
Security, Agility, and Accountability: A Balancing Act

 

February 24, 2016 | DevOps | Andrew Racine

 

Many experts in the IT field believe that the battle inside the enterprise between developers, security, and compliance officers will de-escalate. However, at Conjur, we believe the issue is a complex one that cannot be solved simply by finding common ground. The challenge is discovering the balance between accountability and agility, and the security tools that can enable and sustain that balance.

Balancing Security, Compliance, and Developers

An effective model for cross-functional governance, risk management, and compliance must span not only IT automation tools like Puppet and Chef but also cloud services, such as AWS and Azure, in order to extend across the software delivery pipeline. In practical terms, this involves specific capabilities like managed access by developers to the AWS Administrator Console to assign resources for code moving into production, as well as programmatic integration of protected secrets into source control workflows for IT automation. Too often, enterprises are stuck in an “all or nothing” predicament, where either developer velocity wins out or security becomes the bottleneck.

Into the Unknown

The challenge that security and compliance teams face is not just expanding the scope of controls and visibility to new infrastructure in the form of IT automation and cloud services, but also applying security principles, notably authorization, to processes that break new ground. Addressing security for IT automation requires security teams to rethink how they can facilitate new software delivery processes in a risk-driven, repeatable model.

How to Establish a Consensus on Risk & Compliance

As the name implies, DevOps models compel developers and IT operations to cooperate seamlessly and operate in sync. Platforms and tools like Puppet enable this type of tighter symbiosis through capabilities like source control, and drive mutual benefit through patterns like ‘infrastructure as code’. Folding security into the mix is critical to high-performing DevOps teams, according to the Puppet Labs report on the State of DevOps in 2015. However, it’s one of the reasons that many larger enterprises are hesitant to embrace IT automation: it implies a change in process and cross-functional cooperation.

From an operational perspective, then, security and developer teams are looking for ways to establish a consensus on risk and compliance, and then to implement that consensus in a repeatable, transparent model rather than cobble together multiple components with varying degrees of support and institutional knowledge.

Trust, But Validate

Conjur’s approach is to use a tiered authorization model specifically to facilitate a consensual process for balancing access, risk management, compliance, and agility based on enterprise business needs. Through a transparent and easily edited policy framework, the Conjur role-based authorization platform is designed to enable enterprises to centrally define policies on who (or what, in the case of IT automation workflows) gets access to what, and with what permissions.

Leveraging existing identity stores, Conjur uses a tiered authorization model that can facilitate a transparent process for balancing access, risk management, compliance and agility. For instance, the Conjur platform can act as a bastion host that extends the AWS delegation model to grant developer access to the AWS Console, tying access to a specific identity and removing a critical operational bottleneck. The Conjur authorization service can be used to restrict access to only those secrets and SSH keys that developers are authorized to use, with policies based on roles. Developers must authenticate through a set of unique credentials, rather than through a shared password.

For security teams, whose mandate is first and foremost defense, finding their way to enablement for cross-functional processes can be a rocky road. The Conjur approach is to smooth the path through abstracted authorization and well-defined roles for new processes and infrastructure.

 

 
