How to Keep Privileged IT Access Secure in the Era of Remote Work
May 04, 2020

Markku Rossi
SSH.COM

Amid the current public health crisis, a vast majority of IT system administrators, DevOps teams and software engineers are forced to work remotely. Some companies have had to bring in new collaboration and network tools, like Zoom and Slack, to make communication easier for their teams. Others have had to take a harder look at their corporate VPNs to ensure remote teams have access to the data and resources they need to get work done.

It's a new way of working for many businesses, introducing sudden and widespread change to conventional workflows, processes, team collaboration and more. It's also creating security risks, opening new attack vectors while significantly expanding current ones. For instance, it's becoming harder for employees distinguish valid information from spam and targeted cyber-attacks, especially as cybercriminals capitalize on COVID-19 as their lure.

These challenges reinforce the need for common-sense IT security best practices: automatic security updates, regular data backup, and multifactor authentication (MFA).

But it doesn't stop there. To effectively do their jobs from home, DevOps teams still need ongoing remote access to business-critical corporate databases and IT infrastructure. The typical developer workflow still emphasizes speed, agility and elasticity, but with developers now working outside of the office and away from secure corporate networks, there's an even bigger need to ensure that DevOps teams are following security policy and avoiding bad habits that create risk.

Now, more than ever, privileged IT access must be fast and convenient without adding operational obstacles or risking security. Here's how organizations can effectively support and secure remote access for their DevOps staff during this unique time.

Simplify Secure Access to Improve Policy Adherence

Security bypassing is a typical IT risk. It happens because many corporate security policies are too complex or cumbersome to follow, which encourages developers to seek workarounds.

For example, the process of manually inputting security credentials breaks up the typical developer workflow. In some organizations, a privileged access management (PAM) solution is used to create a central vault that stores all the company's credentials, each of which grants access to an IT resource on a per-host and per-user basis.

That means developers need to log into the vault to access and authenticate their credentials every time they need to work with a new IT resource. It's a lot of steps, and the temptation is high to bypass PAM altogether and spin up rogue SSH keys instead. Those keys exist outside of the PAM solution, meaning they are untracked and unmanaged.

This can be avoided with single sign-on access through ephemeral certificates, a modern form of secure access that are temporary, time-based and automatically expire. Ephemeral certificates are inherently simple to use because they don't require manual input or the need for a password vault. In this scenario, simplicity leads to better security, because developers will not be tempted to bypass corporate policy.

Eliminate Credentials and Provide Access on an As-Needed Basis

To limit the number of attack vectors and entry points into their IT network, businesses need to win the battle against excessive access. That means ensuring that no user account has unlimited, unfettered, "always on" access to their complete IT infrastructure – also known as standing privileges.

User accounts that have standing privileges are a significant security risk during the best times, because if they fall into the wrong hands, they provide full access to the entire environment. These types of accounts are even more risky at a time when remote workers are logging into corporate IT from home, where internet connections may not be as secure as corporate networks.

The solution is to adopt a policy of granting privileged access on an as-needed basis. Privileges can be assigned role-by-role, ensuring user accounts can only access exactly the resources needed to complete the job, and nothing more. You can further reduce attack vectors by shortening the window of time in which those accounts can access the network. As Gartner explains, ephemeral certificates support the principle of "just-in-time" access, because access credentials are automatically created on-demand and require no installation, configuration or updating.

On top of that, replacing typical IT credentials with automatically expiring certificates means that there are no passwords to lose, have stolen, or share. This eliminates bad habits like password sharing, while also ensuring that hackers can't get their hands on credentials that have access to critical IT resources.

Instead of Domain Isolation, Manage All New Tools Through IAM

Companies are onboarding new SaaS tools to make remote work easier for their employees. As they do so, they should take steps to ensure they are intelligently managing service accounts, as each new SaaS software offers its own user, role, and access management domains.

For example, consider a company that adds new video conferencing software. Normally, each employee would be required to register their own user account on that platform. The same holds true for IT tools, like a company that keeps its cloud servers and computation nodes on Amazon Web Services, Microsoft Azure, or Google Cloud. Each of those clouds has its own unique identity and access management (IAM) domain.

The end result of this model is that employees might have several user accounts across different services with separate authentication credentials. Now, when employees change roles or leave the company, how will the organization track down all these external SaaS services and deactivate those user accounts?

Instead, it's better for businesses to integrate new SaaS solutions within their existing, overarching IAM framework. Almost all modern software services and tools support IAM integration and single sign-on via standard protocols like Active Directory (AD), OpenID Connect and SAML. In this integrated model, all employee user accounts are defined within a single centralized solution, making it easier to manage user attributes, roles, and AD groups. And all access rules can be derived from this system-of-record.

When an employee leaves the organization, IT simply disables their user account from the IAM system, and all linked access is automatically terminated. When this model is combined with ephemeral just-in-time access, there are no credentials left to remove from the company's infrastructure.

Remote work may be a new reality for some DevOps teams, but it doesn't have to mean sacrificing security for productivity or vice versa. Businesses can empower their developers to work the way they want from the safety of their homes, while still keeping corporate IT secure, too.

Markku Rossi is CTO at SSH.COM
Share this

Industry News

June 04, 2020

Exadel announced Appery.io, its low code development platform, now offers new subscription tiers.

June 04, 2020

NetApp has entered into a definitive agreement to acquire Spot, a provider of compute management and cost optimization on the public clouds, to establish leadership in Application Driven Infrastructure.

June 04, 2020

Fluree announced the release of the Fluree JavaScript Library, a feature included in Fluree V0.13.0 that enables developers to launch a version of Fluree as an in-memory, code-resident data source for front-end applications, enabling sub-millisecond data delivery.

June 03, 2020

Netcracker Technology announced the launch of its Netcracker 2020 portfolio to help service providers focus on their customer’s digital lifestyle.

June 03, 2020

Navisite announced its acquisition of Privo, a Premier Consulting Partner in the Amazon Web Services (AWS) Partner Network (APN).

June 03, 2020

Grafana Labs released Grafana 7.0 with significant enhancements to simplify the development of custom plugins and drastically increase the power, speed and flexibility of visualization.

June 02, 2020

Chef announced a number of new products designed to enable coded enterprises to work across silos to build competitive advantage through automation.

June 02, 2020

Rancher Labs announced the general availability of Longhorn, an enterprise-grade, cloud-native container storage solution.

June 02, 2020

Checkmarx announced the launch of Checkmarx SCA (CxSCA), the company’s new, SaaS-based software composition analysis solution.

June 01, 2020

IT Revolution announced a full conference agenda for DevOps Enterprise Summit London, June 23-25, 2020.

June 01, 2020

Caltech CTME announced that Simplilearn, a global provider of digital skills training, will collaborate with CTME (Caltech's Center for Technology and Management Education) to offer a specialized Post Graduate Program in DevOps software engineering.

June 01, 2020

DevOps Institute, a global member-based association for advancing the human elements of DevOps, announced the introduction of its SKILup Playbook Library, a dynamic collective body of knowledge (cBok) that aligns thought leadership from industry experts with a set of dynamic, orchestrated artifacts, research and assets.

May 28, 2020

Docker has extended its strategic collaboration with Microsoft to simplify code to cloud application development for developers and development teams by more closely integrating with Azure Container Instances (ACI).

May 28, 2020

Eggplant announced updates to its Digital Automation Intelligence (DAI) platform.

May 28, 2020

Aptum launched its Managed DevOps Service in partnership with CloudOps, a cloud consulting and professional services company specializing in DevOps.