RFC-PAM-0001                                                   Section 13
Category: Standards Track                                      Evolution

13. Evolution


13.1 Anticipated Extensions

13.1.1 Additional Resource Types

The architecture is designed to extend to additional resource types:

Resource Type       Protocol     Anticipated Support
-----------------   ----------   --------------------------------
Windows RDP         RDP          Near-term (Teleport native)
Web applications    HTTPS        Near-term (Teleport App Access)
Cloud consoles      HTTPS        Medium-term (AWS, Azure, GCP)
CI/CD systems       Various      Medium-term
Git repositories    SSH/HTTPS    Future consideration
Message queues      Various      Future consideration

13.1.2 Windows RDP Access

Windows server access follows similar patterns:

Component        Implementation
--------------   ---------------------------------------
Agent            Teleport Windows Desktop Service
Authentication   Teleport certificates → AD integration
Recording        Screen capture
RBAC             Label-based, similar to SSH

13.1.3 Web Application Access

Internal web applications can be proxied:

Benefit             Description
-----------------   ------------------------------------------
SSO                 Application doesn't need OIDC integration
Session recording   HTTP request logging
Access control      Teleport RBAC for application access
Audit               Centralized access logs

13.1.4 Cloud Console Access

Future capability for cloud provider console access:

Provider   Method
--------   ------------------------------
AWS        Assume role via Teleport
Azure      Azure AD app integration
GCP        Workload identity federation

13.2 Scalability Considerations

13.2.1 Teleport Cluster Scaling

As usage grows, Teleport components scale:

Component           Scaling Method                 Consideration
-----------------   ----------------------------   -------------------------
Proxy Service       Horizontal scaling             Load balancer required
Auth Service        Horizontal with shared state   Backend database sizing
Recording storage   Object storage scaling         S3/GCS auto-scales
Agents              Per-resource deployment        Management automation

13.2.2 High Availability

Production deployment requires HA:

Component           HA Strategy
-----------------   --------------------------------------
Auth Service        Multiple replicas, shared backend
Proxy Service       Multiple replicas, load balanced
Backend database    PostgreSQL cluster or etcd cluster
Recording storage   Multi-AZ object storage

13.2.3 Multi-Region Deployment

For global organizations:

Regional proxies reduce latency while maintaining centralized control.

13.2.4 Performance Considerations

Metric                       Target                  Scaling Factor
--------------------------   ---------------------   ------------------------
Concurrent sessions          10,000+                 Proxy replicas
Authentication latency       <500ms                  Auth replicas, caching
Recording write throughput   100MB/s+                Storage backend
Audit query performance      <1s for recent events   Index optimization

13.3 Migration Pathways

13.3.1 Phased Adoption

Organizations can adopt incrementally:

Phase 1: SSH Access

  • Deploy Teleport for SSH
  • Enroll critical servers first
  • Maintain bastion as fallback

Phase 2: Certificate Migration

  • Enable Vault SSH CA
  • Migrate from SSH keys to certificates
  • Disable direct key authentication

Phase 3: Database Access

  • Add database agents
  • Configure Vault database engines
  • Migrate from static credentials

Phase 4: Kubernetes Access

  • Deploy Kubernetes agents
  • Configure exec/attach policies
  • Enable eBPF recording

Phase 5: JIT Access

  • Enable access request workflows
  • Configure approval policies
  • Remove standing elevated access
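As an added example (not part of this RFC or of Teleport/Vault), the following Python check validates the sshd end state Phase 2 aims at: the Vault SSH CA trusted, static authorized_keys retired, and password login off. It assumes constructed sshd_config fragments and an illustrative CA path of /etc/ssh/vault_ca.pub. The caveat it encodes is that certificates are a form of public-key authentication, so "disable direct key authentication" means AuthorizedKeysFile none, not PubkeyAuthentication no.

```python
import re
# Constructed sshd_config fragments (not from the RFC); paths are assumptions.
PHASE1_CONFIG = """
# Before Phase 2: static authorized_keys, no CA trusted
PubkeyAuthentication yes
PasswordAuthentication no
"""
PHASE2_CONFIG = """
# After Phase 2: only Vault-signed certificates are accepted
TrustedUserCAKeys /etc/ssh/vault_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PubkeyAuthentication yes
AuthorizedKeysFile none
PasswordAuthentication no
Match User breakglass
    AuthorizedKeysFile /etc/ssh/breakglass_keys
"""

def parse_sshd_config(text: str) -> dict:
    """Global-section directives as {lowercase keyword: value}.
    sshd accepts 'key value' or 'key=value', keeps the FIRST value of a
    repeated keyword, and everything after 'Match' is conditional."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break  # conditional block; only the global section matters here
        conf.setdefault(key, value)
    return conf

def check_certificate_only(text: str) -> list:
    """Findings that block the Phase 2 end state; empty means it holds."""
    conf = parse_sshd_config(text)
    findings = []
    if not conf.get("trustedusercakeys"):
        findings.append("TrustedUserCAKeys missing: Vault SSH CA is not trusted")
    # Certificates ARE public-key auth: 'PubkeyAuthentication no' breaks them too.
    if conf.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("PubkeyAuthentication no: certificate logins disabled as well")
    # Static keys are retired via 'AuthorizedKeysFile none'; the default keeps them.
    if conf.get("authorizedkeysfile", ".ssh/authorized_keys").lower() != "none":
        findings.append("AuthorizedKeysFile still honoured: static keys accepted")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication not disabled")
    return findings
```

Run it against each enrolled host's sshd_config at the end of Phase 2; an empty result for a host is the signal that its static keys can be removed and the Phase 1 fallback retired.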

13.3.2 Legacy System Coexistence

Some systems may not migrate:

Scenario               Approach
--------------------   ---------------------------------------------------------------
Legacy SSH system      Maintain separate access (documented exception)
Unsupported database   Service account with static credentials (RFC-WORKLOAD-IDENTITY)
Third-party SaaS       Native SaaS access controls

13.3.3 Fallback Procedures

During the transition, maintain fallbacks:

Fallback                Use Case               Sunset Criteria
---------------------   --------------------   ----------------------
Bastion host            Teleport unavailable   Teleport HA verified
Static DB credentials   Vault unavailable      Vault HA verified
Direct kubectl          Teleport unavailable   Teleport HA verified

Fallbacks should be time-limited and eventually removed.

13.4 Feature Roadmap Alignment

13.4.1 Teleport Roadmap

Monitor Teleport releases for:

Feature                       Potential Benefit
---------------------------   ------------------------------
Improved Vault integration    Native SSH CA support
Enhanced eBPF capabilities    Broader session capture
SCIM support                  Automated user provisioning
Policy as code                Enhanced GitOps for policies

13.4.2 Vault Roadmap

Monitor Vault releases for:

Feature                        Potential Benefit
----------------------------   ------------------------------
Database engine enhancements   New database support
SSH engine improvements        Better certificate handling
Kubernetes auth improvements   Simplified integration

13.4.3 Integration Improvements

Future integration enhancements:

Integration            Enhancement
--------------------   ------------------------------
Teleport ↔ Vault       Deeper native integration
Teleport ↔ Keycloak    SCIM for user sync
Backstage ↔ Teleport   Self-service access requests

13.5 Deprecation Considerations

13.5.1 Component Deprecation

If components need replacement:

Component          Deprecation Path
----------------   -------------------------------------------------------
Teleport           Evaluate alternatives, migration plan, parallel operation
Vault SSH engine   Alternative CA, certificate migration
Vault DB engine    Alternative credential management

13.5.2 Protocol Evolution

As protocols evolve:

Change                      Impact          Mitigation
-------------------------   -------------   ----------------------------
SSH protocol updates        Agent updates   Maintain agent currency
Database protocol changes   Agent updates   Monitor database releases
Kubernetes API changes      Agent updates   Track Kubernetes releases

13.5.3 Organizational Change

The architecture accommodates organizational evolution:

Change                 Accommodation
--------------------   --------------------------------------------
Team restructuring     Update Keycloak/Teleport role mappings
New business units     Add roles, extend RBAC
Mergers/acquisitions   Federate identity, extend access
Compliance changes     Adjust recording retention, policies

End of Section 13