
Zero Trust Security

Implement zero trust architecture with TigerAccess. This guide covers continuous verification, least privilege access, and eliminating static credentials.

Estimated time: 30 minutes

Zero Trust Principles

Never Trust, Always Verify

Every access request is authenticated and authorized, regardless of network location.

Least Privilege Access

Users receive only the minimum permissions needed for their role.

Continuous Verification

Identity and authorization are verified continuously, not just at login.

Short-Lived Certificates

Replace static credentials with certificates that expire in hours, not months.

Implementation Steps

1. Deploy TigerAccess Auth Service

Start the auth service, which acts as your certificate authority.

$ tigeraccess start --roles=auth --config=/etc/tigeraccess/config.yaml

2. Configure Identity Provider

Connect your OIDC or SAML identity provider for SSO.

$ tacctl sso configure oidc \
  --issuer=https://login.company.com \
  --client-id=tigeraccess \
  --client-secret=${OIDC_SECRET}

3. Define Access Policies

Create role-based access control policies for your resources.

$ tacctl create -f - <<EOF
kind: role
metadata:
  name: developer
spec:
  allow:
    node_labels:
      env: [dev, staging]
    logins: [ubuntu, ec2-user]
EOF

4. Deploy Proxy Service

Start the proxy service to handle all access requests.

$ tigeraccess start --roles=proxy --auth-server=auth.company.com:3025

5. Register Resources

Deploy agents or register resources with the proxy.

# On each server
$ tigeraccess start --roles=agent \
  --auth-server=auth.company.com:3025 \
  --proxy-server=proxy.company.com:3024

Configuration Reference

Example Configuration

# /etc/tigeraccess/config.yaml
version: v3
teleport:
  nodename: auth.company.com
  data_dir: /var/lib/tigeraccess

auth_service:
  enabled: true
  cluster_name: company-cluster

  authentication:
    type: oidc
    second_factor: webauthn

  # Certificate TTL settings
  session_ttl: 8h
  max_session_ttl: 12h

  # AI agent settings
  ai_agent_ttl: 1h
  ai_agent_max_actions: 1000

proxy_service:
  enabled: true
  public_addr: access.company.com:443

  # Enable all protocols
  ssh_public_addr: ssh.company.com:3023
  kube_public_addr: kube.company.com:3026
  mysql_public_addr: mysql.company.com:3036
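The settings above are what make the deployment zero trust in practice: SSO-backed identity, a second factor, certificate TTLs measured in hours, and roles scoped to specific node labels and logins. The following linter is an added example for this guide, not a TigerAccess tool, and checks those settings before rollout. It assumes durations use the s/m/h/d suffixes seen in the config, that a missing or "off" second_factor means MFA is disabled, and a 24h ceiling on certificate TTLs; the config and role are reproduced as Python dicts (constructed from the examples on this page) so the script runs with the standard library only.

```python
"""Lint zero-trust settings in a TigerAccess-style config and role.

Added example for this guide, not a TigerAccess tool. The data below is
constructed from the page's config.yaml and developer role; the TTL
ceiling and the meaning of second_factor "off" are assumptions.
"""
import re

_DURATION_RE = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Assumed policy: certificates should live for hours, not days or months.
MAX_CERT_TTL_SECONDS = 24 * 3600


def parse_duration(text):
    """Convert '8h', '30m' or '1d' style strings to seconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def lint_auth_service(auth):
    """Return findings for the auth_service section (empty list if clean)."""
    findings = []
    authn = auth.get("authentication", {})
    if authn.get("type") not in ("oidc", "saml"):
        findings.append("authentication.type should be oidc or saml (SSO-backed identity)")
    # Assumption: a missing or "off" second_factor disables MFA.
    if authn.get("second_factor", "off") == "off":
        findings.append("authentication.second_factor is disabled")
    for key in ("session_ttl", "max_session_ttl", "ai_agent_ttl"):
        value = auth.get(key)
        if value is None:
            findings.append(f"{key} is not set; the default may be longer than intended")
        elif parse_duration(value) > MAX_CERT_TTL_SECONDS:
            findings.append(f"{key}={value} exceeds the {MAX_CERT_TTL_SECONDS // 3600}h ceiling")
    if "session_ttl" in auth and "max_session_ttl" in auth:
        if parse_duration(auth["session_ttl"]) > parse_duration(auth["max_session_ttl"]):
            findings.append("session_ttl is longer than max_session_ttl")
    return findings


def lint_role(role):
    """Flag unscoped node selectors and privileged logins in a role's allow rules."""
    findings = []
    name = role.get("metadata", {}).get("name", "<unnamed>")
    allow = role.get("spec", {}).get("allow", {})
    labels = allow.get("node_labels", {})
    if not labels:
        findings.append(f"role {name}: no node_labels, so it matches every node")
    for label, values in labels.items():
        values = values if isinstance(values, list) else [values]
        if "*" in values:
            findings.append(f"role {name}: node_labels.{label} uses a wildcard")
    if "root" in allow.get("logins", []):
        findings.append(f"role {name}: allows login as root")
    return findings


def lint(config, roles):
    """Lint the auth_service section plus every role; return all findings."""
    findings = lint_auth_service(config.get("auth_service", {}))
    for role in roles:
        findings.extend(lint_role(role))
    return findings


# Constructed from the page's /etc/tigeraccess/config.yaml (auth_service only).
PAGE_CONFIG = {
    "auth_service": {
        "enabled": True,
        "cluster_name": "company-cluster",
        "authentication": {"type": "oidc", "second_factor": "webauthn"},
        "session_ttl": "8h",
        "max_session_ttl": "12h",
        "ai_agent_ttl": "1h",
        "ai_agent_max_actions": 1000,
    },
}

# Constructed from the page's developer role.
DEVELOPER_ROLE = {
    "kind": "role",
    "metadata": {"name": "developer"},
    "spec": {"allow": {"node_labels": {"env": ["dev", "staging"]},
                       "logins": ["ubuntu", "ec2-user"]}},
}

if __name__ == "__main__":
    for finding in lint(PAGE_CONFIG, [DEVELOPER_ROLE]) or ["no findings"]:
        print(finding)
```

Run against the page's own config and role the linter reports nothing; a role whose node_labels contain `*`, or a config with `session_ttl: 30d` and no second factor, produces one finding per violated principle, which is the point at which to fix the policy rather than deploy it.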

Zero Trust Implemented

Once configured, all access to your infrastructure flows through TigerAccess with:

  • Certificate-based authentication (no passwords or SSH keys)
  • Role-based access control with least privilege
  • Complete audit logging of all access
  • Session recording for compliance