How to Keep Privileged IT Access Secure in the Era of Remote Work
May 04, 2020

Markku Rossi
SSH.COM

Amid the current public health crisis, a vast majority of IT system administrators, DevOps teams and software engineers are forced to work remotely. Some companies have had to bring in new collaboration and network tools, like Zoom and Slack, to make communication easier for their teams. Others have had to take a harder look at their corporate VPNs to ensure remote teams have access to the data and resources they need to get work done.

It's a new way of working for many businesses, introducing sudden and widespread change to conventional workflows, processes, team collaboration and more. It's also creating security risks, opening new attack vectors while significantly expanding current ones. For instance, it's becoming harder for employees distinguish valid information from spam and targeted cyber-attacks, especially as cybercriminals capitalize on COVID-19 as their lure.

These challenges reinforce the need for common-sense IT security best practices: automatic security updates, regular data backup, and multifactor authentication (MFA).

But it doesn't stop there. To effectively do their jobs from home, DevOps teams still need ongoing remote access to business-critical corporate databases and IT infrastructure. The typical developer workflow still emphasizes speed, agility and elasticity, but with developers now working outside of the office and away from secure corporate networks, there's an even bigger need to ensure that DevOps teams are following security policy and avoiding bad habits that create risk.

Now, more than ever, privileged IT access must be fast and convenient without adding operational obstacles or risking security. Here's how organizations can effectively support and secure remote access for their DevOps staff during this unique time.

Simplify Secure Access to Improve Policy Adherence

Security bypassing is a typical IT risk. It happens because many corporate security policies are too complex or cumbersome to follow, which encourages developers to seek workarounds.

For example, the process of manually inputting security credentials breaks up the typical developer workflow. In some organizations, a privileged access management (PAM) solution is used to create a central vault that stores all the company's credentials, each of which grants access to an IT resource on a per-host and per-user basis.

That means developers need to log into the vault to access and authenticate their credentials every time they need to work with a new IT resource. It's a lot of steps, and the temptation is high to bypass PAM altogether and spin up rogue SSH keys instead. Those keys exist outside of the PAM solution, meaning they are untracked and unmanaged.

This can be avoided with single sign-on access through ephemeral certificates, a modern form of secure access that are temporary, time-based and automatically expire. Ephemeral certificates are inherently simple to use because they don't require manual input or the need for a password vault. In this scenario, simplicity leads to better security, because developers will not be tempted to bypass corporate policy.

Eliminate Credentials and Provide Access on an As-Needed Basis

To limit the number of attack vectors and entry points into their IT network, businesses need to win the battle against excessive access. That means ensuring that no user account has unlimited, unfettered, "always on" access to their complete IT infrastructure – also known as standing privileges.

User accounts that have standing privileges are a significant security risk during the best times, because if they fall into the wrong hands, they provide full access to the entire environment. These types of accounts are even more risky at a time when remote workers are logging into corporate IT from home, where internet connections may not be as secure as corporate networks.

The solution is to adopt a policy of granting privileged access on an as-needed basis. Privileges can be assigned role-by-role, ensuring user accounts can only access exactly the resources needed to complete the job, and nothing more. You can further reduce attack vectors by shortening the window of time in which those accounts can access the network. As Gartner explains, ephemeral certificates support the principle of "just-in-time" access, because access credentials are automatically created on-demand and require no installation, configuration or updating.

On top of that, replacing typical IT credentials with automatically expiring certificates means that there are no passwords to lose, have stolen, or share. This eliminates bad habits like password sharing, while also ensuring that hackers can't get their hands on credentials that have access to critical IT resources.

Instead of Domain Isolation, Manage All New Tools Through IAM

Companies are onboarding new SaaS tools to make remote work easier for their employees. As they do so, they should take steps to ensure they are intelligently managing service accounts, as each new SaaS software offers its own user, role, and access management domains.

For example, consider a company that adds new video conferencing software. Normally, each employee would be required to register their own user account on that platform. The same holds true for IT tools, like a company that keeps its cloud servers and computation nodes on Amazon Web Services, Microsoft Azure, or Google Cloud. Each of those clouds has its own unique identity and access management (IAM) domain.

The end result of this model is that employees might have several user accounts across different services with separate authentication credentials. Now, when employees change roles or leave the company, how will the organization track down all these external SaaS services and deactivate those user accounts?

Instead, it's better for businesses to integrate new SaaS solutions within their existing, overarching IAM framework. Almost all modern software services and tools support IAM integration and single sign-on via standard protocols like Active Directory (AD), OpenID Connect and SAML. In this integrated model, all employee user accounts are defined within a single centralized solution, making it easier to manage user attributes, roles, and AD groups. And all access rules can be derived from this system-of-record.

When an employee leaves the organization, IT simply disables their user account from the IAM system, and all linked access is automatically terminated. When this model is combined with ephemeral just-in-time access, there are no credentials left to remove from the company's infrastructure.

Remote work may be a new reality for some DevOps teams, but it doesn't have to mean sacrificing security for productivity or vice versa. Businesses can empower their developers to work the way they want from the safety of their homes, while still keeping corporate IT secure, too.

Markku Rossi is CTO at SSH.COM
Share this

Industry News

July 29, 2021

Couchbase announced the general availability of Couchbase Server 7.

July 29, 2021

Cycloid has unveiled Infra Import, a tool that automatically reverse engineers Terraform Infra-as-Code (IaC) from manually deployed infrastructure.

July 29, 2021

Launchable closed a $9.5 million Series A investment.

July 29, 2021

Rafay Systems announced automation and monitoring enhancements to its flagship Kubernetes Management Cloud (KMC).

July 28, 2021

Progress announced the R2 2021 release of Progress Telerik Test Studio, the enterprise UI test automation platform.

July 28, 2021

Synopsys announced the availability of new Rapid Scan capabilities within the company's Coverity static application security testing (SAST) and Black Duck software composition analysis (SCA) solutions.

July 28, 2021

Bitdefender announced GravityZone Security for Containers, expanding its cloud workload security (CWS) offering with run-time support for containers and Linux kernel independence.

July 28, 2021

Armory announced Armory Enterprise on AWS Quick Starts, automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners.

July 27, 2021

Katalon introduced Katalon TestOps, an open and comprehensive test orchestration platform designed to help enterprises scale test automation and streamline DevOps pipelines.

July 27, 2021

Digital.ai achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status for an Enterprise Agile Planning (EAP) tool.

July 27, 2021

Aqua Security rolls out the availability of its new Aqua Platform, with a unified console to ease the journey from scanning and visibility to workload protection in cloud native environments.

July 26, 2021

Parallel Agile announced a new version of CodeBot, a low-code MERN stack application generator.

July 26, 2021

Appian unveiled its new Appian Japan regional office.

July 26, 2021

CloudTruth raised $5.25 million in seed funding led by Glasswing Ventures and Gutbrain Ventures, with additional funding from Stage 1 Ventures and York IE.

July 22, 2021

Postman successfully obtained the System and Organization Controls (SOC) 2 Type 2 and SOC 3 Type 2 reports for the Postman API platform, meeting critical industry standards relative to the Trust Services Criteria for security, availability, and confidentiality.