Why Access Management Is Step One for Zero Trust Security
The “Zero Trust” approach to security is getting lots of attention these days, but most organizations aren’t ready to adopt that set of practices yet, according to a new report. Instead, many will focus on access management over the coming months.
Nearly 80% of organizations that participated in a new survey by strongDM, an infrastructure access platform provider, reported that they plan to focus on access management over the next 12 months, compared to 30% that say Zero Trust will be a strategic focus for them over the same period.
Slow and unwieldy protocols for granting access to infrastructure have resulted in too many teams cutting corners in the name of productivity and efficiency, sharing passwords and SSH keys among too many people, the survey’s results indicate.
This issue, including the difficulties in keeping track of who has access to what, is making organizations less secure.
The problem is likely to get worse, with one in three respondents to strongDM’s survey of 600 DevOps professionals calling Kubernetes the most challenging technology they work with — and the era of Kubernetes adoption just beginning.
The findings point to a constant dilemma, according to Tim Prendergast, CEO of strongDM: Kubernetes offers workload mobility — a container can move easily between data centers — but many enterprises still rely on traditional network security tools like VPNs, which allow anyone with the right credentials access.
“It’s the traditional tug of war between security and productivity,” he said. “The traditional access solutions don’t work for Kubernetes.”
How Did Access Management Get Messy?
For pre-cloud companies, including most enterprises, access management is especially complex, Prendergast said. While startups are likely to be all-in on Kubernetes and cloud servers, enterprises are likely a hodgepodge of cloud and legacy systems, with an accompanying mix of identity- and role-based access protocols.
“It’s gotten more and more complicated and not easier over time, even as the technology’s gotten better, because they’ve never cut bait on legacy and moved on entirely to the new thing.”
This, he said, not only has an impact on the security of an enterprise’s systems, but also on its ability to attract IT talent in a world full of cloud native startups.
“If you would walk into virtually any large enterprise or giant company, you probably would turn around and walk right back out the door, as soon as people started talking to you about how they get access to stuff.”
Access management would seem to be a pretty straightforward idea: having a system for giving people access only to what they need to do their jobs.
The problem is, so many organizations have put up so many hoops for their users to jump through that all too many of those users instead resort to shortcuts and workarounds to simply get their jobs done.
More than half — 53% — of respondents to the strongDM survey said it can take anywhere from hours to weeks for them to be granted access to infrastructure. One in four survey participants said it requires at least four people to approve and grant access.
As companies scale, the problem gets worse: 43% of survey respondents who work at enterprises (1,000 employees or more) said it takes at least four people to approve and grant access to infrastructure.
Making engineers and developers run what Prendergast called “a steeplechase” provides an incentive for creating workarounds. He summarizes the thinking: “There’s a shortcut to do this. So I might want to do that, because I have to get this job done. It has to be done today at 5 p.m., so skip the line and just get it done.
“And they’re not necessarily malicious actors. But there are people who are frustrated, and we’ve seen that become an increasing trend.”
These findings from the strongDM survey show how access is managed now, including the widespread use of workarounds:
Does Kubernetes Make Access Management Harder?
Kubernetes, which orchestrates containerized microservices, by itself introduces greater complexity to an enterprise’s systems. It’s not the most challenging technology participants in strongDM’s survey work with — twice as many respondents cited cloud providers and accounts.
But since the COVID-19 pandemic upended the way all organizations work, more enterprises have accelerated their digital transformations. As more enterprises start building new systems that run on Kubernetes, more will become acquainted with its challenges, including those regarding access management.
“Companies are going to go all in,” Prendergast said. “In order to do that, it really does require them to bridge the worlds and modernize access to be programmatically defined, to be personalized to each individual, because no two individuals necessarily will access the same infrastructure.”
The ephemeral nature of containers, and how Kubernetes orchestrates them, also makes access management — and observability — crucial, the CEO said.
