Justin McCarthy is the co-founder and CTO of strongDM. He developed empathy for Operations as a founding member of many ops and data teams.
As many of us who’ve been to the doctor know, a simple “itch” may mask more concerning issues. Access management is one such example of this. According to a recent study my company conducted, 80% of DevOps professionals name access management as a top strategic initiative in 2022—but is this an itch, or a broader issue?
Often, the “crown jewels” (think source code, sensitive personally identifiable information, protected health information and the like) sit in databases, servers and other critical infrastructure. Remote work, the Great Resignation and “all things cloud” are causing organizations to rethink how they manage access to those crown jewels against the overarching strategic mandates on innovation, security and compliance. In fact, in a recent podcast, Gartner named identity and access as the critical starting points for adopting zero-trust methodologies.
And this all starts and ends with people. It’s people who access the systems and tools that house the crown jewels, propel the business forward and form the backbone of any organization. Too often, people can’t do their jobs because obstacles stand in their way.
The complexity of today’s stack presents challenges.
With the pervasiveness of cloud technologies, organizations have had to deal with a mix of legacy systems and newer resources, such as infrastructure-as-a-service (IaaS) platforms, containers and clusters, that add to the complexity of managing access to a now-diverse stack. Traditional access management solutions have struggled to keep pace as the majority were designed for legacy, on-premises systems and have had to pivot or rejigger their solutions to support these modern resources, such as AWS and Azure platforms, Kubernetes clusters or MySQL databases.
The numbers bear it out. According to my company’s survey:
• Sixty percent of organizations have access problems with cloud providers.
• Fifty-seven percent have problems accessing databases and servers.
The burden of managing access permissions (e.g., onboarding new employees, shutting off access to employees on the way out, assigning folks to new projects) typically falls on the shoulders of managers who have to approve access and the admins or help desk associates who have to do the actual provisioning of access.
• Fifty-three percent take “hours or weeks” to grant access to infrastructure.
• Eighty-eight percent require two or more people to grant approval.
• Twenty-five percent require four or more people to approve an access request.
At the end of the day, when folks can’t get to what they need, frustration builds, productivity nosedives and security risks intensify.
Legacy tools fall short on the security and compliance fronts.
The irony in all of this is that by implementing so many “checkpoints” in the name of tightening up security, the opposite actually emerges: People take shortcuts to get what they need, but in doing so expose the company to even more security and compliance risks.
To avoid the pain of sitting around and waiting for access, many employees resort to using shared logins or shared SSH keys as workarounds, alarming those responsible for the company’s security and compliance postures. What happens if someone leaves a company but still has access to valid credentials? Is there an audit trail for everything that happens on a particular database or server in case you need to look into a security incident, respond to an audit or figure out why the website went down?
Unfortunately, by taking the above shortcuts, the company is actually at higher risk for data breaches or non-compliance with applicable regulations or corporate governance requirements.
Access management is more than an itch.
Access management is ripe for disruption. That much should be clear. Here are some points to consider as you evaluate your access management options:
• What’s the user experience like—from both the administrator and end-user standpoints?
• Can the solution integrate with what you’ve already got? Does it scale easily?
• Does the solution natively support modern protocols?
• Will the solution accelerate your ability to respond to auditors’ questions, identify root causes or analyze security incidents?
• Can the solution help you in your zero-trust journey, if that’s one of your objectives?
• How is it deployed? Is it complex?
Investing the time to properly design and implement an access management solution has unquestionable benefits. Admins and end users will appreciate their time back and happily get to work on projects that matter the most to them. Executives will feel more at ease knowing their security and compliance postures are in a better place. And perhaps most importantly, “access” will not be viewed with suspicion, but rather as an enabler of productivity and positive thoughts.