Title
#general
clippy

clippy

05/09/2018, 3:42 AM
a few more cents to dump on this. We've begun working on a slightly different approach, which requires that X machine has checked in within the last Y minutes via osquery and that a, b, c, d checks have passed. This relies on certain scheduled queries data being available from our backend logging systems, but avoid the issue of needed to get a "live" response back from live queries. I feel like the time window we work within (usually 5-10 minutes) provides "enough" guarantee on the identity of the laptop, combined with the device cert, to give a high level of confidence to the access request
s

seph

05/09/2018, 6:01 AM
@clippy Can you clarify this? I'm wondering what is being issued/granted if those checks pass. And what you can say about the mechanism.
clippy

clippy

05/09/2018, 7:19 AM
@seph it can be any number of things. Of particular interest to me is gating ssh access to sensitive resources. So the flow involves some automated checks like the ones mentioned, in addition to ssh key +mfa. If any checks fail, access gets denied
7:23 AM
Something I'm trying to focus more and more on is not treating an access request as un + pw + mfa, but also the context provided by the attributes of the request. Device Id, patch level, location, threat Intel, etc. Combination of such things results in a score that a given request must exceed in order for it to be allowed
s

seph

05/09/2018, 2:39 PM
@clippy I really like where you're pushing this. I may not be asking the right question. What's the implementation of the check? Is it server side? Is it pushing some kind of cert to the client that gets coupled with the access reqyest?
clippy

clippy

05/09/2018, 7:00 PM
@seph ah, I think (hope?) I see what you're driving at. In the case of ssh auth, its a custom module that makes an API call back to our backend which does the checks and then passes back an allow/deny
7:01 PM
for other things, like an API auth request, the laptop ID, cert, etc are bundled as part of teh user "identity" which is passed to the auth system (which in turn calls that same API used for ssh)
7:01 PM
API all the things
s

seph

05/09/2018, 7:14 PM
That's what I was asking, yeah.
7:14 PM
So there's some osquery/fleet manager/api which various things (like ssh or pam) would hit.
7:15 PM
Seems like a neat model. Thanks for explaining it
clippy

clippy

05/09/2018, 7:34 PM
No worries. Its not really a secret or anything. The backend that makes most of the assessments is just an ELK stack with some customer queries. Aggregate all results from the queries and create the answer. We use aws lambda, but it can really be whatever you want
s

seph

05/09/2018, 7:36 PM
I wonder if there's any standards work around this. It seems like a really interesting corner
clippy

clippy

05/09/2018, 7:39 PM
this is sort of a bastardization of "zero trust" or "beyondcorp". I don't know if i've seen any standardization or specs put out there, but https://www.amazon.com/Zero-Trust-Networks-Building-Untrusted/dp/1491962194 has some really good content
7:39 PM
they talk about a full model, not just the pidly things I'm doing, but a lot of the concepts can be applied without going all the way
s

seph

05/10/2018, 12:43 AM
I'm wondering if things like https://spiffe.io/ can fit. Somehow
12:44 AM
That stuff is really more about service auth, than human auth, but I wonder if there's commonality