Infrastructure access has changed as IT perimeters shifted from on-premises to virtual, and now, largely, to the cloud. Amidst these changes and increased environmental complexity, a common challenge companies struggle with is how to ensure security for DevOps and CloudOps engineers without disrupting their workflows and impacting productivity. BeyondTrust solves the challenges of securing cloud infrastructure access, and in a way that users will want to adopt.
In this blog, we will answer the question “what is cloud infrastructure access” and look at the who, what, and how of accessing infrastructure. We will also look at how BeyondTrust Privileged Remote Access (PRA) delivers secure Cloud Infrastructure Access capabilities to boost user satisfaction, productivity, and security.
What is Cloud Infrastructure Access?
Before proceeding, let’s first define what we mean when we are discussing “cloud infrastructure access”.
The term “infrastructure” may conjure up images of a raised floor data center, tall towers of servers, miles of cable, and a lot of blinking lights. While this is an accurate depiction of infrastructure, in today’s world, physical systems and access to them are abstracted by software. Infrastructure can mean on-prem servers, cloud servers, containers, or a database that was just spun up via infrastructure-as-code (more on this later).
Just like the word infrastructure might conjure stodgy imagery, so might the words “cloud access”. Many organizations are still living in this old world of access—one that cobbles together VPN solutions (often many VPNs), a myriad of tools, and, when available at all, an unwieldy collection of audit logs and audit sources.
BeyondTrust Cloud Infrastructure Access is the modern and secure way to grant defined users least-privilege access to the critical systems and tools they need to do their jobs.
Who needs Infrastructure Access Management?
Privileged Access Management (PAM) solutions have traditionally focused on IT admins and vendor access when it comes to protecting access to systems and guarding against over-privilege. Before we proceed, it’s important to emphasize that these users and their needs are just as important as ever. To a great degree, those needs center on connectivity and on the once-prevalent credential sprawl.
Developers and cloud ops users are working on some of the most cutting-edge technologies available (see the “what” section below), yet still rely on legacy connectivity methods, like VPNs. All too often, these workers leverage shadow IT because, right or wrong, when developers are trying to meet delivery deadlines, speed can trump security.
These users, who, day in and day out, march to the drum of agile, are stuck in a less-than-agile world as they strive to deliver on sprints and enable a modern cloud computing landscape. The modern world of developers and cloud ops engineers needs a solution that’s dynamic and on-demand, one that provides security—and not at the cost of productivity.
DevOps and other users are blurring lines and expanding the perimeter of traditional information technology, but they often fall outside of the normal channels of provisioning, deprovisioning, and privilege-rightsizing.
What is Cloud Infrastructure Access used for?
Developers and cloud ops users have different needs. In addition to on-premises systems, developers and cloud ops engineers are increasingly working in cloud platforms, like AWS, Azure, and GCP. These users leverage technologies like Terraform, Kubernetes, PuTTY, and TOAD (just to name a few) to perform their job functions.
These users need “just enough PAM”, or PAM lite. In this case, “lite” doesn’t mean fewer features or being stripped down in a negative way. It means purpose-built and easy to use.
What are the benefits of Cloud Infrastructure Access?
As we’ve mentioned, developers and cloud ops engineers are still utilizing legacy connectivity options, like VPNs, when connecting to infrastructure. These methodologies have not kept pace with the workflow needs of the users or the security requirements of organizations. These legacy technologies also can be a big roadblock for those organizations trying to embrace zero trust.
A common challenge is that a user must launch multiple VPN clients, all of which grant broad network access—counter to least privilege and zero trust principles—even when only a single device (or small subset of devices) is needed.
Additionally, traditional VPNs and other legacy access tools lack a centralized audit trail and a way to easily add/remove user access.
BeyondTrust’s Privileged Remote Access offers a purpose-built “Infrastructure Access Mode” that streamlines the interface for users and ensures that any connections made through PRA yield an audit trail of all activity.
How BeyondTrust secures and manages Infrastructure Access
BeyondTrust Privileged Remote Access integrates with Identity Providers (IDPs) to make the onboarding and offboarding of users simple and error-free. Not only can an IDP integration (available out-of-the-box) streamline the user lifecycle, but it also couples with the ability to assign approvers for access and set time windows for access. These functions combine to offer admins incredible granularity without getting in the way of user workflows.
Role-based user provisioning is another benefit of IDP integration. The role a user plays determines the specific systems they should have access to, when that access is permitted, and what they should be able to do when engaged with infrastructure.
Additionally, BeyondTrust products complement each other in ways that further simplify security and administration around infrastructure. Password Safe, an enterprise privileged password management product, can integrate with Privileged Remote Access to inject credentials and secrets directly into sessions in the context of a user’s interaction with infrastructure, so the user never has to see or handle the credential. This ability to tie the who, what, and when of access to user-friendly credential management is a significant step forward in both user productivity and security.
Privileged Remote Access provides a number of capabilities to securely support a “bring your own tools” (BYOT) approach. Privileged Remote Access users can create a protocol-based connection to a remote system and then use their local tools (like PuTTY or Azure Data Studio) for connectivity. Privileged Remote Access is able to tunnel TCP protocols, so the connection is scoped to the specific host and port rather than to a whole network segment, and this ability to use local tools helps users maintain existing workflows and makes it more likely that you will see high user adoption.
In addition, API cookbooks provide working examples on how to provision ephemeral assets in PRA as part of your infrastructure-as-code pipelines (more on this below).
Terraform and similar tools are often used across DevOps to provision and deprovision systems in real time.
For example, let’s say a developer wants to replicate a customer’s environment to do some troubleshooting. A Terraform script could provision five servers (perhaps of different kinds) in AWS. Now, with the addition of the CLI tool in Privileged Remote Access, these servers will not only populate in AWS, but they will also become available to those Privileged Remote Access users that the script defines, and can be removed from PRA when the script tears the environment down. While this requires minimal user effort, it has an outsized impact on productivity and security.
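To make the scenario above concrete, here is an added example of what such a pipeline can look like in Terraform. It is not BeyondTrust’s own code and does not use any real PRA CLI syntax: the registration step calls a hypothetical wrapper script, `register-with-pra.sh`, which stands in for whatever call the PRA API cookbooks prescribe. The instance names, instance types, and the `pra_users` list are constructed sample input. The point the example shows is that access is tied to the resource lifecycle in both directions: a create-time hook grants access when the host appears, and a destroy-time hook revokes it when the host goes away, so ephemeral infrastructure never leaves behind orphaned access.

```hcl
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws", version = "~> 5.0" }
    null = { source = "hashicorp/null", version = "~> 3.0" }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Constructed sample input: the PRA users the replicated environment is for.
# Hypothetical variable name, not defined by BeyondTrust.
variable "pra_users" {
  type    = list(string)
  default = ["dev.alice", "dev.bob"]
}

# Resolve the current Amazon Linux 2023 image instead of hard-coding an AMI ID.
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

# Five servers of different kinds, mirroring the customer environment being replicated.
locals {
  servers = {
    web-1   = "t3.small"
    web-2   = "t3.small"
    app-1   = "t3.medium"
    db-1    = "r6i.large"
    bastion = "t3.micro"
  }
}

resource "aws_instance" "replica" {
  for_each      = local.servers
  ami           = data.aws_ami.al2023.id
  instance_type = each.value
  tags          = { Name = each.key, Purpose = "customer-replica" }
}

# One registration per host. Changing any trigger replaces the resource, which
# runs the destroy hook (revoke) and then the create hook (grant) again.
resource "null_resource" "pra_registration" {
  for_each = aws_instance.replica

  triggers = {
    hostname   = each.key
    private_ip = each.value.private_ip
    users      = join(",", var.pra_users)
  }

  # Create-time hook: register the host in PRA and grant the listed users.
  # register-with-pra.sh is a hypothetical wrapper around the PRA API.
  provisioner "local-exec" {
    command = "./register-with-pra.sh add ${self.triggers.hostname} ${self.triggers.private_ip} ${self.triggers.users}"
  }

  # Destroy-time hook: remove the host from PRA so access disappears with the server.
  # Destroy provisioners may only reference self, hence the values kept in triggers.
  provisioner "local-exec" {
    when    = destroy
    command = "./register-with-pra.sh remove ${self.triggers.hostname}"
  }
}

output "replica_hosts" {
  value = { for name, inst in aws_instance.replica : name => inst.private_ip }
}
```

Two design points worth noting. First, the destroy-time provisioner is what turns “provisioning” into a complete lifecycle: without it, `terraform destroy` would delete the servers but leave their entries, and the users’ grants, behind in the access system. Second, keeping the user list in `triggers` means that editing `pra_users` forces a re-registration, so the access record always matches what the code declares rather than drifting from it.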
Benefits of a comprehensive secure access solution
- Privileged Remote Access empowers organizations with a comprehensive solution that meets identity and access needs across the whole of the business.
- IT admins and third-party vendors can use the product to access systems in their role as “fixers” of the business. Developers and cloud ops engineers can use the BeyondTrust solution as they do their work “building”.
- Privileged Remote Access offers a single control plane to secure all access. Plus, the consolidation of the audit trail alone is worth the price of admission for most companies.
Privileged Remote Access has changed the game for secure access—and we don’t make that claim lightly.
Prior to the BeyondTrust solution, it was hard to allow disparate teams to use the same access solution. Now, many different types of users, with very different objectives, can leverage a single solution to power their effectiveness. Prior to Privileged Remote Access, organizations lacked a way to create a reasonably comprehensive audit trail around remote access—when logs were available at all. Now, requests from audit and compliance can be met with high satisfaction. The product logs all session activity across all access methodologies.
Additionally, handy APIs make the BeyondTrust solution’s integration into external systems (like a change management system) a breeze.
Next steps: Start solving your Cloud Infrastructure Access challenges
Below are a few of the cloud infrastructure access outcomes Privileged Remote Access can start delivering for your organization immediately:
- Easy provisioning and deprovisioning of cloud access so you always know who can connect to what and when.
- Streamlined UI provides an easy-to-use, easy-to-adopt cloud access experience for devs and cloud ops users.
- Allows users to maintain existing workflows using familiar tools (like PuTTY and Azure Data Studio) when connecting to critical infrastructure. Productivity and security combined.
- Infrastructure as Code allows you to provision/deprovision infrastructure and access (via Privileged Remote Access) in real time.
Adam White, Director, Technical Marketing
Adam White is the Director of Technical Marketing and has been with BeyondTrust for 19 years in a variety of technical and operations roles. Originally starting in support and spending over a decade in solutions engineering, Adam brings that technical lens to the BeyondTrust marketing team. He is a vintage electronics and hi-fi nerd (think vacuum tubes); collector of too many amplifiers, guitars, and effects pedals; husband; and father of three teenagers.