Jungle Buzz by Bret Piatt Jul 13, 2016 Behind the Scenes - Jungle Disk First Peek We’re going to start talking about some of what we do ‘Behind the Scene’ at Jungle Disk to run a Software-as-a-Service (SaaS) business with lots of customers and data. Typically these ‘Behind the Scene’ articles will come from the technical lead on the project. In this case I’m writing it as our CEO because Tom is unable to do so today. Shortly after wrapping up the enhancement of our platform credential management using ScaleFT (link to our customer story) Tom suffered a stroke. His family and friends have put together a Tom Welch Medical Expense Fund (on GoFundMe) to cover those expenses outside of those covered by health insurance. We all miss Tom’s energy and candid opinions around the office and look forward to the day when he’s back with us—Get well Tom! TLDR Synthesis Prior to ScaleFT, Jungle Disk used key based ssh authentication for our Linux infrastructure and Active Directory for Windows Server authentication. Now with ScaleFT we use an integrated authentication system with dynamic credential creation unifying our Linux and Windows authentication to a single platform with even greater security. Diagram 1 - Architecture Overview First, our Identity Provider integration and recommendations Every employee at Jungle Disk has a primary identity source in a secure platform. Our identity provider ties into the single-sign-on (SSO) integration at ScaleFT. Google Identity Platform, Okta, and Microsoft Azure Active Directory are all good platform choices to provide identity for your organization in a SaaS and cloud infrastructure based future. Second, User Authentication validation and permissions From an engineer’s computer now they authenticate against our identity provider (AuthN) and when that is verified by ScaleFT they are granted credentials based on the authorization permissions (AuthZ) they have for the device they want to login on. Now with ScaleFT all of our AuthZ information is in a single system with consistent policies and logging whereas it was in Active Directory for Windows Server (AD does both AuthN and AuthZ) and for our Linux hosts it was based on our key management and deployment recipes where we had to maintain different hosts, host groups, admin users, and admin groups. Note: definitions for AuthN and AuthZ along with other terms our available on our industry news and glossary page. Third, Credentials to Production Hosts Prior to using ScaleFT for AuthZ we had to manage authorization through our configuration management systems pushing policies to each production host. This also required us to maintain separate recipes for Windows and Linux. Additionally we needed to track which AuthZ version of the recipe was deployed on each host to understand who had credentials where and with which key from which of their engineering workstations or bastion hosts. Now with ScaleFT we have their credential management agent on each host and it pushes down a temporary expiring credential to the host after a successful AuthN and AuthZ checks. In addition, it logs everything in one place so we can track and monitor all credential requests for production systems. Lastly, Engineer logs into Production Hosts with a temporary Certificate The temporary certificate is granted to the engineer for them to login to the production host — once they’re in it is revoked so it cannot be reused with a replay attack or other types of man-in-the-middle where credentials are sniffed. If an engineer’s machine is compromised you no longer have the worry of “we need to go revoke their keys on all of our hosts” because no engineer has credentials on a host until the moment they need them. Closing In most situations you have to trade usability for security. This was one of the no-brainer projects that improved both security and usability for our engineering team. These type of projects are a pleasure to work on as you know you’re making the lives of your coworkers and your customers both better at the same time.