Remote Access Done Right

Do you have resources on prem? In the cloud? How about in multiple clouds? How do you access them all, and how do you track all of those resources? How do you handle key management? Password management? User management? How do you maintain who or what has SSH and RDP access? How do you provide secure access to internal websites or even other data sources? How do you know your admins and analysts and end users are accessing them securely? How do you know who has keys sitting in their downloads folder? How do you track any of it? 

Not so long ago, when AWS only had about 7 services, and the company I was working for wasn't even using it yet, I was responsible for maintaining a few hundred systems in a datacenter in Virginia. The cloud was still very young, and a lot of the questions I mentioned above were still being figured out across the board. One of the best solutions for our team in those days was a tool called mRemote. It allowed me to keep an inventory of all of my systems, with keys/users/passwords/IP addresses stored as connections. It made SSH easy, it made remote desktop easy, but there were a few flaws here.

  • Credentials were now stored in the mRemote config file on my computer, so if I wanted to share my inventory, it shared my credentials with whomever got my config file, which meant having to scrub the config file first. Which was tedious. Which meant it didn't get shared.
  • Teammates were responsible for having to maintain their own inventory, and I know not everyone is as obsessive as I am about keeping things like this accurate and up to date. So we were constantly out of sync when new systems were provisioned or addresses changed. That was always a fun game.
  • This was just an app on my system. There was no login. There was no history of my access other than the audit logs on the system itself.

 

The age-old problem of resource management, but now at an even grander scale.

This was over 10 years ago, and luckily things have changed quite a bit since then. But are your admins taking advantage?

Now, more than ever, there are fantastic solutions available for all of these questions. Some of them even have a free tier. And what's better than free security? 

Say I have 100 systems in AWS, 50 more in GCP, and a handful of analyst workstations sitting on prem somewhere. I will likely have at least a handful of keys I need to be aware of. I will also have several user accounts I need to be tracking. It would also be nice to have SSO and an audit trail of how and when these are all used. A girl can dream, right? 

Here are just a few solutions that handle some or all of the problems I described above. Bonus--all 3 of these can help get you closer to a Zero Trust model, and set you up for success if you are working towards SOC 2 compliance.

 

StrongDM

Pros

  • SSO 
  • MFA
  • Key/password management is handled, and end users don't need to have access to any of it.
  • Users only have access to resources they've been granted via roles.
  • Sessions are logged and can be replayed, providing an accurate audit trail.
  • You can ship these logs directly to your SIEM.
  • Dozens of resource types that you can auth to, including Elasticsearch, Athena, Redis, etc.
  • Excellent documentation - https://www.strongdm.com/docs/

Cons

  • No free tier, and not cheap, but there is a 2-week free trial.
  • No mobile options.
  • The UI could be improved, but it gets the job done.

 

Tailscale

Pros

  • SSO
  • MFA
  • Free tier
  • Key/password management is handled, and end users don't need to have access to any of it.
  • Users only have access to resources they've been granted via roles.
  • Sessions are logged, providing an accurate audit trail.
  • Excellent documentation - https://tailscale.com/kb/
  • Mobile friendly.

Cons

  • Logs can't be shipped straight to your SIEM--you pull them via the API first and ship them via some other means.
  • Limited types of integrations outside of SSH and RDP, but the list is growing.

 

ZeroTier

Pros

  • SSO
  • MFA
  • Free tier
  • System to system access or user to system access can be controlled by flow rules.
  • Excellent documentation - https://docs.zerotier.com/
  • Mobile friendly.

Cons

 

All of these platforms still leave me wanting one thing--a user friendly UI for accessing all of my endpoints and data sources. At the end of the day, that's the least of my worries after we've gotten this far.

For years, I've been using a tool called Royal TSX. Termius (SSH only) and mRemote are also good options. But bottom line, I need to have a bird's-eye view of all of my resources, organized, without having to hunt through a web UI. Royal TSX is not free like the other 2, but it is worth it in my case, to now have secure, one-click access to everything I need on an hourly basis, and to be able to find it in a second. Your mileage may vary.

Of course, this is not an exhaustive list. Neither are the lists of pros and cons. These are simply 3 tools that we know well and have been highly effective for our team. 

If you have any questions, or simply want to chat security with any of us here at Recon, feel free to contact us, or join us in our Discord! We are always happy to talk shop. :)