Introducing the Aembit Kerberos Trust Provider

Ashur Kanoon

Technical Product Marketing

Today’s development environments have evolved greatly, with a high dependence on cloud-deployed SaaS tools. However, most organizations are still running in hybrid mode with applications and servers running on-premises and in the cloud. 

Organizations are also continuing to use on-premises servers for authentication, primarily Active Directory (AD), even when using directory synchronization to sync up to cloud-based services such as Entra ID (formerly Azure Active Directory). AD has mainly been used to authenticate users and devices, and it can now be further leveraged to authenticate workloads between services.

Aembit is pleased to announce that we have released a Kerberos Trust Provider that enables the attestation of client workloads running in virtual machine environments joined to AD. This attestation method is specifically designed for on-premises deployments where alternative attestation methods, such as AWS or Azure metadata service trust providers, are not available. 

Aembit is proud to be one of the only vendors unifying workload IAM across both on-prem and off-prem environments, and we continue to add trust providers alongside our existing AWS, Azure, and Kubernetes support.

Why Kerberos?

Kerberos is a network authentication protocol that allows entities to securely prove their identity over an insecure network. It operates on the basis of tickets issued by a trusted key distribution center (KDC), eliminating the need to transmit passwords over the network. Users and services use these tickets to authenticate themselves to each other.

As for its usage, Kerberos remains widely adopted in enterprise environments and is utilized by numerous companies around the world for securing their network infrastructure and services. It is a foundational technology in security architectures, especially in sectors such as finance, health care, education, and government. Many major technology providers and platforms also integrate support for Kerberos authentication, further extending its use across different industries. Overall, Kerberos continues to be a prevalent choice for ensuring strong authentication and security in networked environments.

To learn more about Kerberos, check out these resources from the inventor, MIT, and one of the major implementers, Microsoft.

[Figure: How Aembit Kerberos Trust Provider functions]

How Aembit Kerberos Trust Provider Helps

The Aembit Kerberos Trust Provider is unique because it relies on attestation provided by an Aembit component, rather than attestation from a third-party system. In this scenario, the Aembit Agent Controller acts as the attesting system. It authenticates a client (specifically, the agent proxy) via Kerberos and attests to the client’s identity. The agent controller then signs the client’s identity information, and Aembit Cloud validates that signed identity as part of the access policy evaluation.

Implementing Aembit Kerberos Trust Provider

To give you a better idea of how to implement the Kerberos Trust Provider, here are the major steps:

1) Domain-join the client workload and Aembit Agent Controller virtual machines to AD.

2) Create an agent controller user in AD. No special permissions are needed.

3) Ensure that the client workload virtual machine has network connectivity to the AD server to acquire tickets.

4) Optional but recommended: Configure TLS and high availability (HA) for the agent controllers to ensure the most secure and available connectivity.

The time needed to add the Aembit Kerberos Trust Provider to your existing deployment is just a few minutes.

To learn more, visit our docs hub or schedule a demo today.

Ashur Kanoon

Ashur Kanoon is the technical product marketing guy at Aembit. I started off as a software engineer at Cisco working on Y2K (remember that). I take what excited (and highly caffeinated) engineers build and make sure that business and technical buyers know why to partner with us. I’ve done this at 1 spin-out (later acquired) and 2 other startups (both acquired). I enjoy mechanical things (mostly cars and watches) and love spending time with my wife and two teenagers. I have a CIS degree and MBA.
