Using just-in-time credentials to minimize access-based DevOps security risks
While the rapid adoption of DevOps processes has helped companies assume an agile product position in the market, security has lagged. Specifically, DevOps's prioritization of tools and automation has led to an explosion of machine identities that traditional waterfall-based security mechanisms cannot keep pace with.
Verizon's 2021 Data Breach Investigations Report highlighted the extent of the problem by revealing that 61 percent of data breaches involved misused credential data. These breaches are rarely incidents of a malicious actor stealing a human entity's password. Instead, hackers leverage expired or unused machine identities, also known as workload identities, to penetrate networks. As a result, some 92 percent of respondents to a recent Enterprise Strategy Group (ESG) survey indicated that they see workload identities as "critical" or "very important" risks.
Modern organizations need agile security to protect agile pipelines, and just-in-time (JIT) security practices might just be the cure. Here’s why.
The rise of containerization
The modern development pipeline is a maze of microservices and cloud containers accessing data and manipulating it to produce output. This maze is incompatible with a waterfall-based security system that checks in at pre-ordained times in the development cycle.
For instance, some organizations task their security teams with validating code after a sprint, just before each production release. However, before security finishes its code review, the dev team has moved on to the next sprint and changed the code base significantly. The result is more work for the security team, delays in the CI/CD pipeline, and all-around frustration.
Agile organizations have embraced DevSecOps and embedded security within their sprint teams. However, container and tool sprawl remain major issues. How can an embedded security team execute its tasks if developers grant access within code to several systems, and change access every sprint?
"If you control access, you control compromise," said Dr. Chase Cunningham, a leading Zero Trust security expert, at a recent event hosted by secrets management platform Akeyless. "A very, very simple premise of Zero Trust is that everything will be compromised at some point. In reality, it’s everything is compromised until proven otherwise."
JIT credentials mesh well with Zero Trust security standards, because JIT credentials offer access based on need and duration. For instance, a microservice that needs to access a container for a few minutes every three hours does not need constant access. Conferring constant access leaves a network vulnerable to penetration if developers change configuration settings.
Due to the rapid pace of code changes, configuration errors occur regularly between sprint cycles. In such situations, old credentials lie unused because of changing needs.
For instance, an older version of your app, hosted in a cloud service provider (CSP) container, might stop needing data provided by a third-party microservice. However, the credential remains active. Given the pace with which developers work, access keys are often hardcoded to prevent performance lags or security hiccups. As a result, that ghost credential retains access to the entire network, giving malicious actors a perfect entry point.
Jess Burn, Senior Analyst at Forrester Research, explained the depth of the problem. "So many security and IT teams struggle to maintain much-needed visibility into an increasingly complex and distributed IT environment," she wrote, "because so much of an organization's estate is unknown or undiscovered due to shadow IT, M&A, and third party/partner activity."
JIT credentials solve this problem without increasing security workloads. These credentials expire at prescribed times and renew when a service needs access. The current hardcoded access method makes enforcing security impossible, because enterprises have too many systems in play. This sprawl of secrets needs an automated solution, based on Zero Trust principles.
Note that JIT by itself will not solve the issues caused by sprawl. Enforcing JIT access via siloed security solutions in different parts of a network simply turns secrets sprawl into secrets management sprawl. Instead, the best way of dealing with the issue is to use a centralized, API-based solution that detects, automates, and enforces JIT access throughout.
This way, no matter how widely spread a network is, preventing breaches becomes simple for security teams.
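The expire-and-renew behaviour described above, with a single central issuer, sketched as an added example (not code from the article or from any product it mentions). The JITBroker class, the workload and resource names, and the timings are assumptions, and the scenario is constructed.

```python
import base64, hashlib, hmac, json, secrets

class JITBroker:
    """Hypothetical central issuer of short-lived, scope-bound credentials."""

    def __init__(self, policy, max_ttl=600):
        self._key = secrets.token_bytes(32)  # signing key stays inside the broker
        self._policy = policy                # workload -> resources it may request
        self._max_ttl = max_ttl              # hard ceiling on credential lifetime (s)
        self.audit = []                      # issuance log for admins to review

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, workload, resource, ttl, now):
        allowed = resource in self._policy.get(workload, set())
        self.audit.append((now, workload, resource, "issued" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{workload} may not access {resource}")
        claims = {"sub": workload, "res": resource, "exp": now + min(ttl, self._max_ttl)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def verify(self, token, resource, now):
        body, _, sig = token.encode().partition(b".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return False                     # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims["res"] == resource and now < claims["exp"]

def demo():
    # Constructed scenario: a job that needs a few minutes of access every three hours.
    broker = JITBroker({"report-job": {"orders-db"}})
    tok = broker.issue("report-job", "orders-db", ttl=300, now=0)
    results = {
        "in_window": broker.verify(tok, "orders-db", now=120),
        "replayed_after_expiry": broker.verify(tok, "orders-db", now=3600),
        "wrong_resource": broker.verify(tok, "billing-db", now=120),
    }
    # Three hours later the job asks again and receives a fresh credential.
    tok2 = broker.issue("report-job", "orders-db", ttl=300, now=10800)
    results["renewed"] = broker.verify(tok2, "orders-db", now=10860)
    return results

if __name__ == "__main__":
    print(demo())
```

A credential copied out of a config file or log is useless once its window closes, whereas a hardcoded key would still be accepted; the audit list is the kind of usage record admins can review instead of managing credentials by hand.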
Governance is often the difference between a robust security program and a less-than-effective one. For instance, an enterprise with state-of-the-art tools will struggle to contain breaches if security teams and developers cannot agree to implement basic standards in code.
JIT credentials offer a potential solution, because they allow security admins to limit access more effectively and pay more attention to the more urgent problem areas of their network. For instance, instead of spending time creating, authorizing, and verifying credentials, admins can focus on usage statistics and monitor logs for unnatural activity.
The right tools need proper governance, which involves communicating standards throughout the application chain, bringing all stakeholders on the same page. James Turnbull, VP of Engineering at Timber, believes governance also involves effective communication throughout the DevSecOps pipeline.
"We have a policy or we have a process, or we have information we need from you that bubbles up and allows us to do our jobs," he said on a recent episode of The Secure Developer podcast. "If we give you that information upfront before you build the things or before you deploy them, then hopefully that reduces the friction or reduces the last-minute conversations."
JIT access enforces access limits and frees up admin time, which results in better governance throughout the pipeline. As communication and coding standards improve, companies can become even more agile in both security and development.
JIT is the way forward
As automation and secrets continue to sprawl, companies need novel ways of building agility in their DevOps pipelines. DevSecOps is a good starting point, but it needs backing from philosophies like Zero Trust.
JIT access is firmly in line with organizational needs, combining automated access control with Zero Trust principles. It might be the ideal solution for organizations struggling with agile security implementation.
Peter Davidson works as a senior business associate helping brands and startups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.