Organizations plan to address access management over the next 12 months, as the need to secure and simplify access controls at the infrastructure level is a prerequisite for other initiatives, such as zero trust.
This was one of the main findings of a survey of 600 DevOps professionals conducted by Pollfish and sponsored by strongDM. The report also found that outdated access practices created severe shortcomings for teams.
These shortcomings require extensive time and resources to fix and block agile development practices: Nearly nine out of 10 organizations surveyed said they require one or more employees to review and approve access requests, and that those requests can take days or weeks to fulfill.
The survey also indicated that organizations continue to use insecure access management practices that make it difficult to track and review users and permissions of critical business systems.
Tim Prendergast, CEO of strongDM, said that as more jobs become technical, there is a greater need to provide access to more people, and that could have a severe impact on the company’s ability to stay secure. He pointed out that when 65% of organizations report that their teams use shared logins, and more than 40% use shared SSH keys, there’s almost no way to know who’s on your infrastructure or what havoc they might cause.
“This makes it difficult to identify any leaks or losses because you have 20 copies of your home key floating around,” he said. “It’s an example of the trade-off that most organizations make when it comes to speed and ease of access versus ensuring that access is secure.”
Survey respondents said their biggest challenges were the time required to request and grant access (52%) and the task of setting, rotating, and tracking credentials (51%).
Hurry up and wait
“Using existing methods of access means you are hiring these highly paid technical resources and telling them to hurry and wait,” Prendergast said.
Nearly half (47%) of respondents said they had experienced onboarding staff and contractors, and Prendergast noted that one in four organizations said just getting approved for access required a four-person process.
“Think about it — in 25% of organizations, you have tech resources twiddling their thumbs while they wait for access to that database or to a Kubernetes cluster,” he said. “Now multiply that by your many databases, servers, employees, and external vendors. And that doesn’t even count when you add new technologies like Kubernetes to your infrastructure. Ultimately, even just frustrating your team while they wait for them to arrive becomes a burden.”
2022: The year of convergence
Prendergast predicted that 2022 would see DevOps and security converge beyond what we’ve already seen with DevSecOps, focusing heavily on shifting to the left and bringing security into the development cycle earlier.
“This convergence will be characterized by new workflows, technologies, and solutions that not only improve security, but also improve the development cycle,” he said. “One great example is improving access to infrastructure – when done right, you can improve your security posture using distrust methodologies while making it easier for DevOps teams to access systems quickly and easily.”
He added that two of the biggest workforce dynamics facing zero trust are telecommuting and the Great Resignation.
“You used to have this environment where you had to be physically located or on a VPN to be able to access – remote working broke that,” he explained. “And now you also have this many employees leaving their jobs. Do you know what systems they have access to? How do you know if all that access is turned off? What happens if they use shared credentials?”
That’s why addressing access is critical to meeting this challenge and achieving modern security: if you don’t know who has access to what or what they can do in each system, Prendergast said, you can never reach zero trust.
“Organizations need to find a way to understand the relationship between every technology and every technology and then be able to track and scrutinize those relationships,” he said. “Until you do that, you’re going to have a really hard time with distrust. These are the bets on the table for modern security.”