PAM Challenges: Optimizing Security in DevOps

DevOps is not a fad; it is a lasting trend being adopted by more and more organizations every day. DevOps allows dynamic companies to unify development and IT operations, providing great benefits for the whole organization. Usually, IT operations teams and development teams have friction due to their different security cultures. Using DevOps removes this friction but does not solve the security problem. Instead, the problem stays hidden until an incident appears.

IT operation departments make use of PAM solutions to some degree, but development departments do not. Why? Simply because PAM solutions were designed for IT operation teams, and these tools simply don’t fit in the development lifecycle.

When using a traditional PAM solution, user access to critical assets is monitored. Typical critical assets are operating systems, network devices, or databases. But DevOps has introduced new types of critical asset: containers and secrets.

Developers can still use their common tools to configure containers. A typical workflow can be as follows:

This is the standard process, but when some problem arises, developers need access to the production containers. Giving them the credentials required to get access to the containers is dangerous and potentially harmful.

To avoid this, the best PAM solutions must provide a mechanism to access these containers through a shell-like session. In this case, the session should be recorded, and every keystroke or file transfer will be registered. The PAM solution will then be able to detect risky or forbidden usage, such as lateral movement or software installation.
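As an added illustration (not code from the article or from any particular PAM product), this is the kind of policy check a session monitor can run over a recorded container shell session: each recorded command is matched against rules for software installation, lateral movement and file transfer, and the session gets a verdict. The transcript, rule names and annotation values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a recorded shell session, one command per line,
# as a PAM session recorder might store it (not a real capture).
SESSION = """\
kubectl exec -it api-7d9f -- /bin/sh
cat /etc/hosts
apt-get install -y nmap
ssh deploy@10.0.0.12
scp /tmp/dump.sql backup@10.0.0.20:/tmp/
ls -la /var/log
"""

# Policy rules: (name, severity, regex). "forbidden" ends the session,
# "alert" only raises a finding for later review. Hypothetical rule set.
RULES = [
    ("software_install", "forbidden",
     re.compile(r"^\s*(sudo\s+)?(apt(-get)?|yum|dnf|apk|pip3?)\s+(install|add)\b")),
    ("lateral_movement", "forbidden", re.compile(r"^\s*(ssh|telnet|sftp)\b")),
    ("file_transfer", "alert", re.compile(r"^\s*(scp|rsync)\b")),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    command: str


def scan_session(transcript: str) -> list[Finding]:
    """Match every recorded command against the rules; first hit per line wins."""
    findings = []
    for n, cmd in enumerate(transcript.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(n, name, severity, cmd.strip()))
                break
    return findings


def session_verdict(findings: list[Finding]) -> str:
    """'terminate' on any forbidden action, 'review' on alerts only, else 'ok'."""
    severities = {f.severity for f in findings}
    if "forbidden" in severities:
        return "terminate"
    return "review" if "alert" in severities else "ok"


if __name__ == "__main__":
    for f in scan_session(SESSION):
        print(f"line {f.line_no}: {f.rule} ({f.severity}): {f.command}")
    print("verdict:", session_verdict(scan_session(SESSION)))
```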

Another aspect is secrets. The PAM solution should be able to rotate, in a timely manner, the passwords required to access a relational database and reconfigure the applications that use them. In most cases, the application reads the credential from a Kubernetes secret. The PAM solution must therefore be able to update Kubernetes secrets accordingly, in a transparent and secure way.
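The rotation flow just described, as an added example that is not the article's or any vendor's code: generate a new password, change it in the database first, and only then build the Secret patch and the Deployment annotation that triggers a rolling restart so pods pick up the new value. The database step is a caller-supplied callback (simulated here), and the secret key and annotation name are assumptions.

```python
import base64
import hashlib
import json
import secrets
import string
from typing import Callable


def new_password(length: int = 32) -> str:
    """Random credential from a CSPRNG; never derived from the old one."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secret_patch(key: str, value: str) -> dict:
    """Merge-patch body for a v1 Secret. 'data' is base64, which is encoding,
    not protection: send it only over TLS to the API server, never log it."""
    return {"data": {key: base64.b64encode(value.encode()).decode()}}


def decode_secret_value(patch: dict, key: str) -> str:
    return base64.b64decode(patch["data"][key]).decode()


def rollout_patch(secret_patch_body: dict) -> dict:
    """Pod-template annotation that changes with the secret, so the Deployment
    controller performs a rolling restart and pods reload the credential
    (needed when the app reads it from an env var rather than a mounted file)."""
    digest = hashlib.sha256(
        json.dumps(secret_patch_body, sort_keys=True).encode()).hexdigest()
    return {"spec": {"template": {"metadata": {"annotations": {
        "pam.example/secret-checksum": digest}}}}}  # hypothetical annotation


def rotate(db_change_password: Callable[[str], bool],
           key: str = "DB_PASSWORD") -> tuple[dict, dict]:
    """Order matters: if the database rejects the new password, leave the
    Kubernetes secret untouched, otherwise the app would be reconfigured
    with a credential the database does not accept."""
    password = new_password()
    if not db_change_password(password):
        raise RuntimeError("database rejected new credential; secret unchanged")
    sp = secret_patch(key, password)
    return sp, rollout_patch(sp)


if __name__ == "__main__":
    # Simulated database call; a real one would run the ALTER USER statement.
    sp, rp = rotate(lambda pw: True)
    print(json.dumps(sp), json.dumps(rp), sep="\n")
```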

With PAM and IAM engines integrated into a Converged Identity Platform, we can leverage the IAM engine to provide the best PAM experience for any system architecture you have, including DevOps operations based on microcontainers. With our approach, you can get all the benefits of DevOps operations without sacrificing security or agility.

Antoni Juanico Soler

Computer engineer. Section Head at the Administration of the Comunidad Autónoma de las Illes Balears

1 year

A very interesting article and a very pleasant read. As a CKAD, I find it very appropriate to address, discuss and put this topic on the table.

More articles by Gabriel Buades