How to Keep Privileged IT Access Secure in the Era of Remote Work
May 04, 2020

Markku Rossi
SSH.COM

Amid the current public health crisis, a vast majority of IT system administrators, DevOps teams and software engineers are forced to work remotely. Some companies have had to bring in new collaboration and network tools, like Zoom and Slack, to make communication easier for their teams. Others have had to take a harder look at their corporate VPNs to ensure remote teams have access to the data and resources they need to get work done.

It's a new way of working for many businesses, introducing sudden and widespread change to conventional workflows, processes, team collaboration and more. It's also creating security risks, opening new attack vectors while significantly expanding current ones. For instance, it's becoming harder for employees distinguish valid information from spam and targeted cyber-attacks, especially as cybercriminals capitalize on COVID-19 as their lure.

These challenges reinforce the need for common-sense IT security best practices: automatic security updates, regular data backup, and multifactor authentication (MFA).

But it doesn't stop there. To effectively do their jobs from home, DevOps teams still need ongoing remote access to business-critical corporate databases and IT infrastructure. The typical developer workflow still emphasizes speed, agility and elasticity, but with developers now working outside of the office and away from secure corporate networks, there's an even bigger need to ensure that DevOps teams are following security policy and avoiding bad habits that create risk.

Now, more than ever, privileged IT access must be fast and convenient without adding operational obstacles or risking security. Here's how organizations can effectively support and secure remote access for their DevOps staff during this unique time.

Simplify Secure Access to Improve Policy Adherence

Security bypassing is a typical IT risk. It happens because many corporate security policies are too complex or cumbersome to follow, which encourages developers to seek workarounds.

For example, the process of manually inputting security credentials breaks up the typical developer workflow. In some organizations, a privileged access management (PAM) solution is used to create a central vault that stores all the company's credentials, each of which grants access to an IT resource on a per-host and per-user basis.

That means developers need to log into the vault to access and authenticate their credentials every time they need to work with a new IT resource. It's a lot of steps, and the temptation is high to bypass PAM altogether and spin up rogue SSH keys instead. Those keys exist outside of the PAM solution, meaning they are untracked and unmanaged.

This can be avoided with single sign-on access through ephemeral certificates, a modern form of secure access that are temporary, time-based and automatically expire. Ephemeral certificates are inherently simple to use because they don't require manual input or the need for a password vault. In this scenario, simplicity leads to better security, because developers will not be tempted to bypass corporate policy.

Eliminate Credentials and Provide Access on an As-Needed Basis

To limit the number of attack vectors and entry points into their IT network, businesses need to win the battle against excessive access. That means ensuring that no user account has unlimited, unfettered, "always on" access to their complete IT infrastructure – also known as standing privileges.

User accounts that have standing privileges are a significant security risk during the best times, because if they fall into the wrong hands, they provide full access to the entire environment. These types of accounts are even more risky at a time when remote workers are logging into corporate IT from home, where internet connections may not be as secure as corporate networks.

The solution is to adopt a policy of granting privileged access on an as-needed basis. Privileges can be assigned role-by-role, ensuring user accounts can only access exactly the resources needed to complete the job, and nothing more. You can further reduce attack vectors by shortening the window of time in which those accounts can access the network. As Gartner explains, ephemeral certificates support the principle of "just-in-time" access, because access credentials are automatically created on-demand and require no installation, configuration or updating.

On top of that, replacing typical IT credentials with automatically expiring certificates means that there are no passwords to lose, have stolen, or share. This eliminates bad habits like password sharing, while also ensuring that hackers can't get their hands on credentials that have access to critical IT resources.

Instead of Domain Isolation, Manage All New Tools Through IAM

Companies are onboarding new SaaS tools to make remote work easier for their employees. As they do so, they should take steps to ensure they are intelligently managing service accounts, as each new SaaS software offers its own user, role, and access management domains.

For example, consider a company that adds new video conferencing software. Normally, each employee would be required to register their own user account on that platform. The same holds true for IT tools, like a company that keeps its cloud servers and computation nodes on Amazon Web Services, Microsoft Azure, or Google Cloud. Each of those clouds has its own unique identity and access management (IAM) domain.

The end result of this model is that employees might have several user accounts across different services with separate authentication credentials. Now, when employees change roles or leave the company, how will the organization track down all these external SaaS services and deactivate those user accounts?

Instead, it's better for businesses to integrate new SaaS solutions within their existing, overarching IAM framework. Almost all modern software services and tools support IAM integration and single sign-on via standard protocols like Active Directory (AD), OpenID Connect and SAML. In this integrated model, all employee user accounts are defined within a single centralized solution, making it easier to manage user attributes, roles, and AD groups. And all access rules can be derived from this system-of-record.

When an employee leaves the organization, IT simply disables their user account from the IAM system, and all linked access is automatically terminated. When this model is combined with ephemeral just-in-time access, there are no credentials left to remove from the company's infrastructure.

Remote work may be a new reality for some DevOps teams, but it doesn't have to mean sacrificing security for productivity or vice versa. Businesses can empower their developers to work the way they want from the safety of their homes, while still keeping corporate IT secure, too.

Markku Rossi is CTO at SSH.COM
Share this

Industry News

April 18, 2024

SmartBear announced a new version of its API design and documentation tool, SwaggerHub, integrating Stoplight’s API open source tools.

April 18, 2024

Red Hat announced updates to Red Hat Trusted Software Supply Chain.

April 18, 2024

Tricentis announced the latest update to the company’s AI offerings with the launch of Tricentis Copilot, a suite of solutions leveraging generative AI to enhance productivity throughout the entire testing lifecycle.

April 17, 2024

CIQ launched fully supported, upstream stable kernels for Rocky Linux via the CIQ Enterprise Linux Platform, providing enhanced performance, hardware compatibility and security.

April 17, 2024

Redgate launched an enterprise version of its database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

April 17, 2024

Snyk announced the expansion of its current partnership with Google Cloud to advance secure code generated by Google Cloud’s generative-AI-powered collaborator service, Gemini Code Assist.

April 16, 2024

Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).

April 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

April 16, 2024

Sylabs announces the launch of a new certification focusing on the Singularity container platform.

April 15, 2024

OpenText™ announced Cloud Editions (CE) 24.2, including OpenText DevOps Cloud and OpenText™ DevOps Aviator.

April 15, 2024

Postman announced its acquisition of Orbit, the community growth platform for developer companies.

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.