a new one. To do this, the SSH signer service performs a number of security checks in LDAP (it examines user status and role and the TTL [time-to-live] of the certificate) and signs a user certificate with the system CA, taking all needed user attributes from LDAP. At signing time, each certificate receives an expiration time and a principal (the user’s role).
With help from the SSH configuration panel, client hosts have been configured to trust certificates signed by our CA. The client host checks the certificate attributes, including expiration time and principals, and grants or refuses access based on the values specified in the certificate. In addition, a reissue cycle runs every x hours (as many as needed; for us, 8 or 12 hours, depending on the length of a shift) to reissue all certificates while performing all required security checks in LDAP.
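The issue-and-verify cycle described above, written out as an added example (this is not IT Craft’s code and not the Vault SSH secrets engine): the signer’s LDAP checks, the role-to-principal mapping, the shift-length TTL, the bastion’s reuse-or-reissue decision, and the host-side check of CA signature, expiry and principals. The LDAP records, role mapping, shift lengths, host principal lists and the HMAC stand-in for the CA signature are all constructed assumptions; in the real flow Vault signs the key with the CA and sshd verifies it via TrustedUserCAKeys and AuthorizedPrincipalsFile.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the CA private key; in the real flow Vault's SSH
# secrets engine holds the CA and signs with it.
CA_KEY = b"constructed-ca-secret-for-illustration-only"

# Constructed stand-in for the LDAP directory: uid -> attributes the signer checks.
LDAP_USERS = {
    "alice": {"status": "active", "role": "devops", "mfa_enrolled": True, "shift_hours": 12},
    "bob": {"status": "active", "role": "developer", "mfa_enrolled": True, "shift_hours": 8},
    "carol": {"status": "terminated", "role": "devops", "mfa_enrolled": True, "shift_hours": 8},
}

# Constructed role -> principals mapping. Hosts authorize by principal, so a
# role change in LDAP changes what the next certificate can reach.
ROLE_PRINCIPALS = {"devops": ["devops", "developer"], "developer": ["developer"]}

T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # constructed shift start for the demo


def hours(n):
    return timedelta(hours=n)


class SigningRefused(Exception):
    pass


def refusal_reason(uid, ldap=LDAP_USERS):
    """The signer's LDAP checks: returns None if uid may be issued a certificate."""
    user = ldap.get(uid)
    if user is None or user["status"] != "active":
        return "user missing or not active"
    if not user["mfa_enrolled"]:
        return "MFA not enrolled"
    if user["role"] not in ROLE_PRINCIPALS:
        return f"role {user['role']!r} maps to no principals"
    return None


def _canonical(cert):
    """Bytes the CA signs: every field a host relies on, in a fixed order."""
    body = {k: cert[k] for k in ("key_id", "public_key", "principals", "valid_after", "valid_before")}
    body["valid_after"] = body["valid_after"].isoformat()
    body["valid_before"] = body["valid_before"].isoformat()
    return json.dumps(body, sort_keys=True).encode()


def _ca_signature(cert):
    return hmac.new(CA_KEY, _canonical(cert), hashlib.sha256).hexdigest()


def sign_certificate(uid, public_key, now, ldap=LDAP_USERS):
    """Issue a short-lived certificate once the LDAP checks pass.

    The public key, principals and TTL below are what a real signer sends to
    Vault's ssh/sign/<role> endpoint as public_key, valid_principals and ttl.
    """
    reason = refusal_reason(uid, ldap)
    if reason:
        raise SigningRefused(f"{uid}: {reason}")
    user = ldap[uid]
    cert = {
        "key_id": f"{uid}@bastion",
        "public_key": public_key,
        "principals": list(ROLE_PRINCIPALS[user["role"]]),
        "valid_after": now,
        "valid_before": now + hours(user["shift_hours"]),  # TTL = length of the shift
    }
    cert["signature"] = _ca_signature(cert)
    return cert


def certificate_is_current(cert, now):
    return cert["valid_after"] <= now < cert["valid_before"]


def host_accepts(cert, account, now, authorized_principals):
    """What a client host does with a presented certificate: the CA signature
    must verify, the validity window must contain `now`, and one of the
    certificate's principals must be authorized for the target account."""
    if not hmac.compare_digest(cert.get("signature", ""), _ca_signature(cert)):
        return False  # not signed by our CA, or a field was altered after signing
    if not certificate_is_current(cert, now):
        return False
    return any(p in authorized_principals.get(account, set()) for p in cert["principals"])


def bastion_login(uid, public_key, cert, now, ldap=LDAP_USERS):
    """Bastion login: keep a still-valid certificate, otherwise re-run the LDAP
    checks and reissue. A copied certificate is useless once its window ends."""
    if cert is not None and certificate_is_current(cert, now):
        return cert
    return sign_certificate(uid, public_key, now, ldap)


if __name__ == "__main__":
    hosts = {"root": {"devops"}, "deploy": {"developer"}}  # constructed per-account principals
    cert = sign_certificate("alice", "ssh-ed25519 AAAAC3... alice", T0)
    print("alice as root, 1h into shift:", host_accepts(cert, "root", T0 + hours(1), hosts))
    print("alice as root, 13h into shift:", host_accepts(cert, "root", T0 + hours(13), hosts))
    print("carol refused because:", refusal_reason("carol"))
```

Two points the code makes that the prose only implies: the host never consults LDAP, so revocation works by refusing to reissue and letting the current certificate run out with the shift, and a certificate whose principals were edited after issuance fails the signature check before its principals are even looked at.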

On the bastion host, users see the entire host inventory from LDAP that they have access to and log in transparently with a short-term certificate. Copying a certificate gains nothing, because it expires after the pre-set period.

Web applications

Currently, the DevOps team uses a SaaS solution that is integrated into the LDAP service. LDAP roles are mapped to this solution, which gives us a distributed app access system where every user group is granted a specific set of apps. Alternatively, the database can be connected to a third-party product through LDAP integration.

Other secrets (root passwords, API token, etc.)

For these, we have integrated HashiCorp Vault with our LDAP. Employees gain access to a role-defined branch of secrets. These secrets can also be consumed by products by making a special ‘shell’ around the vault. As an alternative, engineers can connect a client vault to a virtual LDAP service when required.
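How a role-defined branch of secrets works in practice, as an added illustration (not IT Craft’s code and not Vault itself): LDAP groups carry policies, each policy grants capabilities on path patterns, and dropping a group in LDAP withdraws every branch it granted. The group names, secret paths, policies and user records are constructed. Path matching follows the Vault ACL rule that a trailing ‘*’ matches any suffix; other Vault policy features (deny-wins, ‘+’ segments, parameter constraints) are left out.

```python
# Constructed policy set: policy name -> {path pattern: capabilities}.
# Each role sees its own branch; "shared" is readable by devops only.
POLICIES = {
    "devops": {
        "secret/data/devops/*": {"read", "list"},
        "secret/data/shared/*": {"read"},
    },
    "management": {"secret/data/management/*": {"read"}},
    "api-consumer": {"secret/data/api-tokens/*": {"read"}},
}

# Constructed LDAP group -> policies, i.e. what attaching policies to an LDAP
# group in Vault's LDAP auth method establishes.
GROUP_POLICIES = {
    "devops": ["devops", "api-consumer"],
    "managers": ["management"],
}

# Constructed directory: uid -> LDAP groups the user currently belongs to.
LDAP_GROUPS = {"alice": {"devops"}, "bob": {"managers"}, "carol": set()}


def path_matches(pattern, path):
    """Vault-style match: a trailing '*' is a prefix glob, otherwise exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def capabilities(uid, path, directory=LDAP_GROUPS):
    """Union of capabilities every policy reachable through the user's groups grants on path."""
    caps = set()
    for group in directory.get(uid, ()):
        for policy in GROUP_POLICIES.get(group, ()):
            for pattern, pattern_caps in POLICIES[policy].items():
                if path_matches(pattern, path):
                    caps |= pattern_caps
    return caps


def can(uid, capability, path, directory=LDAP_GROUPS):
    return capability in capabilities(uid, path, directory)


def granted_branches(uid, directory=LDAP_GROUPS):
    """The branches a user is offered, derived from the same group membership."""
    branches = set()
    for group in directory.get(uid, ()):
        for policy in GROUP_POLICIES.get(group, ()):
            branches.update(POLICIES[policy])
    return sorted(branches)


def revoke_group(uid, group, directory=LDAP_GROUPS):
    """A role change in LDAP: removing the group removes every branch it granted,
    without touching Vault policies or individual secrets."""
    directory.setdefault(uid, set()).discard(group)


if __name__ == "__main__":
    print("alice branches:", granted_branches("alice"))
    print("alice reads prod db:", can("alice", "read", "secret/data/devops/prod/db"))
    print("bob reads prod db:", can("bob", "read", "secret/data/devops/prod/db"))
    revoke_group("alice", "devops")
    print("alice after role change:", granted_branches("alice"))
```

The shape to notice is that revocation never edits a secret or a policy: access is a function of current group membership, so the single point of truth (LDAP) is the only thing that has to change, which is what makes the fast response to role changes from the criteria list achievable.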

Do you want to see how this works?

Benefits

Secure Access Management System provides the following advantages to its owners:

Benefits of secure access management system

Potential owners

Access Management Solution will help several organization types:

  • Internal IT teams of any scale (mostly, developers)
  • Companies with high churn rates
  • Companies concerned with security (including GDPR): healthcare, fintech, ecommerce, etc.


Distribution models

A workable solution is under way. However, we are still considering the following options for how best to deliver the product to our clients:

On-premise. A package with a set of pre-installed software and an administration panel, deployed on the target (client) software.

SaaS solution (Virtual LDAP + Bastion + CA). The client registers on the platform, creates an organization, then creates employees, assigns roles, and adds hosts. Every role corresponds to a certain access level for the required object (host), i.e., a mapping is implemented.

Enrolling new hosts is easy: a simple script configures each host to trust the client’s CA and reports to the Access Management Solution API that registration in the system is complete. At the same time, the SaaS platform is integrated with a cloud provider (AWS) and provisions a bastion host, which is enrolled automatically and configured in accordance with the client’s settings. As a result, the client gets a ready-to-use bastion host with LDAP integration, a cloud administration panel, and more.

Do you want to improve your access management with the same solution? Contact us to simplify your life and give you peace of mind.