“Those containers are coming up and down in minutes,” he said. “If someone logs in and does something malicious, and that container disappears, you may never know. But with a proper access solution, you will know who accessed what, when, and what they did.”
The distributed systems that run in the cloud and on Kubernetes have also rendered certain previous security tools, such as privileged access management (PAM), inadequate, Prendergast said.
PAMs are dependent on database administrators, with access limited to few people in an organization. “But the reality is, infrastructure got democratized pretty heavily,” he said.
As a result, more people need access to more things on a regular basis: “You have data scientists, you have engineers doing quality verification, and checking out new features or populating data correctly. You have DevOps teams doing backups and maintenance. And now they all need access all the time to it.”
By contrast to PAMs, Prendergast said, “A programmatic access solution says, ‘OK, we elevate your access, now you can see the database, you can log in, you can do your maintenance, and that entire maintenance session is recorded. And then, when you log out, the access goes away.’”
How Can You Improve Access Management?
Access management is not often an area that gets sufficient attention or funding within an organization, Prendergast noted. But it’s crucial to not only an organization’s overall security but its ability to retain IT talent.
If it takes 45 minutes to gain access to a database to run a 10-second query, that sort of daily obstacle feeds worker frustration, he said. And if such inefficient access management makes it difficult to do your job, you may not want to do it anymore.
“Sometimes access is like, ‘Don’t worry, we’ll fix that later,’” he said. “And everybody’s got that house project that you say, ‘I’ll just do that this weekend instead of last weekend,’ and it’s always, kick the can down the road. There’s always something else on fire.”
If a Zero Trust approach remains your organization’s ultimate goal, the first step toward that is sorting out access management. And that, Prendergast said, starts with taking an “honest inventory.” And that, he acknowledges, isn’t easy for many companies, as their workloads run in so many different environments.
The questions they should ask themselves: “How does your technology define what your infrastructure looks like? And then, what’s the lowest common denominator to support that?”
Prendergast’s company, strongDM, was started by founders who worked at a company with permissive access management in a complex, distributed environment — until it experienced a major security incident.
As a result, Prendergast said, strongDM strives to put itself in the shoes of the user. It tackles the access-management challenge with a platform that automates the provisioning of users and their access to infrastructure, giving them just-in-time access.
For instance, a new hire at a company that uses strongDM’s solution, he said, “would show up Day One Minute One with access to all the things you need. You wouldn’t need to go through an eight-hour onboarding process of trying to get access to all the systems.”
This automated system is programmatic and supports legacy data center technology as well as cutting-edge cloud native data centers, Kubernetes, command-line tools, and more. “We remove the need for any of those users at the company to actually have any of the credentials to log into stuff.”
Regulatory pressure, especially for those organizations that handle personal or health data, is ever-increasing. In May, President Joe Biden signed an executive order requiring that the federal government and cloud service providers adopt Zero Trust security policies and adhere to Zero Trust principles and frameworks, and guidelines have since emerged.
The National Institute of Standards and Technology (NIST) released a document setting standards for Zero Trust, including identity and access management.
As you move toward the ultimate goal of a Zero Trust approach, start by thinking through what you want your access management policies to achieve, suggested John Watts, senior director and analyst at Gartner, on his company’s ThinkCast podcast in October.
“My advice would be don’t start with a project,” Watts said. “You want to start with a strategy. First thing to do is talk about what you want to do with Zero Trust. Come up with a strategy; that strategy would lay a foundation. And that foundation of Zero Trust is going to be built on identities.”
Once a strategy of access management and accompanying technology and infrastructure is in place, a Zero Trust Network Access project aimed at replacing “the wide-open, vulnerable” VPNs is “fairly low-hanging fruit for most organizations” and would make a good first project.
But in order to get to Zero Trust, access management must be the first priority, Prendergast emphasized: “All the sophistication in the world won’t fix foundational issues that you have. You can build a really awesome mansion. But if you build it on sand, it’s going to collapse.
“We all have to go back and fix that pain. And we’ve lived with it for a long time.”