Q&A: How Auth0 Achieves Compliance and Secure Access Using Teleport
In the years since its inception in 2013, Auth0 has created a new category: a developer-first identity management platform that’s simple to implement and easy to extend. The platform — built for application builders and developers — allows authenticating and authorizing apps and APIs with any identity provider, running on any stack on any device or cloud. It helps customers find the right balance between user convenience, privacy and security for their login box.
“Auth0 is an easy-to-implement yet adaptable authentication and authorization platform. We make your login box awesome by following industry standards, like OAuth 2 and SAML, with a superb developer experience and simple-to-use interface; as well as SDKs and tools to get your application secure,” says Pablo Terradillos, Engineering Manager, Private Cloud at Auth0.
The Auth0 platform solves complex and large-scale identity use cases for global enterprises. By using it, developers can secure applications without having to become security experts. Yet Auth0 needed to standardize access to its Private Cloud customer environments in order to provide support to those customers. For that purpose, it chose Teleport — a unified access plane that provides secure and audited access to infrastructure.
Teleport enforces short-lived certificates, as opposed to using long-lived public-private keys or passwords. Its Trusted Clusters feature provides certificate authority and audit log for all access and activity on various hosts, plus allows Teleport admins to connect multiple customer clusters and establish trust between them. How does Auth0 use Teleport to achieve compliance and secure access for its customers’ private clouds? I chatted with Terradillos about Auth0’s security challenges and how they solved them. Here’s a condensed version of our conversation.
Your use case of Teleport is interesting — can you describe it?
Auth0 private cloud offering consists of isolated environments for the Auth0 products. Each of our customers gets a full dedicated Auth0 deployment. Most customers of the Auth0 private cloud are high-profile with very specific and sometimes unique regulatory concerns. We use Teleport to provide support to our customers’ environments. The Auth0 Private Cloud operators team interacts with our customers’ infrastructure. Teleport is a tool we use to allow them access to the built-on machines that are part of a particular Auth0 cluster.
You have Auth0 as a SaaS offering, but also as an on-prem solution for customers with very strict requirements. When you deploy Auth0 in their environments, what do you use Teleport for?
On a high level, we have two different offerings in private cloud, and those are divided into Auth0- managed ones and customer-hosted ones. We use Teleport to manage access of the Auth0 part of the team of Private Cloud operators to get SSH access, to each built-on machine that is part of this cluster — to be able to provide support, especially in unexpected scenarios. Via Teleport, we make sure that only the people that are supposed to access the environment have access.
When your engineers come in, do they go through your centralized cluster and access a given customer’s infrastructure?
Yep, exactly. Inside the Auth0 private network, we can access our main Teleport cluster which has access to every customer environment via trusted clusters. In some cases, customers are allowed to enable or disable the access connection implemented — via a firewall on their side or via a switch on their own interface. But for the most part, we manage the entire infrastructure.
How were you doing this before you used Teleport?
Before Teleport, we didn’t have a standardized way to access the environment. This became a nightmare of having a lot of ways to access environments — from ssh jumphosts to a remote sharing desktop session via a conference call, to using Putty to connect through shh. If you haven’t the pleasure of experiencing that, consider yourself lucky. It was a terrible nightmare. But most importantly, beyond that, the support experience was painful. Because let’s say you wake up at 3 a.m. with an unexpected issue and need access to the environment, you first need to learn how to access that environment for that particular customer. With Teleport, we standardized that. That is now our default and unique offering for access to the environments. We were able to gather all the different requirements we have, in terms of compliance, in a single tool. Now it’s extremely easy because if you don’t know the cluster you need to connect to, you can easily go to the web interface, get the list of clusters and the cluster name, and then connect via tsh [Teleport’s CLI client]. But in most cases, we have all that information stored. So if you need access to a particular customer, you just do the tsh command [that] you need to use to connect to it.
Do these end engineers accessing Teleport use Auth0 to do so?
Yes. We are heavy users of Auth0 for almost every need for authentication and authorization, and that includes Teleport. Teleport supports OpenID Connect [OIDC], and Auth0 happens to be an OIDC provider, so we just hook up Auth0 to Teleport. From there, on the Auth0 side, we are able to customize the authentication and authorization experience and requirements entirely from our side. This is part of the Auth0 feature — we can enable multifactor authentication just by clicking a button, adding our own rules to the authentication process. In this case, we have different roles, mostly mapped to the different regions where our customers are. When new employees onboard it and need to access these environments, inside the Auth0 interface, we assign these persons to a particular role. That role gets mapped into roles in the Teleport cluster, and from there, we manage the full authentication process.
What does that mean for onboarding of new customers or new employees?
For both, that’s extremely easy. For customers, we have all the setup of our environments automated via our own internal tooling. You can provide the different inputs that describe a customer environment — this will set up the full environment and a Teleport cluster as well. And it will issue a token that will be automatically stored in our secret management tool. We have a tool on the Teleport side that rates that with the token and the environment tool.
For employees, when you get onboarded on Auth0, one of the first items in your onboarding list is to require specific access to the team you are on. As part of that onboarding process, you will be added — via the Auth0 interface on our authorization offering — to the particular route that will give you access to the customers’ requirements.
How do you handle compliance issues, and how does Teleport help you navigate that process?
Every time we get a new customer, compliance is certainly a concern. Teleport has helped us, first, by providing us with a reproducible and well-detailed process for onboarding and offboarding employees that have access to the environment. It allows us to provide all the trails of everything you do on the nodes. Everything that happens in a Teleport session gets recorded in JSON format. You can also replay via tsh play. Sessions replays have been extremely helpful to understand what happened. When you wake up at 3 a.m. with a production issue, being able to understand how you got to that situation is extremely helpful.
Do you have advice for anyone considering Teleport?
Read the Teleport documentation carefully. It’s well-detailed and covers a lot of different scenarios with regard to how to implement the architecture and how to manage authentication.
What feedback does your team have regarding Teleport?
It’s really simple to use. Your command-line interface via SSH, and the web interface, complement each other very well. I can find information about the cluster, I have access via the web user interface, really quick. And then procedures in tsh, which most of the time is more reliable and enjoyable since once you are connected, the experience is pretty much the same as doing a plain SSH to an environment. So that’s certainly great. You don’t need to relearn how to do things when using Teleport.