Modern DevOps and cloud infrastructure have exploded in complexity, and with that complexity comes a big access problem. Today’s computing infrastructure has evolved so fast that it is now the main attack target, with roughly 85% of data breaches in 2023 involving servers.
Unfortunately, cybersecurity approaches to managing secure access have not scaled in lockstep with modern infrastructure. What works for traditional IT – perimeter security with VPNs, shared secrets, Privileged Access Management (PAM), IGA, etc. – is incompatible with modern infrastructure, where the ever-changing, ephemeral nature of resources and multiple cloud solutions have vanquished the static network perimeter.
Nothing is static in modern infrastructure. Everything is defined by code. Every access is a privileged access, meaning an attacker gaining access to a DevOps credential can breach and pivot to other infrastructure resources and sensitive corporate data. In the absence of new strategies, the blast radius can include the deployment pipelines or other sensitive privileges held by the engineers who build and maintain the infrastructure-as-code pipeline.
To stop data breaches, enterprises must enforce Zero Trust at the application and workload layer, not just the network level (where Zero Trust has already played a material role in securing perimeter-less environments).
Achieving this, however, will require enterprises to embrace a new cybersecurity paradigm: one built on unified access control and cryptographic identity rather than on credentials.
Bad actors exploit complexity to move laterally across infrastructure
Let’s first put things into perspective. The amount of computing resources needing protection today is immense: physical servers, virtual servers, cloud provider accounts, containers, Kubernetes clusters, CI/CD pipelines, DevOps dashboards, IoT, mobile platforms, and now Generative AI, too.
These have all expanded enterprises’ capabilities greatly, but with a big asterisk. Every resource has its own remote access protocol, its own need for encryption, its own identities with credentials, policies, and need for auditing. If you need bespoke domain expertise to secure and manage every single resource, that places significant operational stress on IT teams. The explosion of resources means an immeasurable number of credentials lie distributed among numerous identity silos, and crucially, access policy silos, which expand attack surfaces.
This makes fertile ground for social engineering attacks. Indeed, software vulnerabilities are not the root cause of data breaches (they’re only 5% of breaches). Human error is the real problem. It’s why roughly half of breaches involve credentials.
A typical identity attack follows a pattern of leveraging identification and authentication failures (e.g. phishing, weak passwords, ineffective or missing MFA, credential stuffing), followed by lateral movement. In other words, attackers don’t just directly attack a single target – they navigate through various interconnected systems using the compromised credentials to gain access to different resources. That’s how attackers access sensitive data or systems that might otherwise be protected. How can enterprises stop this from happening? This is where zero trust access comes into play.
Access protocols aren’t nearly unified enough
The goal of zero trust access is to stop attackers from moving laterally, effectively containing them at a single compromised resource and reducing the blast radius. With that in place, you can expose every resource to public network access, removing the distinction between the corporate network and public networks and eliminating the need for firewalls and VPNs.
But to achieve zero trust access, enterprises must either remove insecure access protocols or provide a secure wrapper (tunnel) around those protocols. What most enterprises are missing is a unified access mechanism that acts as a front-end to all the disparate infrastructure access protocols. In practice, organizations should grant access only on a per-task basis, and only with the minimum privileges required to finish that task. Not every engineer needs root access, and those who do don’t need it all the time. Unified access with automation plays a big role in provisioning access with short-term privileges that expire when a task is completed.
Unfortunately, many organizations are still behind on adopting unified access control for authentication and authorization. Visibility is poor, too, as the cybersecurity sector learned recently through the mistaken assignment of dangerous GKE permissions to the ‘system:authenticated’ user group. It’s a telling reminder that software teams often have no idea who has access to which applications or workloads across their infrastructure. This, sadly, is a symptom of access management having become far too complicated and fragmented across silos.
‘Developers should never have access to production data’ is a rule every tech company should be able to enforce easily across all protocol and resource types. Yet, for most cybersecurity professionals today, that’s a sci-fi concept, and it can have dire consequences if, after a data breach, engineers are unable to trace all access relationships attributed to a user or resource.
A new paradigm for modernizing secure access to infrastructure
Unified access control, paired with zero trust, is the foundation for modernizing secure access, though there are other considerations. To make infrastructure immune to human error, every enterprise needs to make phishing-resistant passwordless (cryptographic) authentication mandatory. While strong authentication has traditionally applied to human users, organizations should also authenticate every system and resource in the infrastructure in order to grant the appropriate privileges. This also prevents attackers from deploying their own rogue systems.
But how do you implement cryptographic authentication for non-human systems and accounts? You assign a unique identity to every system or resource that can be cryptographically authenticated using public key infrastructure (PKI), with keys protected by hardware security modules (HSMs) and trusted platform modules (TPMs). Granted, this can be challenging to implement manually in dynamic, ephemeral environments such as Kubernetes, where systems are automatically instantiated as needed. Thus, automating these processes is critical.
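The two ideas above, task-scoped privileges that expire on their own and a cryptographic identity for every principal, fit together naturally when the grant itself is a short-lived certificate. The following is an added example, not code from the article or from Teleport: a small in-process CA issues a certificate to a user or workload identity, encodes the granted roles as URI SANs (a convention constructed for this example), and an `authorize` check, which a resource or an access proxy would run on every connection, verifies the chain, the validity window and the required role. The CA key is held in memory here; the article's point is that in production it would sit behind an HSM or be bound to a TPM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Identity is what a short-lived certificate attests: the principal (a human
// user or a workload) and the roles granted for the current task.
type Identity struct {
	Principal string
	Roles     []string
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA creates an in-memory root CA valid from now for lifetime. Keeping the
// key in process memory is an assumption for the demo; a real deployment would
// hold it in an HSM or bind it to a TPM.
func newCA(now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "demo-access-ca"},
		NotBefore:             now,
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a certificate for id that is valid only for ttl starting at now.
// Roles are encoded as URI SANs of the form role://<name> (constructed
// convention). The holder keeps the private key; nothing reusable is left
// behind once the certificate expires.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id Identity, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	var roles []*url.URL
	for _, r := range id.Roles {
		roles = append(roles, &url.URL{Scheme: "role", Host: r})
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: id.Principal},
		URIs:                  roles,
		NotBefore:             now,
		NotAfter:              now.Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorize is the per-connection check: the certificate must chain to the
// trusted CA, be inside its validity window at now, and carry requiredRole.
func authorize(ca, cert *x509.Certificate, now time.Time, requiredRole string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("identity %q rejected: %w", cert.Subject.CommonName, err)
	}
	for _, u := range cert.URIs {
		if u.Scheme == "role" && u.Host == requiredRole {
			return nil
		}
	}
	return fmt.Errorf("identity %q does not hold role %q", cert.Subject.CommonName, requiredRole)
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	alice := Identity{Principal: "alice@example.com", Roles: []string{"db-read"}}
	cert, _, err := issue(ca, caKey, alice, now, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("within TTL, db-read:", authorize(ca, cert, now.Add(10*time.Minute), "db-read"))
	fmt.Println("after TTL, db-read: ", authorize(ca, cert, now.Add(2*time.Hour), "db-read"))
	fmt.Println("within TTL, root:   ", authorize(ca, cert, now.Add(10*time.Minute), "root"))
}
```

The same `authorize` check serves a human user and a workload alike: a Kubernetes pod or CI job gets its own certificate from the same CA, so the resource never has to know whether the caller is a person or a machine, only whether the identity chains to the CA and currently holds the role the task needs.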
This isn’t just a new paradigm for a select few organizations to embrace. Any enterprise with operations governing business applications and customer data should see itself as having a vested interest in properly enforcing zero trust, along with eliminating credentials and standing privileges. After all, modern infrastructure isn’t getting any less complex in the next few years, and nobody wants to be in a position where nobody knows who has access to their data.
About the Author
Ev Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers with solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev held a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University and has a passion for trains and vintage film cameras. Follow Ev Kontsevoy on LinkedIn and Teleport at https://goteleport.com/.