Commissioned by SSH.COM
1 Introduction
Today's organizations need to deliver new services and applications as they modernize operations and upgrade IT infrastructure. Unlike in previous generations, the process of updating is almost constant, and deployments across different departments often take place several times a day. The same pattern is mirrored in the creation and improvement of commercial and third-party software.
The pressure on organizations to develop their IT infrastructures and projects within an automated Continuous Integration and Continuous Delivery (CI/CD) framework is increasing. The directive comes from senior management, who wish to see improvements in competitiveness through better infrastructure, and from IT team leaders looking for boosts in software productivity and efficiency to meet the requirements of senior management. Modern organizations are now an unwieldy mixture of interconnected code and applications, including microservices, APIs, desktop apps and mobile apps, and keeping all of these up to speed requires a constant stream of updates and patches, as well as the roll-out of brand new software projects and products.
One catalyst for this change was the DevOps IT team culture, which emerged around 10 years ago to break down the traditional Engineering and Operations silos that had previously existed and that often stalled software development and deployment and introduced errors. It was found that co-operation between the teams helped facilitate the desired continuous development framework: developers became used to agile turnaround and rapid software delivery times, and operations also worked more efficiently.
At the same time, the same pace of development is expected of other teams within the organization, and some of the techniques used by DevOps are being applied to other areas, most notably the use of cloud and multi-cloud environments spun up from Cloud Service Providers (CSPs) including AWS, Azure, Google and other smaller cloud operators. Many organizations now find themselves wittingly or unwittingly using clouds from different providers, each with a different set of standards for handling authentication to access privileged accounts.
However, organizations that focus only on providing solutions faster and more efficiently by applying the agile approach, without strong security principles baked into their overall software development and operations processes, are sooner or later, but inevitably, destined to run into information security problems. For more detail on DevOps and its importance to modern application development, see Matthias Reinwarth's Advisory Note on DevOps, referenced in Further Reading.
Why does this matter?
It matters because those working in these agile, fast-turnaround environments increasingly need privileged access to specific data sources, applications and other resources that are classified as confidential and must be kept secure. Today, this includes individual pieces of code, containers and APIs, as well as discrete data that may relate to confidential company plans or to individuals.
With the pressure to deliver results increasing, those in agile environments may be tempted to take shortcuts and work around less than stringent privileged access controls if they can. They may store locally or share credentials to privileged systems and data, or embed them within an application or the project files they are working on. The challenge is finding a PAM solution that keeps secrets secure while working at the pressure and speed that agile teams already work at. It must not get in the way.