1. Executive Summary
The nature of business has changed from digitally enabled to digital first, and that has forced businesses to rethink how security is delivered. As the NIST National CyberSecurity Center of Excellence pointed out, “To protect a modern digital enterprise, organizations need a comprehensive strategy for secure ‘anytime, anywhere’ access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located.”
In this report we examine one solution provider, Teleport, that sees secure infrastructure access as a particular challenge for organizations with large engineering and development teams. It claims not only to remove much of the complexity and limitations of traditional approaches to infrastructure access but to do so while showing significant cost savings. To evaluate these claims, we consider the key criteria a modern infrastructure access solution should meet:
- Simple user experience to improve efficiency
- Reduced reliance on password- and secrets-based access
- Support for traditional resources like servers and databases as well as cloud-native platforms such as Kubernetes
- Robust identity lifecycle and certificate management
- Role-based granularity of access
- Extensive audit capability to reduce compliance overhead
Based on our findings, we believe Teleport has an approach that is worth consideration. Whether it is the right solution for a business will depend on many factors; however, our research shows it has a significant effect on:
- Reducing the threat of data breaches caused by the excessive amount of static credentials held
- Reducing infrastructure complexity by removing or reducing the use of legacy components
- Improving productivity of engineering and development teams by reducing the high impact of context switching
- Improving identity lifecycle management and reducing the risk and cost that comes with legacy approaches
- Improving auditability and traceability to provide an accurate audit trail of all infrastructure access and reducing the costs associated with audits
Our research shows that the above findings allow Teleport to make a strong case for an organization to challenge whether its current approach truly is “good enough” and whether now is the time to change it.
2. Infrastructure Access and the Complexity Challenge
Today’s businesses are more software-driven than ever, investing heavily in internal development as they look to transform their operations. To do this, they have built software development teams capable of delivering solutions needed to power today’s enterprise. This move has coincided with other significant changes such as the rise of the cloud, pandemic-driven acceleration of work from home, and the adoption of new development practices such as DevOps and new platforms like Kubernetes. All of this is taking place alongside a critical shift from traditional security paradigms that no longer meet the needs of the modern enterprise and toward strategies built on identity rather than location, the so-called zero trust model.
As the NIST National CyberSecurity Center of Excellence pointed out in its advice on implementing zero trust, “To protect a modern digital enterprise, organizations need a comprehensive strategy for secure ‘anytime, anywhere’ access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located.”
Meeting the demands these shifts have generated has placed strain on traditional approaches to infrastructure access. Approaches built upon VPNs, privileged access management (PAM), shared secret vaults, and manual user lifecycle management are no longer effective for DevOps teams operating highly elastic environments. It is time for organizations to look critically at current approaches and ask whether “good enough” is truly acceptable.
Traditional approaches hinder the enterprise in several ways.
- VPN solutions focus on the perimeter but fail to secure infrastructure resources based on identity.
- PAM solutions are cumbersome and difficult to use for modern DevOps-driven workflows, adding infrastructure costs, developer inefficiency, and operations overhead.
- There is a lack of auditability for access approaches such as VPNs, PAM, and vault solutions that enable use of shared credentials.
- Existing approaches are complex to administer and use, and with this complexity comes great expense and security risk as engineers find less secure workarounds to improve their own productivity.
- The use of secrets such as passwords, keys, and tokens to access infrastructure presents unacceptable security risks for privileged access, as these can be stolen.
GigaOm Analyst and former CTO of American Airlines Michael Delzer validated this as he observed, “VPN access is not dynamic enough to work with today’s Kubernetes ephemeral instances. To ensure people can do their jobs, too large of an IP:port range is exposed to their tunnel and it does not prevent hopping from one server to another.” He also noted, “Having to use username and password to connect to or receive connections from infrastructure resources like databases and internal applications is a problem. We need to find ways that speed up deployments and simplify operations while also improving security.”
As organizations modernize their security models and drive to build a zero trust architecture, they must ensure they simultaneously deliver:
- Secure connectivity: All communication must be encrypted, whether between people and protected resources or service-to-service.
- Secure authentication: Ensure the authentication attempt comes from who it claims to be.
- Secure authorization: Ensure the user or service is allowed to perform the action.
- Detailed audit: Record who did what and when.
- Modern development: The ability to meet the needs for development of modern distributed applications composed of microservices, with highly automated lifecycles.
How does today’s organization achieve this?
This analysis looks at Teleport, which claims to offer a solution to address these challenges and deliver a modern secure infrastructure access platform. This report will analyze these claims and examine whether there is a strong commercial case to support change.
3. How Teleport Works
In our research we have concluded that at the heart of Teleport’s approach are four core differentiators compared to more traditional infrastructure access approaches.
- Identity-based, single sign-on to all infrastructure resources that reduces the impact on efficiency.
- Replacement of secrets such as SSH keys, passwords, and tokens that are subject to theft with auto-expiring identity-based certificates.
- Unification of infrastructure access policies into a single location regardless of infrastructure resource type.
- Complete audit and recording of all access and behavior.
These elements are critical to Teleport’s ability to deliver a modern zero-trust architecture that mitigates the risk of data breach, reduces complexity and cost, and reduces developer inefficiency. Teleport delivers these capabilities both for traditional infrastructure resources such as Linux and Windows servers, databases, and internal applications, and for modern platforms like Kubernetes. The deployment and management of Teleport itself can be fully automated as well, reducing administrative costs.
The diagram in Figure 1 provides an overview of a standard self-hosted deployment of Teleport. We have focused on this as we find many enterprises still want infrastructure that controls access to sensitive systems within their cloud environments or data centers.
However, it should be noted that the solution can be consumed as a Teleport-provided service.
Figure 1. A Standard Self-Hosted Teleport Deployment
Teleport provides access based on identity, not based on whether a user has access to a credential such as a password or key that may have been stolen. In the Teleport platform, identity is verified using biometrics and a user is issued a digital certificate attesting to their identity. These certificates are dynamic, expire automatically, contain data that can be used for advanced authorization, and may be revoked at any time.
Identity-based access using certificates provides a significantly more secure approach than secret-based access, and is fully managed and automated by the Teleport platform, removing any overhead or complexity from either the user or operations teams. Teleport can also provide certificates to software programs such as CI/CD workers or microservices, enabling these resources to benefit from the same policy and audit unification. This certificate management is critical, as Delzer points out.
“Failure to manage digital certificates prior to them expiring is a large cause of outages that takes a lot of time and effort to recover from,” he says.
In addition to its security benefits, Teleport delivers a very efficient workflow for end-user developers and engineers. Once logged into Teleport using biometric authentication, developers can access any authorized resource without any other login prompts. All resources—Linux and Windows servers, databases, Kubernetes clusters, and internal applications—are collected into the single interface, allowing developers to move between them rapidly. The use of identity eliminates the need for users to have to constantly re-authenticate using credentials. Teleport makes it easy to request privilege escalation and provides a structured way for requests to be approved by one or more parties in line with compliance obligations, making it a viable solution for just-in-time access programs. This has a significant positive impact on user productivity.
While this document is not intended to provide a detailed analysis of Teleport’s installation and configuration, it is clear that it greatly reduces the complexity associated with traditional infrastructure access approaches, improves the end-user experience, and enhances remote access security.
4. Teleport: Addressing Challenges
Traditional secure access methods are no longer appropriate for the enterprise looking to provide access for a largely distributed workforce to modern applications built using DevOps techniques such as CI/CD, infrastructure-as-code, microservices, and Kubernetes. So a choice needs to be made on how to address these challenges.
Still, it is worth asking, beyond functionality, what business value does Teleport provide? In exploring this we looked at how Teleport provides five key benefits that are crucial to the modern organization.
- Mitigates risk of data breach
- Reduces infrastructure complexity
- Improves productivity
- Improves user lifecycle management
- Improves auditability
Mitigating the Risk of Data Breach
Credentials such as passwords, keys, and tokens are at the heart of the security battle and remain the single most frequently exploited attack vector of any data breach, according to both the Verizon Data Breach Investigations Report and IBM’s Cost of a Data Breach Report. The risk of breach caused by credentials is exacerbated by the number of credentials held by the average enterprise. Solution provider SSH.com shared in its article “The risk of unmanaged SSH Keys” that the number of keys held by a typical Fortune 500 company ranges from hundreds to millions. The likelihood of breach is borne out by the high number of businesses impacted by credential theft. A recent study into credential theft at companies listed in the Financial Times Stock Exchange (FTSE) 100 (the FTSE 100 lists the 100 companies with the highest market capitalization on the London Stock Exchange) showed 81% of them had at least one credential compromised and exposed on the dark web. While the Cost of a Data Breach report showed the frequency of attacks via credentials, it is also important to recognize that the same report found these breaches are the hardest to spot (on average 243 days to identify and 84 to contain).
While the threat of breach caused by credentials remains high, the cost of a single breach also continues to rise. The IBM report showed the average cost to an organization of a breach caused by credential theft rose to $4.91 million. Organizations have traditionally tried to protect themselves from this impact with cyber insurance. However, due to the rapid rise in the number of claims made, this is likely to become more difficult, according to S&P Global Market Intelligence. It cited a spike in cyber insurance premiums, which were up 74% to $4.8 billion, compared to a 9% rise in premiums across all property and casualty insurance categories. According to data from PCS, this was coupled with “payouts to customers [that] nearly exceeded the amount they collect via premiums.”
This is a situation that is untenable. Businesses must either address the threat posed by traditional use of credentials and keys, or face the prospect of paying much higher insurance premiums or having no access to cyber insurance at all.
Teleport mitigates this at the very core of its technology by removing the reliance on secrets and replacing them with auto-expiring identity certificates. This approach almost eliminates the possibility of a breach caused by credential theft. First, by removing credentials as an access method, credential vaults and the risks they pose (including developers creating insecure workarounds) are eliminated.
Additionally, certificates that are short-lived greatly reduce the risk of them being exploited at a later date since they expire automatically, unlike stolen credentials that can be used for months or years after a breach.
To highlight the potential impact of this reduction, let’s consider an enterprise that has 500 developers, each with access to 200 credentials. That is 100,000 credentials in total. Let’s assume there is only a very small 1 in 1,000,000 chance of a theft of one of these credentials. However, with 100,000 credentials there is actually as high as a 1 in 10 chance of losing a credential.
With Teleport, we can remove this risk by eliminating the use of secrets, with the only remaining secret being the private key for the Teleport certificate authority. To minimize the threat to this private key, Teleport supports the use of a hardware security module (HSM) device to store and handle private keys. The result: That 1 in 10 risk across 100,000 credentials drops again to just 1 in 1,000,000, nearly a 200% reduction in threat.
The use of this method removes other business overhead, such as the support cost that comes with password resets, which are a leading cause of IT service desk calls and typically cost about $70 per incident to resolve, according to former American Airlines Chief Architect and GigaOm Analyst Delzer.
Takeaway: The risk and cost of a credential-based breach are significant. It is hard to identify (average 243 days) and carries a significant cost (average $4.91 million per incident). However, Teleport’s use of identity instead of credentials will, as demonstrated, reduce this risk by 200% compared to that posed by static credentials. Importantly, while enhancing security it also removes other costs associated with key/password management such as resets. The move away from password- and secrets-based authentication is essential to reduce the risk and cost of infrastructure access security.
Reducing Infrastructure Complexity
Not only are legacy remote access solutions inadequate for accessing modern infrastructure, the number of components they demand leads to excessive cost and complexity. Teleport’s deployment model removes the demand for:
- VPNs: Teleport is a zero trust solution that makes the corporate network perimeter irrelevant. All connections to corporate infrastructure in the cloud or on-premises go through the Teleport proxy where identity-based authentication and authorization take place, providing identity-based role-based access and audit. There is no requirement to VPN into corporate infrastructure.
- PAM solutions: Teleport can provide an identity-based replacement for PAM for Linux and Windows servers, databases, Kubernetes clusters, and internal/private applications.
- Credential vaults: Because Teleport uses identity, not static credentials, use of a credential vault can be greatly reduced if not eliminated.
Removing these elements significantly reduces costs, including support and administration expenditures associated with those infrastructure elements. Additionally, the simplicity of Teleport’s deployment greatly reduces or completely removes the requirement for much of the traditional secure remote access environment.
To evaluate Teleport’s cost savings, let us use the example of an enterprise with 500 developers, each requiring access to four to five different types of endpoints; this could be servers, applications, databases, or modern development platforms such as Kubernetes. To support the demands of this team, the organization has an infrastructure comprising a VPN, cloud based PAM solution, and a credential vault cluster. Each of the 500 users is appropriately licensed.
The cost model below compares current costs with how they can be reduced by using Teleport, and shows whether an investment in Teleport produces an overall cost benefit. Costs used assume the following:
- Publicly available costs for industry-leading VPN and credential vaults deployed on-premises.
- AWS marketplace costs for a leading PAM solution. A 60% discount is applied to these costs to recognize likely volume price reductions.
- AWS marketplace costs for Teleport, using all protocols. A 60% discount is applied to these costs to recognize likely volume price reductions.
- Support costs are based on 15% of total service price, in line with industry standards.
- Internal support costs for users of PAM and VPN services are based on an average of one 30-minute support call per month with an industry average cost of $30 per hour.
First, we calculated current costs based on our simple environment, as shown in Table 1.
Table 1. Average Infrastructure Deployment Costs
| Component | Annualized Cost |
|---|---|
| VPN Licenses (500) | $2,495 |
| VPN Hardware Annualized Plus Support | $22,000 |
| PAM Service License Costs (500) | $380,000 |
| PAM Support Cost | $18,750 |
| Secrets Vault Annualized | $194,000 |
| Support Costs (based on an average of one 30-minute support call per user per month due to PAM/VPN issues) | $90,000 |
| Annual Infrastructure Costs | $707,245 |

Source: GigaOm 2022
If we deployed the Teleport platform described in section three, we could assume a number of impact areas. We have not assumed that all costs will be removed; however, we conservatively estimate the removal of 500 VPN and PAM licenses (although the VPN hardware and associated support costs would remain since non-technical users may still use the VPN), a 50% reduction in support calls, and a reduction from a medium-sized credentials vault to a small one.
To achieve this, we have used the Teleport cloud service, available in the AWS marketplace, and applied a 60% discount to costs in line with reductions expected for enterprise-level purchases. The cost for this service would be $264,000.
Table 2 summarizes the potential cost benefits of Teleport’s approach, based on reduction in and removal of existing infrastructure. By taking the original annualized cost of $707,245 and subtracting from it the annualized new cost and the cost of the Teleport cloud service, you arrive at the total cost savings by using Teleport, which is $279,425. That’s a total savings of 40%.
Table 2. Potential Cost Benefit With Teleport
| Component | Original Annualized Cost | Annualized New Cost | Annualized Savings | Teleport Cost |
|---|---|---|---|---|
| Teleport Investment | - | - | - | $264,000 |
| VPN Licenses (500) | $2,495 | - | $2,495 | - |
| VPN Hardware Annualized Plus Support | $22,000 | $22,000 | - | - |
| PAM Service License Cost (500) | $380,000 | - | $380,000 | - |
| PAM Support Cost | $18,750 | - | $18,750 | - |
| Secrets Vault Annualized | $194,000 | $97,000 | $97,000 | - |
| Support costs reduced to an average of one 15-minute support call per user per month | $90,000 | $45,000 | $45,000 | - |
| Annual Costs | $707,245 | $164,000 | $543,245 | $264,000 |

Source: GigaOm 2022
Takeaway: The figures in Table 2 show the clear validity of Teleport’s claim. Not only does the solution reduce complexity and improve efficiency, but, as shown in our model, it does this while reducing annual infrastructure, license, and support costs by 40%.
These are the hard infrastructure cost savings. These do not include the other cost benefits from increased productivity, reduction of audit costs, and reduction in security risk; these are evaluated in subsequent sections. Also note that while engineers will no longer be using the VPN, this table assumes that the VPN hardware and access for other non-technical employees will remain. You can remove this line if only technical resources use a VPN.
Improving Productivity
A significant issue reported by many enterprise developers and engineers (as borne out in conversation with Teleport customers as part of this research) is the inefficiency of legacy secure remote access approaches. In a modern environment, gaining the low-level access needed by developers and engineers requires numerous developer and administrative tools and protocols.
For example, look at connecting to a remote server via SSH. With a traditional PAM solution, the engineer needs to authenticate with the PAM portal each time they need to retrieve a key to authenticate with SSH. This sounds like a small ask for a security benefit. But if we consider the number of servers and the frequency of remote access for daily administrative tasks, this workflow dramatically slows down engineers because it gets them out of “the zone.”
Now, consider the same inefficient workflow for every infrastructure resource an engineer needs access to: a database, a Kubernetes cluster, a monitoring dashboard, a CI/CD environment, a version control system. Each time an engineer needs to access infrastructure, they first need to go to the PAM tool to check out their credentials, and then go to the resource to continue their work. It is this context-switching interruption that has a significant impact. A study by Cornell University’s Idea Lab suggested that after each switch, it takes an engineer 9.5 minutes to regain focus. While this effort sounds minor, it becomes significant if we extrapolate this into the number of times a developer or engineer switches between platforms daily.
As discussed in section three, Teleport’s approach significantly simplifies this experience. Using single sign-on and reducing the need to reauthenticate as users move between resources will, while not removing all of the impact of context-switching, greatly reduce the impact and the loss of productivity.
To quantify this, consider an organization with a 500-person team of developers. Let us assume that each switch takes only 9.5 minutes (as suggested by Cornell University’s Idea Lab) before the engineer is fully re-engaged in their work. If that engineer switches between 10 applications a day, they would lose 95 minutes of productivity or approximately 20% of their work day. If we extrapolate that across a team of 500 engineers with an average salary of $75,000, then this 20% loss of productivity would equate to $7.5 million.
Let us assume, conservatively, that Teleport’s efficient approach only reduced the time lost to context-switching by 50%. We would see the time lost halved from 9.5 minutes to 4.25 minutes and a reduction in the cost associated with lost productivity of $3.75 million.
Takeaway: The cost of context-switching in an organization should not be underestimated. It is a problem that is real, impacts efficiency, and ultimately costs an enterprise money. Teleport’s approach will reduce the impact of context switching conservatively by 50%, delivering a cost reduction of $3.75 million per year for a team of 500 developers.
Enhancing User Lifecycle Management
While data breaches caused by credential misuse are a significant issue, an area rarely discussed is the impact of poor user identity lifecycle management. Without a robust lifecycle management approach, organizations end up with hundreds if not thousands of “zombie” accounts across their infrastructure, wherein an employee who no longer works at the company can still access sensitive infrastructure resources using old credentials. Each one of these zombie accounts presents a security risk.
Why does this happen? Because identity lifecycle management can be hard, especially with large engineering and development teams that only need access to systems for short periods. The task of providing access can often be time-consuming, and when the access is no longer required or the user has moved to a new role, these accounts are not effectively managed out of the environment.
Teleport links engineering access to an organization’s authoritative identity platform such as Okta or Active Directory: users only exist in the Teleport environment if they exist in the authoritative directory. So when an employee is offboarded in Okta, as an example, Teleport automatically disables all infrastructure access. Additionally, just-in-time account creation on target systems and the use of identity certificates for authentication removes multiple layers of complexity in identity lifecycle management. There are no longer keys to rotate, for example.
To illustrate the cost benefit, let’s assume an enterprise needs to provision access to 50 systems for 500 engineers, each taking 15 minutes. This equates to 6,250 hours in provisioning alone. Based on a full-time administrator working 2,080 (50 weeks x 40 hrs) hours per year, that is the equivalent of three full-time administrators provisioning accounts. If we use an average salary figure of $75,000 per year, provisioning alone has a cost overhead of $225,000. This number can be doubled if we need to de-provision all of those accounts.
With Teleport’s approach, we can assume provisioning in the authoritative directory still takes 15 minutes. However, because the user is only provisioned here and not across 50 individual systems, we would see overhead reduce from 6,250 hours to 125 hours (15 minutes x 500 users), or just 2% of a single full-time resource’s available time. Using the same $75,000 per year FTE cost, this equates to a cost of only $1,500, reducing the previously stated overhead of $225,000 by over 99%.
Takeaway: Teleport’s technology vastly reduces the cost overhead of provisioning and deprovisioning, by simplifying user provisioning into a single identity platform and automating it across all other systems. The automation of the approach across multiple systems will have a significant impact on incurred costs. In our analysis, we saw the ability to manage identity lifecycle through a single platform reducing these costs by over 99%.
Streamlining Audit Costs
IT and security audits add considerable, often unavoidable costs to a business. To ensure audit costs do not escalate out of control, it is essential to have systems and processes that report accurate information in real time to an auditor (internal or external). With traditional secure remote access, however, multiple loosely integrated systems make it difficult to audit all connectivity and connection actions.
Teleport’s platform addresses this by providing detailed auditing across all user connections and systems. Those audit logs fall into three categories:
- Access events: These include security-related auditable events that happen “on the wire,” such as login attempts, remote command execution, access denied events, session creation, termination, and the like.
- Session recordings: When users create interactive sessions, these sessions are recorded and can be replayed later via a web interface with features like pause, rewind, etc.
- Host events: This is also called enhanced session recording. When enabled, host events allow Teleport to capture and store detailed low-level audit events that happen on a host during a user session, such as file system changes, network activity, and process execution.
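To make the three categories concrete, the following is an added example (not Teleport's code) that triages a constructed JSON-lines audit feed into access, session and host events and surfaces the items an auditor or responder would want flagged: repeated failed logins, access-denied events, sessions that never closed, and malformed records. The event and field names are assumptions modelled on the report's description, not Teleport's documented schema.

```python
import json
from collections import defaultdict

# Constructed sample audit feed, one JSON object per line. Event and field
# names are assumptions modelled on the report's three categories, not
# Teleport's documented schema. The last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"event":"user.login","time":"2022-06-01T09:00:01Z","user":"alice","success":true}
{"event":"session.start","time":"2022-06-01T09:00:05Z","user":"alice","sid":"s1","server":"db-01"}
{"event":"session.command","time":"2022-06-01T09:00:09Z","user":"alice","sid":"s1","path":"/usr/bin/psql"}
{"event":"session.end","time":"2022-06-01T09:10:00Z","user":"alice","sid":"s1","server":"db-01"}
{"event":"user.login","time":"2022-06-01T09:12:00Z","user":"bob","success":false}
{"event":"user.login","time":"2022-06-01T09:12:20Z","user":"bob","success":false}
{"event":"user.login","time":"2022-06-01T09:12:40Z","user":"bob","success":false}
{"event":"access_request.create","time":"2022-06-01T09:15:00Z","user":"bob","roles":["dba"]}
{"event":"access.denied","time":"2022-06-01T09:16:00Z","user":"bob","server":"prod-db"}
{"event":"session.start","time":"2022-06-01T09:20:00Z","user":"carol","sid":"s2","server":"k8s-api"}
this line is not JSON and must be skipped rather than crash the triage
"""

# The report's three categories: access events ("on the wire"), session
# recordings, and host events from enhanced session recording.
ACCESS_EVENTS = {"user.login", "exec", "access_request.create", "access.denied"}
SESSION_EVENTS = {"session.start", "session.end"}
HOST_EVENTS = {"session.command", "session.disk", "session.network"}

def categorize(event_name):
    """Map an event name to one of the report's categories."""
    if event_name in ACCESS_EVENTS:
        return "access"
    if event_name in SESSION_EVENTS:
        return "session"
    if event_name in HOST_EVENTS:
        return "host"
    return "unknown"

def parse_events(text):
    """Parse JSON-lines audit output; returns (events, malformed_line_count)."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if "event" not in ev or "time" not in ev:
            malformed += 1  # an audit record without these is unusable
            continue
        ev["category"] = categorize(ev["event"])
        events.append(ev)
    return events, malformed

def failed_login_bursts(events, threshold=3):
    """Users with at least `threshold` failed logins in the feed."""
    failures = defaultdict(int)
    for ev in events:
        if ev["event"] == "user.login" and not ev.get("success", False):
            failures[ev["user"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}

def session_summary(events):
    """Per-session view: who, where, whether it closed, how many host events."""
    sessions = {}
    for ev in events:
        sid = ev.get("sid")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {"user": ev.get("user"), "server": None,
                                      "started": False, "ended": False,
                                      "host_events": 0})
        if ev["event"] == "session.start":
            s["started"], s["server"] = True, ev.get("server")
        elif ev["event"] == "session.end":
            s["ended"] = True
        elif ev["category"] == "host":
            s["host_events"] += 1
    return sessions

def audit_findings(text):
    """Items an auditor or responder would want surfaced from the feed."""
    events, malformed = parse_events(text)
    findings = []
    for user, n in failed_login_bursts(events).items():
        findings.append(f"{n} failed logins for {user}")
    for ev in events:
        if ev["event"] == "access.denied":
            findings.append(f"access denied: {ev['user']} -> {ev.get('server')}")
    for sid, s in session_summary(events).items():
        if s["started"] and not s["ended"]:
            findings.append(f"session {sid} ({s['user']}@{s['server']}) never ended")
    if malformed:
        findings.append(f"{malformed} malformed line(s) skipped")
    return findings

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_EVENTS):
        print(finding)
```

Running it against the constructed feed reports bob's three failed logins, his access-denied attempt on prod-db, carol's session s2 with no end event, and the one skipped line.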
These capabilities can help reduce audit costs. The typical audit preparation cost for a SOC2 audit can run anywhere from $20,000 to $100,000. Assuming a mid-range audit cost of $50,000, the detailed audit information from Teleport can help an organization realize a $7,500 savings in preparation costs, based on a conservative estimate of a 15% cost reduction.
Takeaway: Teleport’s detailed audit capability provides insight into the access behavior of engineers, making it easier to pass audits, saving an estimated 15% on the cost of audit compliance. The ability to provide both detailed audit activity and session recording also greatly assists troubleshooting and helps further increase security.
5. Analyst’s Take
It is clear from our analysis that for those with significant development and support engineering resources, traditional methods of ensuring secure access, whether to internal platforms or those of customers, are struggling to cope with the scale and demands of modern development models.
With this in mind, the enterprise must review its current approach and understand whether it delivers on the key areas we describe in this report. While numerous enterprises have invested in secure remote access, many of these approaches come from the amalgamation of multiple solutions. And, although each provides a level of security and control, there are gaps in this approach. These gaps introduce significant risk, especially when they offer access at the privileged level required by engineers.
It is therefore appropriate that the enterprise asks itself whether these approaches meet its needs. It cannot be just “good enough,” because the impact of a security breach or outage caused by poor practices or security platforms that are no longer effective is expensive and damaging.
Whether Teleport is the answer for an enterprise depends on many factors. However, there is a significant reduction in complexity, improvement in efficiency of development teams, and a strong improvement in security posture. This alone makes a strong case for Teleport’s secure access solution for any organization and certainly presents an opportunity to greatly improve on any “good enough” approach it currently has.
6. About Paul Stringfellow
Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.
Paul hosts his own enterprise technology webcast and writes regularly on his blog.
7. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
8. Copyright
© Knowingly, Inc. 2022 "The Business Value of Teleport" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.