Teleport Access Platform
Description
The Teleport Access Platform provides secure remote administrative access to the Scheol Lab infrastructure. It consolidates SSH and TLS access for all infrastructure components via a bastion host, enforcing authentication, authorization, and session auditing policies.
Asset Identification
| Attribute | Value |
|---|---|
| Asset ID | PLT-BST-01 |
| CI Type | Platform |
| Asset Name | Teleport Access Platform |
| Asset Category | Remote Access / Bastion |
| Owner | Security Role (Sec) |
| Status | Planned |
| Location | Proxmox VM |
| Primary Function | Centralized and secure administrative access to infrastructure components |
Asset Dependencies
| Dependency Type | Asset | Status |
|---|---|---|
| Platform | Proxmox Virtualization Platform | Planned |
| Platform | Network Security Platform | Planned |
| Information | Identity & Access Data | Planned |
Relationships
| Relationship | Target CI |
|---|---|
| Provides secure access | Administrative servers and internal platforms |
| Consumes | Identity & Access Data |
| Supports | Security monitoring and auditing |
| Protected by | Network Security Platform |
Asset Classification
| Criteria | Level |
|---|---|
| Confidentiality | 🟥 High |
| Integrity | 🟨 Medium |
| Availability | 🟨 Medium |
Criticality score: 🟥 High
Rationale:
- Confidentiality is critical because compromise could grant unauthorized access to all infrastructure assets.
- Integrity is medium: session logging and access policies must be reliable, but the platform does not itself store sensitive data.
- Availability is medium: downtime would temporarily block administrative access but does not directly impact service users.
Responsibilities
| Role | Responsibility |
|---|---|
| Security Role (Sec) | Platform hardening, access policies, monitoring, risk assessment |
| Operations Role (Ops) | Deployment, patching, maintenance of bastion host |
| Development Role (Dev) | Integration with CI/CD pipelines if needed |
Security Controls (High-Level)
- Centralized authentication and authorization via Teleport
- Role-based access control with least privilege
- Multi-factor authentication for all administrative sessions
- Session recording and audit logging
- Network segmentation and firewalling around bastion host
Security Considerations
Main risks associated with this asset include:
- Unauthorized administrative access
- Misconfigured roles or access policies
- Compromise of MFA devices or credentials
- Bastion host downtime impacting operations
Mitigation measures may include:
- Strict RBAC and MFA enforcement
- Regular review of access logs and policies
- Redundant bastion deployment or failover strategies
- Integration with SIEM for anomaly detection
Methodological References:
- ISO 27001 - Control 8.2 Privileged access rights; Control 8.3 Information access restriction; Control 8.15 Logging; Control 8.16 Monitoring activities.
- NIST CSF - PR.AC Identity Management and Access Control; DE.CM Continuous Monitoring.
- EBIOS RM - Secure access management platforms as critical security infrastructure assets.