How to Keep Privileged IT Access Secure in the Era of Remote Work
May 04, 2020

Markku Rossi
SSH.COM

Amid the current public health crisis, a vast majority of IT system administrators, DevOps teams and software engineers are forced to work remotely. Some companies have had to bring in new collaboration and network tools, like Zoom and Slack, to make communication easier for their teams. Others have had to take a harder look at their corporate VPNs to ensure remote teams have access to the data and resources they need to get work done.

It's a new way of working for many businesses, introducing sudden and widespread change to conventional workflows, processes, team collaboration and more. It's also creating security risks, opening new attack vectors while significantly expanding current ones. For instance, it's becoming harder for employees to distinguish valid information from spam and targeted cyber-attacks, especially as cybercriminals capitalize on COVID-19 as their lure.

These challenges reinforce the need for common-sense IT security best practices: automatic security updates, regular data backup, and multifactor authentication (MFA).

But it doesn't stop there. To effectively do their jobs from home, DevOps teams still need ongoing remote access to business-critical corporate databases and IT infrastructure. The typical developer workflow still emphasizes speed, agility and elasticity, but with developers now working outside of the office and away from secure corporate networks, there's an even bigger need to ensure that DevOps teams are following security policy and avoiding bad habits that create risk.

Now, more than ever, privileged IT access must be fast and convenient without adding operational obstacles or risking security. Here's how organizations can effectively support and secure remote access for their DevOps staff during this unique time.

Simplify Secure Access to Improve Policy Adherence

Security bypassing is a typical IT risk. It happens because many corporate security policies are too complex or cumbersome to follow, which encourages developers to seek workarounds.

For example, the process of manually inputting security credentials breaks up the typical developer workflow. In some organizations, a privileged access management (PAM) solution is used to create a central vault that stores all the company's credentials, each of which grants access to an IT resource on a per-host and per-user basis.

That means developers need to log into the vault to access and authenticate their credentials every time they need to work with a new IT resource. It's a lot of steps, and the temptation is high to bypass PAM altogether and spin up rogue SSH keys instead. Those keys exist outside of the PAM solution, meaning they are untracked and unmanaged.

This can be avoided with single sign-on access through ephemeral certificates, a modern form of secure access that is temporary, time-based and expires automatically. Ephemeral certificates are inherently simple to use because they require neither manual credential input nor a password vault. In this scenario, simplicity leads to better security, because developers will not be tempted to bypass corporate policy.

Eliminate Credentials and Provide Access on an As-Needed Basis

To limit the number of attack vectors and entry points into their IT network, businesses need to win the battle against excessive access. That means ensuring that no user account has unlimited, unfettered, "always on" access to their complete IT infrastructure – also known as standing privileges.

User accounts that have standing privileges are a significant security risk during the best times, because if they fall into the wrong hands, they provide full access to the entire environment. These types of accounts are even more risky at a time when remote workers are logging into corporate IT from home, where internet connections may not be as secure as corporate networks.

The solution is to adopt a policy of granting privileged access on an as-needed basis. Privileges can be assigned role-by-role, ensuring user accounts can only access exactly the resources needed to complete the job, and nothing more. You can further reduce attack vectors by shortening the window of time in which those accounts can access the network. As Gartner explains, ephemeral certificates support the principle of "just-in-time" access, because access credentials are automatically created on-demand and require no installation, configuration or updating.

On top of that, replacing typical IT credentials with automatically expiring certificates means that there are no passwords to lose, have stolen, or share. This eliminates bad habits like password sharing, while also ensuring that hackers can't get their hands on credentials that have access to critical IT resources.
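The mechanism behind the ephemeral certificates described in the previous section and in the "just-in-time" access discussion above, as an added example that is not code from the article or from SSH.COM: it encodes a constructed, unsigned OpenSSH user certificate carrying a validity window and a principal list, then evaluates it the way sshd does, so access is refused once `valid_before` passes and there is no credential left to revoke. The key id, principals and timestamps are invented, and the signature is left empty because only the policy fields are exercised here.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH certificate type field: 1 = user, 2 = host

def _s(b: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_cert(principals, valid_after, valid_before, key_id="demo") -> bytes:
    # Constructed, UNSIGNED certificate in OpenSSH layout, for the parser below only;
    # a real one is signed by the CA (e.g. `ssh-keygen -s ca_key -V +10m user.pub`)
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # nonce, pubkey
            + struct.pack(">QI", 1, USER_CERT) + _s(key_id.encode())  # serial, type, key id
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")  # critical options, extensions, reserved
            + _s(b"ca-key-placeholder") + _s(b""))  # signature key, (empty) signature

def parse_cert(blob: bytes) -> dict:
    # Walk the fields sshd consults when deciding whether the certificate may be used
    pos = 0
    def rd_s():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    ctype, _nonce, _pubkey = rd_s(), rd_s(), rd_s()
    serial, kind = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id = rd_s().decode()
    raw, principals, i = rd_s(), [], 0
    while i < len(raw):  # valid principals: concatenated SSH strings
        (n,) = struct.unpack_from(">I", raw, i)
        principals.append(raw[i + 4:i + 4 + n].decode())
        i += 4 + n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return {"type": ctype.decode(), "serial": serial, "is_user": kind == USER_CERT, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def access_decision(blob: bytes, login_user: str, now: int) -> str:
    # Mirrors sshd's checks: certificate type, half-open validity window, then principal
    c = parse_cert(blob)
    if not c["is_user"]:
        return "deny: not a user certificate"
    if not c["valid_after"] <= now < c["valid_before"]:
        return "deny: outside validity window"
    if login_user not in c["principals"]:
        return "deny: principal not authorised"
    return "allow"
```

Because the expiry is carried inside the certificate, the server needs no revocation list or vault lookup: the same blob that granted access at one moment is simply ignored after `valid_before`.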

Instead of Domain Isolation, Manage All New Tools Through IAM

Companies are onboarding new SaaS tools to make remote work easier for their employees. As they do so, they should take steps to ensure they are intelligently managing service accounts, as each new SaaS software offers its own user, role, and access management domains.

For example, consider a company that adds new video conferencing software. Normally, each employee would be required to register their own user account on that platform. The same holds true for IT tools, like a company that keeps its cloud servers and computation nodes on Amazon Web Services, Microsoft Azure, or Google Cloud. Each of those clouds has its own unique identity and access management (IAM) domain.

The end result of this model is that employees might have several user accounts across different services with separate authentication credentials. Now, when employees change roles or leave the company, how will the organization track down all these external SaaS services and deactivate those user accounts?

Instead, it's better for businesses to integrate new SaaS solutions within their existing, overarching IAM framework. Almost all modern software services and tools support IAM integration and single sign-on via standard protocols like Active Directory (AD), OpenID Connect and SAML. In this integrated model, all employee user accounts are defined within a single centralized solution, making it easier to manage user attributes, roles, and AD groups. And all access rules can be derived from this system-of-record.

When an employee leaves the organization, IT simply disables their user account from the IAM system, and all linked access is automatically terminated. When this model is combined with ephemeral just-in-time access, there are no credentials left to remove from the company's infrastructure.

Remote work may be a new reality for some DevOps teams, but it doesn't have to mean sacrificing security for productivity or vice versa. Businesses can empower their developers to work the way they want from the safety of their homes, while still keeping corporate IT secure, too.

Markku Rossi is CTO at SSH.COM