Data breaches have accelerated quickly in 2024. Google ‘data breach’ and you’re in for a whirlwind of high-profile names scattered across headlines of thousands, and sometimes millions, of customer and personal records exposed.
The headlines are reporting not only the compromise of sensitive data, but also the disruption of business operations as companies take systems offline to assess and contain the blast radius of compromised systems.
Not even Big Tech is safe from scrutiny. And it’s because DevOps and cloud infrastructure have grown very complex. The fragmentation of identity and access silos has created an environment that enables bad actors to breach and pivot across infrastructure by identifying a misconfiguration, or forcing human error through techniques such as social engineering. Case in point: roughly 85% of data breaches in 2023 involved servers.
There’s a way out of this breach nightmare, but it will require a new cybersecurity paradigm. This will require eliminating secrets, enforcing zero trust, enforcing the principle of least privilege, and hardening access with identity security and centralized policy governance.
Modern infrastructure is a lot more complex than it used to be
But first, how did we get here? Well, engineering infrastructure evolved. A few decades ago, you might have had a handful of layers in a company’s technology stack. It was easy enough to standardize the security model for each of those layers.
That’s not the case in today’s cloud-heavy environment of plentiful ephemeral resources. The modern-day ‘stack’ includes many disparate technology layers—from physical and virtual servers to containers, Kubernetes clusters, DevOps dashboards, IoT, mobile platforms, cloud provider accounts, and, more recently, large language models for GenAI.
This has created the perfect storm for threat actors, who are targeting the access and identity silos that significantly broaden the attack surface. The sheer volume of weekly breaches reported in the press underscores the importance of protecting the whole stack with Zero Trust principles. Too often, we see bad actors exploiting some long-lived, stale privilege that allows them to persist on a network and pivot to the part of a company’s infrastructure that houses the most sensitive data.
Zero Trust enforcement should now extend to applications and workloads
For a brief history lesson, the traditional security model before Zero Trust was about the perimeter – protecting internal applications and data with an external access point like a VPN. Authenticating via that VPN would grant access to whatever was inside, with no further authentication needed. From a malicious actor’s perspective, breaching this perimeter by exploiting a static credential or stale privilege would grant access to other resources on the network.
Zero Trust was the answer to creating a ‘perimeter-less’ environment where ‘everything requires authentication’ (i.e. ‘never trust, always verify’). Instead of authenticating to the network, you authenticate each time you access a resource.
Enter the pandemic, Zero Trust deployment heavily focused on solving network authentication. Most companies realized that VPNs weren’t designed for large numbers of remote workers. The question was, ‘How do we get our employees set up on the network if these VPNs only work within the office’? While plenty of companies have figured out how to authenticate users and enforce Zero Trust at the network level in the last few years, they haven’t done so at the application and workload layer. They, therefore, haven’t solved the more comprehensive challenge of enforcing a fully Zero Trust architecture for their cloud and data center operations.
To end rampant breaches, companies must now extend Zero Trust enforcement to applications and workloads. Companies need to transition to a mindset of constantly asking, “Does this person have appropriate authorization to access this particular resource in the specific context in which they’re to access it?”
The distinction between the corporate and public networks doesn’t matter in a Zero Trust security model. Zero trust applied in this way makes all resources location-independent.
The shift from role-based to attribute-based authentication
Companies can further harden their access control by ensuring that resource access is taking place in an appropriate context.
Attribute-based authentication is how we get there, effectively setting very granular requirements for when someone can access a resource.
For example, if you have a database table housing sensitive data, the first step might be to only grant access to employees with a specific job title – e.g., ‘role-based authentication,’ or RBAC. From here, companies can get more granular with attribute-based authentication, or ABAC. A few factors you might weigh for whether or not a user gains access include:
- Where are you? Are you in your ‘workplace’ (the office), or are you in Tahiti?
- What device are you using? Are you on a work laptop or something else, such as a personal phone or tablet?
- What time is it? e., do you want to permit access to a resource when it’s being used in production?
You can create a rule that says, “All senior programmers trying to access database table XYZ have to be in Kansas between 2pm and 4pm.” You’ve now shut access to anyone not meeting these conditions. If the employee is on vacation in Hawaii, if they’re not senior enough, or if the database is in production use, it’s locked by default.
Everyone should govern on attributes this way when granting access to users, as opposed to granting access to anyone inside ‘the network’. These attributes are key to organizations reducing the attack surface exposed to bad actors with nefarious intent.
Observability needs to be coupled with enforcement
Much investment is happening in the startup space across observability tools like identity security and policy governance. These are being layered on top of access technologies to add insight into how access is taking place. But they’re being handled in isolated buckets, making associating the actual human user with each action hard.
Zero Trust access for modern infrastructure benefits from being coupled with a unified access mechanism that acts as a front-end to all the disparate infrastructure access protocols – a single control point for authentication and authorization. This provides visibility, auditing, enforcement of policies, and compliance with regulations, all in one place.
These solutions already exist on the market, deployed by security-minded organizations. However, adoption is still in early days. This means that a simple access rule like ‘developers should never have access to production data’ remains an unenforceable concept for many. We can see the consequences of organizations falling behind on unified access control for authentication and authorization, like the Change Healthcare, a UnitedHealth Group subsidiary, ransomware attack back in February which disrupted prescription and physician services across the company as systems were taken offline to assess and contain the blast radius.
By unifying observability and enforcement, companies gain leverage in further hardening security, intervening in threat attacks, and reducing the blast radius. This means that if breaches occur, it may be possible to remediate efficiently without taking entire systems offline that disrupt operations and processes for companies and individuals.
Complexity is not going away
Although Zero Trust solutions are broadly deployed in network security, it is time for engineering leaders to extend these principles to modern infrastructure, while making life easier for employees who manage the resources and data driving their business. Modern DevOps infrastructure will only get more complex, dynamic, and ephemeral as time goes on. By investing in access solutions that improve user experience for engineers while hardening security, companies can protect against the riskiest part of their infrastructure: the human element that attackers are exploiting.
About the Author
Ev Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev had a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University, and has a passion for trains and vintage-film cameras. EV can be reached on LinkedIn and at https://www.goteleport.com/.
