How to Keep Privileged IT Access Secure in the Era of Remote Work
May 04, 2020

Markku Rossi
SSH.COM

Amid the current public health crisis, a vast majority of IT system administrators, DevOps teams and software engineers are forced to work remotely. Some companies have had to bring in new collaboration and network tools, like Zoom and Slack, to make communication easier for their teams. Others have had to take a harder look at their corporate VPNs to ensure remote teams have access to the data and resources they need to get work done.

It's a new way of working for many businesses, introducing sudden and widespread change to conventional workflows, processes, team collaboration and more. It's also creating security risks, opening new attack vectors while significantly expanding current ones. For instance, it's becoming harder for employees distinguish valid information from spam and targeted cyber-attacks, especially as cybercriminals capitalize on COVID-19 as their lure.

These challenges reinforce the need for common-sense IT security best practices: automatic security updates, regular data backup, and multifactor authentication (MFA).

But it doesn't stop there. To effectively do their jobs from home, DevOps teams still need ongoing remote access to business-critical corporate databases and IT infrastructure. The typical developer workflow still emphasizes speed, agility and elasticity, but with developers now working outside of the office and away from secure corporate networks, there's an even bigger need to ensure that DevOps teams are following security policy and avoiding bad habits that create risk.

Now, more than ever, privileged IT access must be fast and convenient without adding operational obstacles or risking security. Here's how organizations can effectively support and secure remote access for their DevOps staff during this unique time.

Simplify Secure Access to Improve Policy Adherence

Security bypassing is a typical IT risk. It happens because many corporate security policies are too complex or cumbersome to follow, which encourages developers to seek workarounds.

For example, the process of manually inputting security credentials breaks up the typical developer workflow. In some organizations, a privileged access management (PAM) solution is used to create a central vault that stores all the company's credentials, each of which grants access to an IT resource on a per-host and per-user basis.

That means developers need to log into the vault to access and authenticate their credentials every time they need to work with a new IT resource. It's a lot of steps, and the temptation is high to bypass PAM altogether and spin up rogue SSH keys instead. Those keys exist outside of the PAM solution, meaning they are untracked and unmanaged.

This can be avoided with single sign-on access through ephemeral certificates, a modern form of secure access that are temporary, time-based and automatically expire. Ephemeral certificates are inherently simple to use because they don't require manual input or the need for a password vault. In this scenario, simplicity leads to better security, because developers will not be tempted to bypass corporate policy.

Eliminate Credentials and Provide Access on an As-Needed Basis

To limit the number of attack vectors and entry points into their IT network, businesses need to win the battle against excessive access. That means ensuring that no user account has unlimited, unfettered, "always on" access to their complete IT infrastructure – also known as standing privileges.

User accounts that have standing privileges are a significant security risk during the best times, because if they fall into the wrong hands, they provide full access to the entire environment. These types of accounts are even more risky at a time when remote workers are logging into corporate IT from home, where internet connections may not be as secure as corporate networks.

The solution is to adopt a policy of granting privileged access on an as-needed basis. Privileges can be assigned role-by-role, ensuring user accounts can only access exactly the resources needed to complete the job, and nothing more. You can further reduce attack vectors by shortening the window of time in which those accounts can access the network. As Gartner explains, ephemeral certificates support the principle of "just-in-time" access, because access credentials are automatically created on-demand and require no installation, configuration or updating.

On top of that, replacing typical IT credentials with automatically expiring certificates means that there are no passwords to lose, have stolen, or share. This eliminates bad habits like password sharing, while also ensuring that hackers can't get their hands on credentials that have access to critical IT resources.

Instead of Domain Isolation, Manage All New Tools Through IAM

Companies are onboarding new SaaS tools to make remote work easier for their employees. As they do so, they should take steps to ensure they are intelligently managing service accounts, as each new SaaS software offers its own user, role, and access management domains.

For example, consider a company that adds new video conferencing software. Normally, each employee would be required to register their own user account on that platform. The same holds true for IT tools, like a company that keeps its cloud servers and computation nodes on Amazon Web Services, Microsoft Azure, or Google Cloud. Each of those clouds has its own unique identity and access management (IAM) domain.

The end result of this model is that employees might have several user accounts across different services with separate authentication credentials. Now, when employees change roles or leave the company, how will the organization track down all these external SaaS services and deactivate those user accounts?

Instead, it's better for businesses to integrate new SaaS solutions within their existing, overarching IAM framework. Almost all modern software services and tools support IAM integration and single sign-on via standard protocols like Active Directory (AD), OpenID Connect and SAML. In this integrated model, all employee user accounts are defined within a single centralized solution, making it easier to manage user attributes, roles, and AD groups. And all access rules can be derived from this system-of-record.

When an employee leaves the organization, IT simply disables their user account from the IAM system, and all linked access is automatically terminated. When this model is combined with ephemeral just-in-time access, there are no credentials left to remove from the company's infrastructure.

Remote work may be a new reality for some DevOps teams, but it doesn't have to mean sacrificing security for productivity or vice versa. Businesses can empower their developers to work the way they want from the safety of their homes, while still keeping corporate IT secure, too.

Markku Rossi is CTO at SSH.COM
Share this

Industry News

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.

August 04, 2020

Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

August 04, 2020

Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.

August 04, 2020

OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.

August 03, 2020

MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.

August 03, 2020

Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).

August 03, 2020

Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.

July 30, 2020

New Relic delivered strategic updates to New Relic One.

July 30, 2020

IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.

July 30, 2020

Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.