Compliance / Security / Sponsored / Contributed

Zero-Trust Security for Developer Workstations

12 Apr 2022 7:46am, by Jan Van Bruggen
Jan leads developer relations for itopia Spaces, which he architected and co-developed with itopia's distributed engineering team. As a software enthusiast, he enjoys optimizing his setup and teaching what he learns. He's developed DevOps tools for a variety of organizations, including Google, NASA, startups and open source projects, but he's most proud of the code he's deleted by finding a simpler solution.

The norm for remote enterprise software development teams is to ship a laptop to each developer, who will then:

  • Download most of their project’s source code to their laptop’s hard drive.
  • Install unreviewed third-party software.
  • Browse the public internet.
  • Bring the laptop in taxis, to cafes and through airports.

Off-site hardware is inherently risky, as it can be compromised both physically and digitally. So does the company really need to buy, configure, ship and administer laptops?

This system significantly increases the risk of a code exfiltration event with every “trusted” laptop shipped, but an enterprise can mitigate that risk by upgrading to a zero-trust system.

Zero-trust security is a recent trend that involves verifying access at every step of a process — a data analytics pipeline executing, a compromised network device communicating or a developer browsing a project’s source code. It’s fundamentally incompatible with a system of decentralized hard drives that contain downloaded copies of everything that an employee had permission to access in the past. Let’s examine the risks and overhead of such a system, along with some zero-trust solutions that are easy to adopt.

Risks

Trusted laptops can be physically compromised. When a laptop is lost or stolen, all intellectual property stored on its hard drives is at risk of misuse. To mitigate this risk, administrators can set up hard drive encryption and remote wipe functionality, but these measures are not infallible.

Trusted laptops can also be digitally compromised. By simply visiting a tainted website, installing malicious software, allowing project environments to overlap or uploading the wrong file to a server, any developer can mistakenly expose intellectual property to third parties. To mitigate this risk, administrators can set up network monitoring, app vetting and firewalls, but to some extent developers will always be individually responsible for protecting the contents of trusted laptops from digital leaks.

Overhead

The physical cost of administering laptops includes shipping costs and liabilities; replacements, repairs and upgrades; and recovering (most of) the devices when employees leave. Meanwhile, logistical overhead includes ordering, tracking, guiding new employees through device setup steps during onboarding and revoking their permissions during offboarding.

A hidden cost in this process is unproductive time — time that developers spend waiting for hardware to arrive, managing updates and debugging their devices’ quirks. These delays are expensive and demoralizing.

Solutions

There are various solutions to these systemic problems, and they all employ cloud computing for a zero-trust approach to source code access.

Despite their legacy baggage, virtual desktop infrastructure (VDI) and desktop as a service (DaaS) solutions address the above security risks. Such a migration protects against physical code exfiltration via lost or stolen laptops, since physical security of hard drives is delegated to your cloud provider’s data center. Additionally, most clouds implement encryption at rest, which secures persisted data against rare breaches. Citrix and VMware are classic VDI/DaaS providers, while some cloud providers are introducing semi-managed first-party solutions like AWS WorkSpaces.

Once workstations are in the cloud, it’s relatively easy to reduce digital risks via image management and network controls. Administrators can preinstall developer tools into their images, which reduces the need for developers to securely assess or install third-party applications. Meanwhile, the cloud infrastructure services that are hosting the VDI sessions will be subject to any network policy customizations, so administrators can filter out unwanted or unexpected outbound traffic.
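As an added example (not from the article or from any vendor it names), the following Kubernetes NetworkPolicy shows what "filtering out unwanted or unexpected outbound traffic" looks like when cloud workstations run as pods, as in the Kubernetes-based options discussed later. The namespace, pod labels and the location of the source-control service are placeholders.

```yaml
# Added example, not from the article or any vendor it names. Namespace,
# labels and service placement are placeholders. A CNI plugin that enforces
# NetworkPolicy (e.g. Calico, Cilium) is required; otherwise the object is
# accepted by the API server but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-workstation-isolation
  namespace: dev-workstations        # placeholder
spec:
  podSelector:
    matchLabels:
      app: dev-workstation           # placeholder label on workstation pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the IDE/VDI gateway may reach a workstation; developers' pods cannot talk to each other.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: workstation-gateway   # placeholder
          podSelector:
            matchLabels:
              app: ide-gateway                                   # placeholder
  egress:
    # Cluster DNS only (CoreDNS in kube-system carries the k8s-app=kube-dns label in most distributions).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The internal source-control service over TLS: source code moves only between the workstation and this endpoint.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: source-control        # placeholder
      ports:
        - protocol: TCP
          port: 443
    # No further egress rule exists, so arbitrary outbound internet traffic from a workstation is denied.
```

To confirm the policy is actually enforced rather than merely stored, open a shell in a workstation pod after applying it and attempt a connection to a public host; it should time out, while `git` operations against the internal source-control service continue to work.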

Migrating to the cloud reduces security risk, but it’s not always true that it also reduces administrative overhead. The gap between raw VDI and developer productivity is significant, including preinstalling dev tools, configuring integrated development environments (IDEs) and ensuring that manual security updates of the OS or dependencies don’t break everything.

COVID-19 recently pushed many companies to rapidly implement VDI for their remote developers, and developer experience often suffered because administrators struggled to overcome these burdens.

An orchestration layer can reduce a lot of that overhead by automating administrative tasks like onboarding or offboarding developers, simplifying the process of updating images and generally tailoring the environments for IDE productivity. If you want to self-host and administer IDEs in the cloud, Coder is a higher-level proprietary Kubernetes control plane, and Selkies is a lower-level open source Kubernetes operator.

Alternatively, a fully-managed service like itopia Spaces simplifies administration further by also absorbing the labor of infrastructure management, so that your team doesn’t need to become Kubernetes experts. Notable features include copy/paste protection, an IDE catalog and hourly pricing that can serverlessly autoscale to zero.

As for the hidden cost of unproductive time, all of these solutions can eliminate that. New developers will be relieved to skip the laptop waiting/configuring period and instead jump straight into a configured dev environment on Day 1. On Day 100, developers will feel safe in deleting any environments that are acting strangely because when critical configuration is defined declaratively in an environment’s base image, all critical tools will be automatically preconfigured in a fresh environment.

Regardless of which solution you choose, it will enable a bring-your-own-device policy that eliminates the costs of shipping and administering laptops. Developer muscle memory doesn’t need to change significantly, but hard drives containing source code need to move behind authentication and authorization gates to achieve zero-trust security.

With effective endpoint isolation, project source code might never touch a laptop hard drive again. However, it’s still a good idea to double-check that you have all of your stuff before leaving a taxi!

Feature image by @WOCInTech at Nappy.