Hi everyone, welcome to Secure Servers with Okta without requiring keys. My name is Frederico, and in this series of tutorials we're going to cover how you can use an Okta developer account plus Advanced Server Access to secure access to servers without requiring server keys. This series is made up of four tutorials, starting with how you can secure servers with Okta, moving on to how to add multi-factor authentication for users, then how to set up granular privileges and access controls, and ending with how to scale to DevOps tools so you can actually have this security running on many servers automatically.

For context, it's worth explaining why I'm creating this tutorial series in the first place. The reason is that I have a friend who works in security as a site reliability engineer, and part of his work is to make sure that the right people have access to the right servers. In his company they do this using keys, and this is the default configuration in most of the IaaS solutions you have, like AWS, GCP or Azure. The challenge for this friend of mine is that as soon as these keys get lost or disclosed for any reason, he needs to rotate them. He also needs to do this for compliance reasons. The way these keys work is that, before accessing the system, someone will go and provision a server on the IaaS provider or on a hypervisor, and they will get a server key with no expiration or with a long expiration, which is later used by the administrators to access the servers.

The challenge for this friend of mine is that most recently he had to rotate these keys three times for different reasons. The first was the regular rotation he has to do every quarter because of compliance. The second reason is that after he did that, one of the keys accidentally got posted on GitHub in a commit. So he ran a solution called TruffleHog, which is available on GitHub. It's amazing. It's GPL licensed.
What it does is basically allow you to scan your repos and find secrets that were accidentally disclosed with the code. It could be a hard-coded key or an API secret. So he found one of the server keys there, and for security reasons he decided to rotate all the server keys. After that, one of his developers who works in production actually got his laptop stolen, which contained one of those privileged private keys, so he had to rotate once again.

The way we can solve this issue is basically by using Okta and using temporary keys. The way this works is something like this. Instead of the administrator getting a permanent key up front and later taking care of rotating it, he installs a lightweight agent on the server, which can be done automatically using DevOps tools or through Bash. There's also an agent on the user's device, which I'm going to show you how to install as well. So when the user needs to access the server, the user never holds a secret key. The user enters the SSH command and is routed to log in to Okta, maybe with MFA or just with their credentials. After that authentication is done, the user gets a temporary key handed off by the agent, tightly scoped in time for issue and for use, which is then used automatically by the agent on the computer to establish the SSH connection, or even an RDP connection, with the server. Because that key is short-lived, provisioned to this user at run time and handled securely by the agent, you have a lot of security here: the keys no longer run the risk of being disclosed with a long time to expire, and the requirement for rotating keys goes away. On the server side, the server agent, in addition to establishing these connections, also records the server activity, which can later be used for auditing without you having to go straight to the machine and pull those logs together.
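To make the "temporary key handed off by the agent" concrete, here is an added example, not code from the tutorial or from Okta, of the underlying mechanism: a short-lived SSH user certificate signed by a certificate authority that the server trusts. The CA key below is a local stand-in for the CA that Advanced Server Access manages for you; the principal name, the key identity string and the 10-minute validity window are assumptions chosen for the demo. The point is that the user's private key is generated fresh at login time and is useless once the certificate's validity window closes, so there is nothing long-lived to leak or rotate.

```shell
#!/bin/sh
# Added example (not from the tutorial): issue a short-lived SSH user
# certificate from a CA and inspect its validity window. The CA here is a
# local stand-in for the Okta-managed CA; "alice", the "@demo" key ID and
# the +10m window are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Generate the CA key pair. In a real deployment the server only ever sees
# the public half (via TrustedUserCAKeys); the private half stays with the CA.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca"
}

# Ephemeral key pair the client agent creates at login time. The private
# half never leaves the user's machine and is worthless once the cert expires.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C "$1-ephemeral" -f "$WORK/$1"
}

# Sign the user's public key into a certificate bound to one principal and a
# validity window such as +10m. Expiry replaces manual rotation.
# Prints the path of the certificate ssh-keygen writes (<key>-cert.pub).
issue_cert() {
  principal="$1"; validity="$2"
  ssh-keygen -q -s "$WORK/ca" -I "$principal@demo" -n "$principal" \
    -V "$validity" "$WORK/$principal.pub"
  printf '%s\n' "$WORK/$principal-cert.pub"
}

# Print the certificate's "from ... to ..." window so it can be audited.
cert_validity() {
  ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: //p'
}

# Print the principals the certificate is valid for, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" \
    | awk '/Principals:/{flag=1; next} /Critical Options:/{flag=0} flag{print $1}'
}

demo() {
  make_ca
  make_user_key alice
  cert=$(issue_cert alice +10m)
  echo "certificate: $cert"
  echo "validity:    $(cert_validity "$cert")"
  echo "principals:  $(cert_principals "$cert")"
  echo
  echo "# server side, in /etc/ssh/sshd_config (assumed path for the CA public key):"
  echo "TrustedUserCAKeys /etc/ssh/ca.pub   # contents of $WORK/ca.pub"
}

if command -v ssh-keygen >/dev/null 2>&1; then
  demo
else
  echo "ssh-keygen not found; install OpenSSH to run this example" >&2
fi
```

The `Valid: from ... to ...` line that `ssh-keygen -L` prints is the whole story: `sshd` refuses the certificate outside that window, so a stolen laptop or a key pasted into a commit only exposes a credential that has already stopped working. The same certificate carries the principal list, which is what the later tutorial on granular privileges builds on.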
So yeah, this is a quick introduction to why you would want to do this and why it might be an interesting option. What we're going to do in the upcoming videos is first set all of that up using the Okta developer plan. We're going to secure one server from scratch, so you're going to see all the commands I'll be running, and I'm going to make those available for you as well in the links down below. Then we're going to move on to adding additional security, all the way to the point where we automate it if you're using solutions like Ansible, Chef or Terraform. So see you in the next video. Have a good one.