Innovating Access Management in a Dynamic Way
Like most technologists, legacy tech has a special place in my heart. And while it’s fun to go back and play an 8-bit NES or drive a classic car, good luck trying to get a Switch cartridge or hook up to the AUX in each one, respectively.
That’s what it’s like trying to get Kubernetes to work with your legacy privileged access management tool. Newer technologies have fundamentally different access requirements than those supported by traditional privileged access management (PAM)-like scale: cloud, Kubernetes and support for complex access for hybrid, remote and on-premises workforces.
We need a modern approach. That’s where dynamic access management (DAM) comes in. It’s designed for today’s complex, cloud native environments. It’s about matching the speed and flexibility required by modern platforms such as Kubernetes and the admins that maintain those platforms.
What Is Dynamic Access Management?
Dynamic access management is the concept that access should only exist when it’s needed, for the duration required, and must be secure and auditable.
This approach is based on the concept of zero standing privileges and eliminates the risk posed by always-on credentials, and drives continuous verification and validation of identity, right to access and observability. Furthermore, once someone is authenticated, the tools and policies of DAM ensure that their authorizations stay up to date in real-time, driving change in behavior. DAM also provides the access observability that CISOs and technology leaders require to map against their business objectives.
What Does That Mean for Kubernetes?
Dynamic access management is characterized by four key attributes:
Just-in-Time Access Provisioning and Deprovisioning
How it helps: You can set up role-based access control (RBAC) policies and admission controllers to create temporary roles or service accounts when needed. This automates the provisioning and deprovisioning process, reducing security risks associated with lingering access permissions.
Eliminating Always On and Shared Accounts
How it helps: Credentials that live in perpetuity are eliminated, system passwords and tokens are completely hidden from the user and stored in vaults, and are used only at the time needed by the DAM system; and the organization no longer uses multipurpose, shared accounts.
Audit and Compliance Requirements Supported
How it helps: Audit logs track all cluster activities. Together with DAM and privilege escalation logs, these logs can create a comprehensive auditing and reporting landscape, easing the compliance process.
Access Management Extends to Full Tech Stack
How it helps: DAM allows you to manage and extend access policies across your entire tech stack, whether that’s databases, serverless functions or multicloud deployments. Helm charts and operators simplify the deployment and management of complex applications
How Is DAM Different from PAM and IAM?
Dynamic access management is the evolution of privileged access management (PAM). Where PAM is focused solely on the management of privileged accounts, identity access management (IAM) encompasses the broader view of managing identities and access. DAM extends PAM in the authorization and auditing parts of the identity life cycle, bringing those capabilities to all technical users, not just the privileged few. It also focuses on the overall user experience, making it possible to improve productivity for both users and administrators, even as it reduces the risk of security breaches.
DAM calls for a new approach to infrastructure access, offering agility to keep pace with modern, fast-changing environments. It represents the peak of the Secure Access Maturity Model.
How Do I Get to DAM? The Secure Access Maturity Model.
The Secure Access Maturity Model is a step-by-step progression for becoming more mature with your infrastructure access. Each stage contains critical pieces of access security that build on each other to ultimately enable dynamic access management, which gives users the ability to easily manage access to your entire stack in a safe, auditable and secure way.
The model consists of four key levels that guide your access management journey based on maturity (see image below).
Why DAM? It Addresses the Challenges of Modern Access
Access management has traditionally been a balancing act between security and productivity. Tightening security measures can lead to workarounds and shadow IT, increasing risk and compliance issues. When access control slows down workflows, employees may resort to less secure practices.
However, focusing solely on productivity can introduce risks, especially in high-trust environments. A mistake or misuse of access can have costly consequences, diverting teams from core tasks. Recognizing these challenges is the first step to mitigating them. Here are a few things to consider:
Managing multiple systems in large, dynamic environments makes it difficult to control access effectively.
Audit trails are crucial but hard to maintain, especially in regulated sectors, making compliance a challenge.
Your access solution needs to work seamlessly with other security tools like security information and event management tools (SIEMS) and log management.
Manual provisioning is error-prone and slows down scalability, burdening admins and delaying access for technical staff.
Solutions should support both on-premises and cloud, and bridge the gap between legacy and modern systems.
Remote access introduces the risk of attackers exploiting vulnerabilities to gain privileged access.
Dynamic access management arose to meet these challenges. With DAM:
- All users are considered privileged.
- Credentials are never shared or even seen by end users.
- Session tracking and review are available for all sessions.
- Access is provisioned and deprovisioned through just-in-time (JIT) and zero standing privileges (ZSP) principles.
- Processes exist to track, monitor and update roles on a consistent basis.
- Processes exist to track, monitor and update resources on a consistent basis.
- New users and systems are easy to manage.
- Deprovisioning access to resources is automated.
- Access is tied to corporate identity through an identity provider (IdP0 integration.
- Multifactor authentication (MFA) is adopted as standard practice.
OK, but How Does This Help Me as a Kubernetes Administrator?
Applying DAM principles to Kubernetes management addresses several key challenges for admins::
- Simplifies complexity: By treating all users as privileged, it streamlines RBAC configurations, making access control more manageable.
- Enhances visibility: Built-in session tracking and monitoring improve audit trails, aiding in compliance and incident response.
- Seamless integrations: DAM principles align well with existing Kubernetes security and logging solutions, and support for IdP and MFA integration adds another layer of security.
- Automates Workflows: Using just-in-time and zero standing privileges for resource access eliminates manual provisioning errors and minimizes security risks.
- Eases deployment and management: The automation of role and resource updates, as well as easy onboarding and offboarding of users, makes the administration of a Kubernetes environment more efficient.
In summary, applying DAM principles to Kubernetes enhances security, simplifies management and automates repetitive tasks, allowing administrators to focus on more strategic activities. With Kubernetes, you already have your new technology. Now you just need the modern tools that make it playable.