Today’s continuous integration and continuous delivery (CI/CD) reality is that development and cloud ops teams are working to build and maintain their pipelines in both on-premises and cloud (often multi-cloud) environments. To keep productivity up, developers and cloud ops teams require real-time access to the infrastructure they need to complete their work. However, this access also creates security risks that must be managed and mitigated. These risks include broad access and excess privileges, both of which run counter to just-in-time access and the principle of least privilege.
In this blog post, I will discuss the importance of maintaining productivity and security for developer and cloud ops infrastructure access, and some of the practical ways secure cloud access can be accomplished.
Which tradeoff do you make for cloud access – productivity or security?
In fast-paced environments, developers require quick and easy access to the infrastructure they need to write, test, and deploy code. Delays in accessing this infrastructure can lead to lost productivity, missed deadlines, and decreased customer satisfaction. When developers have frictionless access to systems, they work more efficiently and effectively, ultimately resulting in more successful business outcomes.
Likewise, cloud ops teams need quick and easy access to the infrastructure they manage. This allows them to monitor and maintain the infrastructure’s health, quickly identify and resolve issues, and respond to changes in demand. If cloud ops teams cannot access the infrastructure they manage, they cannot effectively perform their job duties, potentially leading to downtime and lost revenue.
Obviously, productivity is essential for developers and cloud ops personnel to accomplish their tasks, meet project deadlines, and avoid the frustration that slows these key people down. On the other hand, security is equally important to protect the infrastructure and data from unauthorized access, theft, and other malicious activity. These two aspects of infrastructure access are like two sides of the same coin – they are interconnected and interdependent.
Balancing productivity and security can be a challenge for organizations. Overemphasizing productivity at the expense of security can lead to vulnerabilities, and overemphasizing security can lead to unnecessary restrictions that create hurdles to getting work done and generate end-user frustration.
To address this challenge, organizations need to adopt a comprehensive approach that prioritizes productivity AND security.
Implementing best practices for secure cloud infrastructure access
BeyondTrust Privileged Remote Access (PRA) was built from the ground up to securely allow access to any system, anywhere in the world, without requiring a VPN. The product is used by IT admins, third-party vendors, Operational Technology (OT) groups, and developers and cloud ops teams to securely connect to critical systems. Privileged Remote Access includes Cloud Infrastructure Access Management, which implements the following best practices to satisfy the need for uncompromising security of backend infrastructure access while enabling end users to work at top speed.
Role-Based Access Controls
Role-based access controls (RBAC) allow organizations to control who can access which resources based on their roles and responsibilities. This ensures developers and cloud ops personnel have access to the resources they need to do their jobs, while restricting access to sensitive resources to only those who need them. Privileged Remote Access uses integrations with common identity providers to ensure that approved users have timely access to systems and that users who should not have access don’t.
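To make the RBAC and just-in-time points concrete, here is an added example (not BeyondTrust code, and not how Privileged Remote Access evaluates policy internally) of a small access evaluator. The role catalogue, host naming scheme and protocol names are constructed for the illustration. The key design choice is that a role alone never grants access: every session also needs a time-bounded grant for one named target, so a stolen account that holds a role still cannot reach anything once its grants expire.

```python
"""Role-based, time-bounded access evaluation (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Hypothetical role catalogue: role -> (host name pattern, protocol) pairs the
# role may use. Patterns keep the policy small; grants below pin exact hosts.
ROLE_POLICY = {
    "developer": [("dev-*", "ssh"), ("dev-*", "rdp")],
    "cloud-ops": [("*", "ssh"), ("*", "rdp")],
    "dba":       [("sql-*", "mssql")],
}


@dataclass(frozen=True)
class Grant:
    """A just-in-time grant: one user, one role, one exact host, one expiry."""
    user: str
    role: str
    target: str            # exact host name the grant was approved for
    expires_at: datetime   # UTC instant after which the grant is void


def evaluate(grant, user, target, protocol, now):
    """Return (allowed, reason); every reason is phrased for an audit record."""
    if grant.user != user:
        return False, "grant belongs to a different user"
    if now >= grant.expires_at:
        return False, "grant expired"
    if target != grant.target:
        return False, "target not covered by grant"
    permitted = ROLE_POLICY.get(grant.role, [])
    if not any(fnmatch(target, pat) and proto == protocol for pat, proto in permitted):
        return False, f"role {grant.role!r} does not permit {protocol} to {target}"
    return True, "allowed"


def issue_grant(user, role, target, now, ttl=timedelta(hours=2)):
    """Issue a grant that expires after `ttl` (default two hours, constructed)."""
    return Grant(user=user, role=role, target=target, expires_at=now + ttl)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    g = issue_grant("alice", "developer", "dev-web-01", now)
    for req in [("dev-web-01", "ssh", now), ("prod-db-01", "ssh", now),
                ("dev-web-01", "ssh", now + timedelta(hours=3))]:
        print(req[:2], evaluate(g, "alice", *req))
```

The evaluator deliberately checks the cheapest, most decisive conditions first (wrong user, expired grant) and returns a reason string on every deny so the same call can feed the audit trail discussed later in this post.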
Strong Authentication
Strong authentication is increasingly important as bad actors sharpen their skills and leverage tools like Artificial Intelligence (AI) to do so. Extra layers of security make it harder for attackers to gain unauthorized access even if they have stolen a user's credentials. The BeyondTrust solution offers a plethora of authentication options, and 23.2 (the latest version) adds passwordless authentication and SAML improvements that allow SAML group provisioning.
Bring Your Own Tools (BYOT)
Initially, BYOT might sound like the opposite of a best practice. In the “old world” of access solutions, you would be correct. However, BeyondTrust Privileged Remote Access allows users to leverage familiar local tools through an encrypted tunnel that is brokered between devices, with all traffic outbound on port 443. This allows a user to access a Linux server via their local SSH client (like PuTTY), or a database admin to connect to a SQL Server instance with their local copy of Azure Data Studio, all through a secure and auditable connection. This workflow addresses the productivity-versus-security dynamic directly, and delivers equal measures of both. Additionally, because Privileged Remote Access is proxying the SQL traffic, the audit log captures a level of detail that is exceptionally valuable from an audit perspective.
Infrastructure as Code
Infrastructure as code is a reality of our modern cloud-first world. Simply put, this is the ability to spin up and spin down cloud computing resources dynamically from code. These dynamic environments are often used by developers and cloud ops engineers as part of the CI/CD pipeline. Privileged Remote Access allows users to use tools like Terraform scripts to dynamically create (or decommission) cloud resources and to automatically provision access via the BeyondTrust product. An example of this is a developer needing to replicate a customer’s environment to troubleshoot an issue. With a simple script, the developer can replicate (for example) a domain controller, a SQL server, a web server, and a few hosts. Not only will those devices spin up in the organization’s cloud provider, but the devices will automatically appear in the developer’s streamlined product console for access. Then, the reverse of that script will decommission the devices and remove them from the Privileged Remote Access environment. This experience is common in today’s world and the BeyondTrust solution is built to handle even these ephemeral scenarios. Yet another way the BeyondTrust solution helps with the productivity and security dynamic that organizations face!
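The security-relevant half of the spin-up/spin-down story is that access must be removed as soon as the ephemeral resource is destroyed, or a broker keeps offering sessions to hosts that no longer exist (or, worse, to a recycled address). The following added example (not BeyondTrust's own integration, and not its API) shows the reconciliation logic behind that: it reads the JSON that `terraform show -json` emits for the current state, selects instances carrying a constructed `access_broker` tag, and diffs them against the broker's host inventory, which is represented here by a plain dictionary standing in for whatever a real product API returns. The sample state is constructed inline; the resource shape follows Terraform's documented JSON output, including nested `child_modules`, which goes slightly beyond the single-script case in the post.

```python
"""Reconcile Terraform-managed hosts with an access broker's inventory (added illustration)."""
import json

# Constructed sample of `terraform show -json` output: two instances tagged for
# brokered access, an untagged bastion, and a non-instance resource to ignore.
SAMPLE_STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "aws_instance.web", "type": "aws_instance", "name": "web",
         "values": {"private_ip": "10.0.1.10",
                    "tags": {"Name": "dev-web-01", "access_broker": "ssh"}}},
        {"address": "aws_instance.sql", "type": "aws_instance", "name": "sql",
         "values": {"private_ip": "10.0.1.20",
                    "tags": {"Name": "dev-sql-01", "access_broker": "mssql"}}},
        {"address": "aws_instance.bastion", "type": "aws_instance", "name": "bastion",
         "values": {"private_ip": "10.0.0.5", "tags": {"Name": "bastion"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "name": "web", "values": {"name": "web-sg"}},
    ]}},
})


def _walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def desired_hosts(state_json):
    """Map host name -> (private IP, protocol) for instances tagged `access_broker`.

    After `terraform destroy` the state carries no `values`, so the result is
    empty and every previously registered host becomes a removal candidate.
    """
    state = json.loads(state_json)
    root = state.get("values", {}).get("root_module", {})
    wanted = {}
    for res in _walk(root):
        if res.get("type") != "aws_instance":
            continue
        tags = res["values"].get("tags") or {}
        if "access_broker" in tags:
            wanted[tags["Name"]] = (res["values"]["private_ip"], tags["access_broker"])
    return wanted


def reconcile(desired, inventory):
    """Return (to_add, to_remove, unchanged) relative to the broker inventory.

    `inventory` is a dict of host name -> (ip, protocol) standing in for the
    broker's API (hypothetical). A host whose IP or protocol changed is
    re-registered rather than left pointing at the old address.
    """
    to_add = {h: v for h, v in desired.items() if inventory.get(h) != v}
    to_remove = sorted(h for h in inventory if h not in desired)
    unchanged = sorted(h for h in desired if inventory.get(h) == desired[h])
    return to_add, to_remove, unchanged


if __name__ == "__main__":
    # Constructed inventory: one host already registered, one left over from
    # an earlier environment that Terraform no longer manages.
    broker = {"dev-web-01": ("10.0.1.10", "ssh"), "old-host-07": ("10.9.9.9", "ssh")}
    add, remove, same = reconcile(desired_hosts(SAMPLE_STATE_JSON), broker)
    print("register:", add)
    print("deregister:", remove)
    print("unchanged:", same)
```

Running the same reconcile step after the "reverse" script (a destroy) is what guarantees the hosts disappear from the access console: the desired set is empty, so everything the broker still lists lands in the removal list.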
Robust Audit Trail
The need for secure cloud access is rarely decoupled from stringent audit and compliance requirements. Whether the requirements stem from industry-specific mandates or government regulation, no one wants to be scrambling to pull together reports. Fortunately, Privileged Remote Access captures an audit trail of all session interactions… even when the sessions occur from or with a third party. This type of reporting ability makes audit and compliance conversations much less stressful. Reports are also available via API to external systems such as a change management workflow. These integrations are often seen as a best practice, particularly for larger organizations.
One-click access + secure backend infrastructure
In today's world of cloud computing and remote work, maintaining productivity and security for developer and cloud ops infrastructure access is essential. Achieving this balance requires a comprehensive approach that prioritizes both productivity and security, including implementing RBAC, strong authentication, BYOT, infrastructure as code, and a robust audit trail. By adopting these best practices, organizations can ensure that their infrastructure remains secure while enabling their developers and cloud ops personnel to maintain productivity and meet project deadlines.
Adam White, Director, Technical Marketing
Adam White is the Director of Technical Marketing and has been with BeyondTrust for 19 years in a variety of technical and operations roles. Originally starting in support and spending over a decade in solutions engineering, Adam brings that technical lens to the BeyondTrust marketing team. He is a vintage electronics and hi-fi nerd (think vacuum tubes); collector of too many amplifiers, guitars, and effects pedals; husband; and father of three teenagers.