How Rackspace Leverages ScaleFT to Provide Secure Fanatical Support

Ivan Dwyer - April 13, 2017

Fanatical Support is more than a catchy tagline; it’s a core tenet of the Rackspace culture as a leading managed service provider. For many companies, migrating workloads to the cloud and adopting the inherent technologies requires the right partner to guide them along the way. Rackspace has continued to prove that they have the domain expertise and support structure to be that trusted advisor for companies of all kinds.

Rackspace offers a number of managed services & support options on top of the major public clouds – AWS, Azure, and Google Cloud (coming soon). With the Aviator package, which includes 24x7x365 operational support, members from the Rackspace Support Team provide a wide range of configuration and administrative functions directly within a customer’s cloud assets. Leveraging Rackspace’s expertise takes the burden of operations away, allowing companies to focus their efforts on their core business.

When being handed the keys to the kingdom, it is crucial to implement the right privileged access management to ensure a customer’s sensitive resources are carefully protected. To accomplish this in a way that wouldn’t hinder the support work that needs to be done, Rackspace collaborated with ScaleFT to create Passport - a tool that gives Rackers streamlined, on-demand access to a customer’s Windows and Linux instances with exceptional speed and flexibility without sacrificing security or control.

Unlike traditional PAM solutions, which often do little more than rotate static credentials, Passport leverages ScaleFT under the hood to make intelligent access decisions in real-time based on dynamic conditions that are more in line with today’s cloud environments. Following the principles of Zero Trust, the resulting workflow eliminates static credentials entirely, giving Rackspace customers the assurance that their resources are safe & secure.


The Passport Workflow

The Passport tool is restricted to trained members of the Rackspace Support Team, and is directly integrated with the internal Rackspace Identity Provider for multi-factor authentication. Each access request is logged in the API and recorded in the customer portal. This audit trail helps customers with compliance needs and also helps identify which Rackers are making changes to what and when.

To provide a personalized user experience, Rackspace and ScaleFT jointly developed a web-based system to manage access controls. When a member of the Support Team needs to access a customer resource, they click a button in the Passport Dashboard that creates a preauthorization request with ScaleFT. This grants that Support Team member access to a specific resource provided they are a member of the group associated with the customer. The Passport Dashboard then generates a connection string, which is passed to the local ScaleFT client installed on the Support Team member’s workstation; the client then directly opens an SSH or RDP session. The single-click workflow built on the ScaleFT platform lets the Rackspace Support Team move quickly without sacrificing any security measures.

Behind the scenes, the ScaleFT platform makes an attestation of trust with every request based on the Support Team member’s role, their connecting device, and the resource being accessed. When successfully authorized for the resource, ScaleFT issues a single-use client certificate via the platform’s built-in Certificate Authority that is used to initiate a secure session over SSH and RDP. ScaleFT proxies SSH and RDP sessions through multiple intermediary hosts (or bastions), delivering a streamlined workflow for the Rackspace Support Team member.

A secure connection to the customer resource is made by flowing the request through a Rackspace bastion, then to the customer’s registered bastion, and then to the target host. This allows members of the Rackspace Support Team to remotely connect to a customer’s infrastructure resources via bastions with a single click. Prior to Passport, this multi-hop scenario did not offer the most friendly user experience. The abstraction layers that ScaleFT provides enable Rackspace to preserve their advanced security controls without getting in the way.
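
The decision flow described above (preauthorization gated on group membership, then a short-lived single-use credential bound to user, device and resource) can be sketched as follows. This is an added illustration, not ScaleFT or Rackspace code: an HMAC-signed token stands in for the client certificate, and every user, device, group and host name is constructed.

```python
import hashlib
import hmac
import json
import secrets

CA_KEY = secrets.token_bytes(32)           # stand-in for the CA signing key
GROUPS = {"customer-a": {"alice"}}         # constructed: one group per customer
RESOURCES = {"web01": "customer-a"}        # constructed: host -> owning customer
TRUSTED_DEVICES = {"alice": {"laptop-7"}}  # constructed device inventory
preauths = {}     # (user, host) -> time at which the preauthorization lapses
redeemed = set()  # credential ids that have already opened a session
audit_log = []    # every decision is recorded, allowed or denied


def preauthorize(user, host, now, ttl=300):
    """Dashboard button: only members of the customer's group may request."""
    ok = user in GROUPS.get(RESOURCES.get(host), set())
    if ok:
        preauths[(user, host)] = now + ttl
    audit_log.append(("preauthorize", user, host, ok))
    return ok


def issue_credential(user, device, host, now, ttl=60):
    """Issue a short-lived credential bound to user, device and host."""
    ok = (preauths.get((user, host), 0) > now
          and device in TRUSTED_DEVICES.get(user, set()))
    audit_log.append(("issue", user, host, ok))
    if not ok:
        return None
    claims = {"id": secrets.token_hex(8), "user": user, "device": device,
              "host": host, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()


def open_session(credential, host, now):
    """Target-side check: signature first, then host, expiry and reuse."""
    body, sig = credential
    expected = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        audit_log.append(("session", None, host, False))
        return False
    claims = json.loads(body)
    ok = (claims["host"] == host and claims["exp"] > now
          and claims["id"] not in redeemed)
    if ok:
        redeemed.add(claims["id"])
    audit_log.append(("session", claims["user"], host, ok))
    return ok
```

Because the credential is checked for reuse and expiry at the target, a captured token cannot open a second session, and denied attempts still land in the audit log.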

“ScaleFT and the Passport tool have helped tremendously. We are now able to offer our engineers single click access to managed servers while maintaining proper security and auditability.” - Dugan Sheehan


Passport in Action with Fanatical Azure Support

We spoke with Dugan Sheehan, Principal Engineer with the Microsoft Cloud Team at Rackspace to hear about his experience working with ScaleFT as a key technology partner for Fanatical Azure Support. He shared three key benefits.

  • Just-In-Time Access - The ScaleFT platform ensures that the user account is only available and enabled once an authenticated request is received. This guarantees that the engineer has strict access to only the requested server and only for the required duration, greatly reducing the attack surface.

  • Multi-Hop-Connections - ScaleFT is able to tunnel RDP and SSH sessions through multiple intermediary hosts (bastions). This is extremely powerful as it allows us to funnel all our requests through known controlled bastions and manage network rules in one place.

  • Identity federation - Through ScaleFT we are able to tie into our corporate IdP and take advantage of our existing identities and dual factor authentication.

When asked what excites him about our product roadmap, he said, “We are very excited for the potential release of Powershell Remoting capabilities. We would like to leverage the same secure multi-hop authentication framework that ScaleFT exposes today, to execute powershell commands. This would give us very robust auditing and post-deployment automation capabilities, with the same identities and security controls we enjoy currently.”

Dugan Sheehan is a principal engineer on Rackspace's Microsoft Cloud team. As a product architect, his role is to help shape the look and feel of Rackspace Fanatical Support for Microsoft Azure. He frequently engages with Microsoft program managers to evaluate new technologies and is constantly looking for ways to evolve the offering and improve the customer experience. His responsibilities include scripting and design work, as well as consulting and implementation activities for complex customer environments.


Want to find out more about Fanatical Azure Support? Visit Rackspace to learn about the managed support offering and the opportunity to receive a $4,000 credit towards your Rackspace Azure infrastructure and a free strategy session with an Azure specialist.

