In today’s perimeterless enterprise, security defense strategies based on firewalls and virtual fencing protections are no longer effective. As more organizations move to the cloud, digital identity and privilege management are now the first line of defense in protecting business applications, data stores and especially team-oriented resources such as the continuous integration / continuous development (CI/CD) pipeline. Not surprisingly, privileged identities and privileged access permissions have become prime targets for cybercriminals. In fact, Forrester Research estimates that 80% of cyber security breaches now involve privileged access abuse. A survey from Centrify backs this estimate, finding that 74% of respondents from organizations that have been breached acknowledge it involved access to a privileged account.
At Britive, we approach the challenges presented by perimeterless security through dynamic, Just-In-Time (JIT) permissioning, least privilege enforcement and Zero Standing Privileges (ZSP). These methodologies are proving highly effective at securing distributed teams and workflows by minimizing attack surfaces, centralizing management of human and machine IDs, and providing insight into high-risk privileges across multi-cloud environments. Indeed, we believe that the ZSP, zero trust approach and managing secrets on a JIT basis will become the standards for securing the CI/CD pipeline and cloud-based teams in the years ahead.
Single Sign On, Just-in-Time Permissioning and Zero Standing Privileges
We also believe that certain security technologies that have proven effective over time can integrate with the JIT/ZSP approach, complementing these capabilities and contributing to a comprehensive and highly robust perimeterless security strategy. Foremost among these is Single Sign On (SSO). Organizations such as Okta and Ping Identity Corporation are well known for their SSO solutions.
For many in the cybersecurity community, Single Sign On (SSO) is considered a commodity “table stakes” capability offered by dozens of players in the digital identity space. Even so, SSO’s unique user authentication and session management features that enable an individual to use one set of login credentials to access multiple services or applications make for a powerful combination.
In fact, Britive enables organizations to extend access governance, role-based access controls (RBAC) and Just in Time (JIT) permissioning to multi-cloud environments by integrating with existing enterprise Identity and Access Management (IAM) systems. This kind of integration can have a profound impact on the user experience for DevSecOps team members. For example, global automotive giant Toyota shortened the onboarding process for RBAC privileges from three days to around 30 minutes using Britive’s dynamic permissioning platform. It converted more than 100,000 AWS privileges and API keys from standing status to a JIT/ZSP model (AWS Console and CLI access).
How Automated Joiner / Mover / Leaver Processes Boost Security
Integrating Single Sign On (SSO) with an automated joiner / mover / leaver Human Resources (HR) process also makes it possible to better enforce security and manage the identity lifecycle. Consider, for example, if several people have access to a shared secret. If one of those individuals leaves the organization, that permission / privilege then becomes a potential vulnerability. Automated shared secret rotation that’s invoked by policy directly addresses this issue.
Finally, the ability to sign in once and have access to any number of applications to which a user has privileges can be especially useful in DevOps scenarios, where a typical developer is likely to need to access any number of build tools, code repositories, container platforms and cloud consoles—often all at the same time. Pairing Single Sign On (SSO) with Multi-Factor Authentication (MFA) adds another important security layer to the process, for instance by tying the user’s identity to their cellphone or other device. Importantly, the JIT approach and SSO’s single logout capability can be invoked to ensure that all access privileges are revoked at the end of a session, which is a highly effective way to minimize a DevOps team’s attack surface.
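To make the joiner / mover / leaver and session-end ideas from the two sections above concrete, here is a small in-memory model of a JIT/ZSP privilege broker. It is example code written for this page, not Britive’s platform or API; the identity names, the resource name and the random shared secret are all constructed.

```python
import secrets
import time

class ZspBroker:
    """Toy JIT/ZSP broker: no standing grants, time-boxed access, leaver-driven rotation."""
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.users = set()            # identities the HR feed currently says are active
        self.grants = {}              # (user, resource) -> expiry timestamp
        self.secrets = {}             # resource -> current shared secret (constructed, random)
        self.holders = {}             # resource -> users who were handed the current secret

    def onboard(self, user):
        """Joiner event: the identity may now request JIT grants (it still holds nothing)."""
        self.users.add(user)

    def grant_jit(self, user, resource, ttl_seconds):
        """Hand out a time-boxed grant plus the resource's shared secret."""
        if user not in self.users:
            raise PermissionError(f"{user} is not an active identity")
        self.grants[(user, resource)] = self.clock() + ttl_seconds
        secret = self.secrets.setdefault(resource, secrets.token_hex(16))
        self.holders.setdefault(resource, set()).add(user)
        return secret

    def has_access(self, user, resource):
        expiry = self.grants.get((user, resource))
        return user in self.users and expiry is not None and self.clock() < expiry

    def end_session(self, user):
        """Single logout: every grant the user holds is revoked, not just the one app."""
        for key in [k for k in self.grants if k[0] == user]:
            del self.grants[key]

    def offboard(self, user):
        """Leaver event: revoke grants and rotate every shared secret the user ever saw."""
        self.users.discard(user)
        self.end_session(user)
        rotated = []
        for resource, users in self.holders.items():
            if user in users:
                self.secrets[resource] = secrets.token_hex(16)
                users.clear()         # remaining holders re-request to receive the new value
                rotated.append(resource)
        return sorted(rotated)

    def active_grants(self):
        """ZSP check: outside working sessions this list should be empty."""
        now = self.clock()
        return sorted(k for k, expiry in self.grants.items() if now < expiry)
```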
After all, the most secure privilege is one that doesn’t exist.