During SecTor Arsenal Canada 2023, Entitle CTO Avi Zetser announced the release of Entitle's Open Source Project, Beam -- a timely answer to the pressing demand for secure, user-friendly, and affordable access within the private landscapes of non-public VPC environments.
Four Layers of Infrastructure Exposure
To truly appreciate the essence of Beam, one must first understand the gradations of infrastructure exposure that have previously been on the table:
- Exposed infrastructure: At the basic level, infrastructures openly perched on the public cloud. The allure of zero cost is tempting. However, the compromise on security makes this method a high-risk venture with potential vulnerabilities.
- Jump server with SSH: One step up the ladder, we find infrastructures securely tucked behind a jump server, utilizing SSH. But this isn't without its challenges. Constant certificate rotations can be an operational hassle. And if one leans towards using mere usernames and passwords, the looming shadow of potential security breaches never really goes away.
- 3rd-party ZTNA or VPN: Then there are third-party ZTNA/VPNs. On the surface, they seem like the perfect solution to make infrastructures private. But, they come with a hefty price tag. Beyond the financial implications, these third-party tools can also introduce unforeseen vulnerabilities or downtimes.
- Native Proxy: More recently, native cloud solutions such as Google's Identity Aware Proxy, Azure Bastion, and AWS SSM port forwarding have entered the scene. Their innate integration within the cloud offerings means they are usually more reliable and cost-effective. However, the complexity of their setup processes often deters many from exploring them fully.
Enter Beam. Designed with the user in mind, it aims to bridge the gap, simplifying how developers can connect to AWS resources using the AWS SSM Session Manager.
Beam: The features and what they mean for users
Let's break down the capabilities Beam brings to the table:
- Direct and Secure Access: Through the AWS Systems Manager, Beam provides a straight path to private resources. Whether it's EKS clusters you want to access or RDS instances, Beam has got you covered.
- Built for the Dynamic World: Cloud environments are not static. They're perpetually evolving, shifting, and expanding. Beam is designed keeping this dynamic nature in mind, ensuring it remains efficient even when resources change or multi-tenancy requirements come into play.
- Simplified Configuration: One of the persistent challenges with setting up SSM access has been its complexity. Beam seeks to change this narrative. It's built to simplify, not complicate.
- A Glimpse into the Future: While Beam's current compatibility is primarily centered around AWS (SSM), the team behind it isn't resting on their laurels. There are active plans to integrate it with other platforms, such as Google's Identity-Aware Proxy (IAP).
For those curious about the prerequisites for Beam, the list is straightforward:
- AWS SSO with one or multiple accounts.
- Each environment should have its own VPC.
- Within the private subnet, you should have your infrastructure, be it Kubernetes or databases.
- And, of course, an active EC2 instance inside the private subnet with an SSM agent running is essential.
How to use Beam:
- Initiate with beam configure and follow the prompts.
- The configuration isn't restricted to one user; you can share it across your team.
- Execute beam run, allowing the software to scan your infrastructure and adjust configurations and ports as required, ensuring a seamless access experience.
Final Words
Infrastructure security is not a luxury; it's a necessity. While traditional methods have served us in the past, the evolving landscape necessitates more advanced and reliable tools. SSM, Azure Bastion, IAP, and now, Beam, offer robust solutions worth exploring. For a hands-on experience and a deeper dive into Beam, visit GitHub.
