How Can IT Admins Maintain a Grip on Secure Access?

Source:-devops.com

Today’s IT environment is evolving at a rapid pace, requiring production environments to be highly scalable and elastic and requiring faster software release cycles and cloud adoption.

As a result, there’s a broad move toward Docker containers to make software deployment faster, easier and more consistent across computing environments. Bundling an application and its supporting code, libraries, settings and assets into a single container enables the speed and flexibility that today’s business environment demands.

At the same time, many large enterprises are also experimenting with creating internal startups, or labs, that are given latitude to innovate, housed under the company umbrella and resources. Similarly, some companies are hosting startup-like “innovation incubators,” where developers are empowered to think and work like startups, within the relative safety of the corporate environment. They can quickly test new ideas, using the “fail fast, succeed fast” startup mentality, without incurring the usual risks of an independent startup.

It’s a new agile way of working that companies, in the race to innovate, are widely embracing. In fact, more than half of Fortune 500 companies have some version of these startup-like efforts housed within at least one business unit.

Replicating the unstructured movement of a small–say, six-person–startup is difficult to do within an enterprise environment. Nevertheless, the rapid pace, combined with the flexibility to innovate, is what the vast majority of developers desire today. But, it does mean that enterprises’ IT environments have to be ready to adapt.

IT Administrators Under Pressure
Developers on these innovation teams are often given the freedom to select the tools they’d like to work with. That can–and often does–include Docker containers, which adds to the complexity of the IT environment.

The environment that fuels developer innovation also creates additional concerns for the IT administrators supporting them. Developers can work so rapidly–creating hundreds of new servers each day–but often only do the bare minimum in terms of security. How can IT admins maintain secure access in the face of these changes? How can they keep track of who has access to what application and what data, when those applications and data are constantly changing? That’s a massive issue when it comes to compliance.

As containers make enterprise IT environments even more complex, IT admins are under pressure to carefully manage access without slowing down development. The more complex the environment becomes, the more important it will be to have a holistic view of all of their underlying infrastructure, including the hybrid or multi-cloud environments that support platforms such as Docker and Kubernetes.

Meanwhile, the enterprise executive team, often the CISO, overseeing both the development and IT departments is hard at work trying to satisfy the requirements of both groups. Of course, it’s in the business’s best interest to innovate and explore. But, all that innovation means nothing if the business is no longer secure and open to compliance concerns.

Below are three steps executives should follow in order to keep their developers and IT admins happy.

Consider the Developer Experience for Secure Access
Off-the-shelf single sign-on solutions (SSO) may be good enough for business employees who need to access Outlook or Salesforce, but they aren’t robust enough for privileged IT users, like developers, who need to access secure environments.

Privileged access management (PAM) software sprung up to serve IT users, but even this isn’t a perfect solution, because traditional PAM tools are often too clunky to use, nonintuitive, or hard to configure. A bad user experience simply encourages developers to bypass PAM however they can, which is a compliance risk.

Businesses need a way to deploy secure access very quickly, so they can holistically manage access to critical IT resources without slowing down development. That means choosing secure access solutions that are built with the developer’s needs in mind.

Lean PAM solutions prioritize automated, instant access to secure IT environments with the click of a button, combining the convenience of modern SSO solutions with the security and fit of a PAM solution. If sysadmins have a great PAM user experience, they’re more likely to play by the rules.

Opt for Role-Based, Time-Bound Access
To maintain the highest levels of security, access must be controlled on a role-by-role basis. Your rock-star in-house developers should be able to quickly spin up access to core IT infrastructure whenever they need it, while a third-party development contractor should only have limited access to those same resources for the time in which they are working in your environment–and no longer than that.

This is where we begin to see time-limited, credential-less secure access, enabled by ephemeral certificates, start to play a role in privileged access management. Ephemeral certificates are short-lived access tokens that are automatically generated and automatically expire–so access is granted only for as long as it is needed to authenticate and authorize privileged connections.

In other words, privileged access is able to move toward a just-in-time model, eliminating the need for passwords and clumsy credential management. IT users no longer need to authenticate using credentials at all–instead, based on predefined roles and security policies, they are granted access to resources only as and when required.

Ultimately, ephemeral certificates help streamline access processes, ensuring that IT admins don’t have to worry about revoking access when access roles or needs change.

Make It Easy on the IT Admin, Too
Speaking of IT admins, it’s important to consider their experience, too.

Admins want to give staff the best tools for the job without compromising corporate security. The friction between admins and developers begins when the developers feel that the tools admins force them to use are slowing down their work. In reaction, admins become frustrated when more unmanaged, unmonitored tools enter the corporate network, requiring more of their time to implement, configure or remediate if something has gone wrong.

The right technology solutions make life easier for IT admins, too. That means secure access solutions that can be installed and deployed within a single day–not weeks–and that introduce automated routines and maintenance to eliminate manual work in the access management process. Accountability, in the form of session monitoring and logging, is also important.

Ultimately, it’s about giving IT admins some distance. They can retain the oversight they need to feel comfortable about organizational security, without needing to be on top of every single secure access decision in the organization. At the same time, developers retain the autonomy they need to work quickly without feeling like they’ve got someone looking over their shoulder.

By enabling rapid development, while keeping a watchful eye on enterprise security, enterprises can satisfy both their developers and IT admins, and ultimately, the business’s bottom line.