Security access trade-offs for DevSecOps teams


Thanks to the latest developments in access technology, everyone can apply identity-based authentication and authorization and zero-trust principles to their computing resources.

Engineering teams that build software are always under pressure to deliver new features, fix bugs, and improve performance. In order to move quickly, engineers need to access computing resources: servers, Kubernetes clusters, databases, logs, etc.

Granting access to these resources creates a large attack surface. Consider all attack vectors that exist in the database: the attacker can access the database machine via SSH, or via the Kubernetes API, or via a compromised web user interface, or even via the database’s own socket.

What is access?
Granting access to a modern computing environment is a multi-step process:

  1. Connectivity. First, an encrypted network connection must be established.
  2. verification. Only authenticated clients can connect.
  3. AuthorizationEven authenticated clients must restrict what they can do based on certain standards.
  4. audit. It is important to understand what happened and who is responsible.

Security overhead
What types of computing resources usually need to be accessed? Usual suspects may include SSH boxes, databases, internal dashboards, Kubernetes APIs, various middleware, etc. Each of these layers uses its own configuration syntax, listens on sockets, speaks its own protocol, and has its own concepts such as authentication or role-based access control (RBAC).

Configuring access permissions for each socket of each instance of each environment for optimal security is a daunting task. It requires a lot of expertise, because each resource type has its own unique security considerations. In addition to the ever-growing set of these endpoints, there are more and more engineers who need access.

It is very difficult to implement best practices for connection, authentication, authorization, and auditing for each socket of each resource type. Often compromises must be made.

Common trade-offs
To reduce security overhead, most organizations rely on a combination of these trade-offs:

Shared secretThe security team carefully configured each resource type for remote access, but limited to a few predefined users, such as “admin” and “app”. These credentials are usually shared.

restriction of visit. The engineer can never access certain resources. This will slow down the development speed.

Rely on surroundings. The fact that the private network itself can authenticate the client through a solution such as VPN. Personal resources are not protected.

There are many problems with these methods. Let us highlight a few:

Shared secret Can be stolen, because laptops can be stolen. They do not create useful audit logs that link operations to individuals.

Rely on perimeter security Cause a single point of failure. When an attacker accesses a private network, nothing can stop them from accessing all content.

restriction of visit It severely limits engineering productivity and creativity, and encourages engineering teams to build backdoors for themselves.

Emerging solutions
The buzzwords to note are: Identity, Zero trust, with Access plane.

Identity-based access means staying away from shared accounts. Each user must log in with their own account. It is impractical to configure each resource with the identity of all employees.In contrast, identity-based protocols like SAML rely on some kind of temporary Token, Used for authentication. However, existing standards are not compatible with resources that do not use HTTP, such as SSH servers or databases.

Zero trust
Zero-trust-based access means staying away from perimeter security. The principle of zero trust means that every resource operates as if it were on the public Internet, using encryption, performing authorization, and maintaining its own audit log.

Access plane
The access plane is built on identity and zero trust, and allows organizations to relax access restrictions. The access plane integrates access and:

Create a single point of access for all engineers and resource types in all environments.

Implement identity-based access to all resources and personnel. It uses certificate-based authentication and authorization, thereby acting as the organization’s certification authority.

Automatically create certificate-based connections for all resource types, even if they do not support it natively. This eliminates the overhead of having to configure each resource type separately.

Maintain a centralized audit log and create real-time and historical views of all events.

Implement authorization for each supported protocol.

advanced technology
Other improvements to security can be made.One suggestion is to implement Principle of Least Privilege, Which basically means eliminating permanent “root” type accounts and replacing them with on-demand access.

What if an engineer could create a “git pull request” to request temporary access to critical production infrastructure? The engineer’s colleagues will then review and approve such requests, granting temporary visits with reliable security and compliance guarantees.

Some security-conscious organizations have implemented a more advanced version of the access request called the “Four Eyes Strategy”, that is, access is granted only when the live session is streamed and viewed by others, ensuring that there are no less than two groups of human eyes Watching what Alice is doing.

in conclusion
Achieving connectivity, authentication, authorization, and audit logging for every socket in every cloud environment used to be an impossible task. The best technology companies in Silicon Valley hire the best people to build and maintain internal solutions dedicated to this task.

However, due to the latest developments in access technology, everyone can now use the concept of access plane to apply identity-based authentication and authorization and zero trust principles to their computing resources.

More advanced organizations can use techniques such as access requests or “four eyes” strategies to implement concepts such as the principle of least privilege and temporary elevation of privilege.

The end result is simple remote access, which makes engineers more efficient, does not compromise security, enforces compliance, and allows viewing of everyone’s behavior. Win-win.

As a trained engineer, Ev Kontsevoy launched Teleport in 2015 to provide solutions for other engineers, enabling them to quickly access and operate any computing resource anywhere on the planet without worrying about security and compliance issues .Serial Entrepreneur Ev… View full resume

Recommended reading:

More insights

Related Articles

Back to top button