We have been busy this summer working on a number of security- and governance-related features for our Enterprise Edition customers, who are typically large organizations with well-defined internal user identity and compliance structures. With the latest RightScale release, we have improved or added the following features:
- Managed SSH Login
- Single Sign-On with SAML
- API-Based Authentication with OAuth 2.0
The combination of the three features gives our customers a set of security tools that are second to none when used to manage and govern their cloud assets. It's worth noting that although the requirements of our customers in larger enterprises drove these feature enhancements, all RightScale users benefit from the advances. The exception is single sign-on with SAML, which is available only to our Enterprise Edition customers. We support OpenID for users of our other RightScale Editions.
Managed SSH Login
The changes to managed SSH login are primarily focused on the Linux flavors of instances we manage. With RightLink 5.8, users with the appropriate permission (i.e., the server_login role) now get their own unique Unix user on each instance they log into, rather than sharing a generic account. One key aspect of this is that the username and UID are consistent within an account, so file ownership and log entries on every instance refer to the same person. RightLink manages the dynamic provisioning of these unique users on instances within the account.
As with the existing RightLink managed SSH login, changes to user roles are reflected on the instances in real time, which means that if you remove a user who has left your company, their SSH keys are instantly revoked from all machines. In addition, users now must perform any root actions as logged sudo commands rather than by logging in as root, which is a requirement for PCI and other compliance specifications.
Single Sign-On with SAML
Our customers have been asking for the ability to use their own identity provider, so we made that happen by partnering with Ping Identity and Okta to help them leverage their specific identity providers with RightScale.
Many large organizations have tried-and-true processes around the governance of users within their enterprises. Moving to SaaS services has created an additional need, and an accompanying burden, to provision and deprovision users for each of those services. Single sign-on (SSO) with SAML is one step toward alleviating that burden: it lets a service such as RightScale rely on the organization's own identity provider to assert who a user is, instead of maintaining a separate set of credentials.
“RightScale single sign-on puts cloud identity management squarely within the organization's control.”
A provisioning mechanism is the second step. Provisioning and SSO together allow the governance of users to be maintained in a manner consistent with an organization's policies. For example, with SAML and SSO, an organization can:
- Require two-factor authentication
- Enforce geo-location restrictions
- Send authentication logs to an IDS
Security Features in Action: What It Looks Like
Here is a scenario that gives a detailed "story" of user actions when all the new RightScale security features are used together. Take as an example a user in your organization who launches an instance, logs in to it, and uses secure file transfer to copy files. Using the new functionality, you would get events or audit entries for:
- Step 0 - The user joins your organization and obtains an Active Directory (or other IdP) account. A system service on your side notices the new user and makes provisioning API calls to create a corresponding user in the RightScale dashboard, pre-linking to the SAML identity of that user as asserted by your IdP.
- Step 1 - As provisioning API requests are processed, all running instances receive real-time updates telling them to authorize SSH login by the new user.
- Step 2 - As the user logs in with SSO to your IdP, there is an audit of the login (your IdP will have the logs).
- Step 3 - The user launches a server, and an audit is created in RightScale that can then be consumed via the API.
- Step 4 - The user logs into the server using the console icon in the RightScale dashboard (i.e., Managed Login) and is logged on to the local machine, and a RightScale Audit entry is created.
- Step 5 - The user then copies files to/from the server using scp, and an audit trail is created for the action.
- Step 6 - Finally, the user runs "sudo" and you get an audit trail in the instance logs.
So when you need to do forensics on user actions, the data is there.
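The trail described in Steps 2 through 6 lives in three places: the IdP's SSO log, RightScale's audit entries, and the instance's own syslog. As an added example (this is not RightScale's or RightLink's code, and nothing here is a product API), the following Python script stitches constructed records from those three sources into a single per-identity timeline and then runs the one check a responder wants first: a sudo on an instance by an identity with no preceding SSO login, which indicates a path onto the box that bypassed managed login (for example a left-over key that should have been revoked). The sshd and sudo lines use the standard syslog message formats; the IdP line format, the shape of the RightScale audit entries, the username-to-identity map, and the year and UTC zone assumed for syslog timestamps are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# ---- Constructed sample records (NOT real IdP, RightScale or instance output) ----
# Hypothetical IdP SSO log, one successful SAML assertion per line (format assumed).
IDP_LOG = """\
2013-07-15T10:00:05Z SAML_SUCCESS subject=alice@example.com ip=203.0.113.7 mfa=true
2013-07-15T10:00:40Z SAML_SUCCESS subject=carol@example.com ip=203.0.113.9 mfa=true
"""

# Hypothetical RightScale audit entries as an API client might hold them (shape assumed).
RS_AUDIT = [
    {"timestamp": "2013-07-15T10:01:10Z", "user": "alice@example.com", "summary": "launched server web1"},
    {"timestamp": "2013-07-15T10:02:00Z", "user": "alice@example.com", "summary": "managed login to web1"},
]

# Instance syslog: standard sshd and sudo message formats, constructed content.
# The second "Accepted" line is the scp session; bob's sudo has no matching login at all.
INSTANCE_LOG = """\
Jul 15 10:02:01 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Jul 15 10:02:30 web1 sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 51240 ssh2: RSA SHA256:abc
Jul 15 10:03:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jul 15 10:05:00 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical map from the per-account managed-login username to the IdP identity.
USER_MAP = {"alice": "alice@example.com", "bob": "bob@example.com", "carol": "carol@example.com"}

ISO = "%Y-%m-%dT%H:%M:%SZ"
IDP_RE = re.compile(r"^(\S+) SAML_SUCCESS subject=(\S+) ip=(\S+) mfa=(\w+)$")
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def iso_ts(ts):
    return datetime.strptime(ts, ISO).replace(tzinfo=timezone.utc)


def syslog_ts(ts, year):
    # Syslog carries no year or zone; both are assumed (year from the caller, UTC).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def build_timeline(idp_log=IDP_LOG, rs_audit=RS_AUDIT, instance_log=INSTANCE_LOG,
                   user_map=USER_MAP, year=2013):
    """Normalize all three sources to (time, source, identity, action), sorted by time."""
    events = []
    for line in idp_log.splitlines():
        if m := IDP_RE.match(line):
            events.append((iso_ts(m[1]), "idp", m[2], f"sso login from {m[3]} mfa={m[4]}"))
    for entry in rs_audit:
        events.append((iso_ts(entry["timestamp"]), "rightscale", entry["user"], entry["summary"]))
    for line in instance_log.splitlines():
        if m := SSHD_RE.match(line):
            # Resolve the local username to the IdP identity via the per-account map.
            events.append((syslog_ts(m[1], year), m[2], user_map.get(m[4], m[4]),
                           f"ssh {m[3]} login from {m[5]}"))
        elif m := SUDO_RE.match(line):
            events.append((syslog_ts(m[1], year), m[2], user_map.get(m[3], m[3]),
                           f"sudo as {m[4]}: {m[5]}"))
    return sorted(events, key=lambda ev: ev[0])


def timeline_for(identity, events):
    """Everything one identity did across IdP, dashboard and instances, in order."""
    return [ev for ev in events if ev[2] == identity]


def sudo_without_sso(events):
    """Flag root actions on an instance by an identity that never passed through SSO.

    Under managed login every instance user should trace back to an IdP session;
    a sudo with no earlier SSO event means the user reached the box another way.
    """
    sso_seen = set()
    flagged = []
    for _ts, source, identity, action in events:
        if source == "idp":
            sso_seen.add(identity)
        elif action.startswith("sudo") and identity not in sso_seen:
            flagged.append((source, identity, action))
    return flagged


if __name__ == "__main__":
    evs = build_timeline()
    for ts, source, identity, action in timeline_for("alice@example.com", evs):
        print(f"{ts:%H:%M:%S} {source:<10} {identity:<20} {action}")
    print("unexplained sudo:", sudo_without_sso(evs))
```

The per-user timeline works only because Step 0 guarantees the managed-login username on the instance maps back to one IdP identity; without that map, the sshd and sudo lines would name a local account that could belong to anyone. The check is deliberately simple (it ignores session lifetimes and host boundaries) so that it can be read as the seed of a real correlation rule rather than as one.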
Multi-Cloud Identity Management
The latest RightScale security features give organizations true multi-cloud identity management: Tie your IdP into RightScale, and governance becomes simple. By using all of the features together, you get seamless identity management across the RightScale dashboard, your cloud instances, and your enterprise directory. If you'd like to give this a try with no commitment, sign up for a RightScale Free Edition. If your organization would like to evaluate single sign-on with SAML, request a RightScale Enterprise Edition demo.