a few more cents to dump on this. We've begun wor...
# generalc
clippy
05/09/2018, 3:42 AMa few more cents to dump on this. We've begun working on a slightly different approach, which requires that X machine has checked in within the last Y minutes via osquery and that a, b, c, d checks have passed. This relies on certain scheduled queries data being available from our backend logging systems, but avoid the issue of needed to get a "live" response back from live queries. I feel like the time window we work within (usually 5-10 minutes) provides "enough" guarantee on the identity of the laptop, combined with the device cert, to give a high level of confidence to the access request
💯 1
s
seph
05/09/2018, 6:01 AM
@clippy Can you clarify this?
I'm wondering what is being issued/granted if those checks pass. And what you can say about the mechanism.
c
clippy
05/09/2018, 7:19 AM@seph it can be any number of things. Of particular interest to me is gating ssh access to sensitive resources. So the flow involves some automated checks like the ones mentioned, in addition to ssh key +mfa. If any checks fail, access gets denied
clippy
05/09/2018, 7:23 AMSomething I'm trying to focus more and more on is not treating an access request as un + pw + mfa, but also the context provided by the attributes of the request. Device Id, patch level, location, threat Intel, etc. Combination of such things results in a score that a given request must exceed in order for it to be allowed
s
seph
05/09/2018, 2:39 PM
@clippy I really like where you're pushing this.
I may not be asking the right question. What's the implementation of the check? Is it server side? Is it pushing some kind of cert to the client that gets coupled with the access reqyest?
c
clippy
05/09/2018, 7:00 PM@seph ah, I think (hope?) I see what you're driving at. In the case of ssh auth, its a custom module that makes an API call back to our backend which does the checks and then passes back an allow/deny
clippy
05/09/2018, 7:01 PMfor other things, like an API auth request, the laptop ID, cert, etc are bundled as part of teh user "identity" which is passed to the auth system (which in turn calls that same API used for ssh)
clippy
05/09/2018, 7:01 PMAPI all the things
s
seph
05/09/2018, 7:14 PM
That's what I was asking, yeah.
seph
05/09/2018, 7:14 PM
So there's some osquery/fleet manager/api which various things (like ssh or pam) would hit.
seph
05/09/2018, 7:15 PM
Seems like a neat model. Thanks for explaining it
c
clippy
05/09/2018, 7:34 PMNo worries. Its not really a secret or anything. The backend that makes most of the assessments is just an ELK stack with some customer queries. Aggregate all results from the queries and create the answer. We use aws lambda, but it can really be whatever you want
s
seph
05/09/2018, 7:36 PM
I wonder if there's any standards work around this. It seems like a really interesting corner
c
clippy
05/09/2018, 7:39 PMthis is sort of a bastardization of "zero trust" or "beyondcorp". I don't know if i've seen any standardization or specs put out there, but https://www.amazon.com/Zero-Trust-Networks-Building-Untrusted/dp/1491962194 has some really good content
clippy
05/09/2018, 7:39 PMthey talk about a full model, not just the pidly things I'm doing, but a lot of the concepts can be applied without going all the way
s
seph
05/10/2018, 12:43 AM
I'm wondering if things like https://spiffe.io/ can fit. Somehow
seph
05/10/2018, 12:44 AM
That stuff is really more about service auth, than human auth, but I wonder if there's commonality
4 Views