
Putting the 8 Principles of Infrastructure Access into Practice


IT and security teams want to protect sensitive data and systems from online threats to preserve both the bottom line and their organisation’s reputation. This means securing access to cloud and on-prem infrastructure. But legacy techniques have largely failed users and IT administrators in this regard—it’s time for a modern approach.

Why have legacy tools failed?

As organisations adopt cloud IaaS to operate alongside traditional on-prem infrastructure, they need to establish secure identity and access management (IAM) for accessing critical infrastructure.

Traditional static credentials used to access servers fail because they are too easily lost or stolen. Since they have no intrinsic link to user identity profiles, they are difficult to manage at scale. And manual provisioning and deprovisioning, along with credential sharing across multiple systems, expose organisations to security risks.

Organisations are looking for a fresh approach that is purpose-built for modern cloud environments, and supports the automation of their DevOps practices. Okta changed the game by taking a fresh, Zero Trust approach to the infrastructure access use case with the introduction of Advanced Server Access (ASA).

Okta’s eight principles for infrastructure security success

To get infrastructure access security right, Okta recommends organisations follow eight key principles to solve the challenges in a more elegant way than traditional approaches.

Mailchimp is a great example of a modern, DevOps-centric organisation which has realised massive improvements by following this approach as a pathway to Zero Trust success. Jordan Conway from Mailchimp shared at Oktane19 how Okta has helped them achieve a more effective method of infrastructure security with Okta’s Advanced Server Access. To summarise, here is a breakdown of how Mailchimp executed upon these 8 principles with Okta.

1. Automation over Manual Operations

In an increasingly cloud-centric world, effective access controls should be fully automated rather than relying on traditional, manual processes. Everything from enrolment to provisioning and configuration should be automated to support the pace of the business.

For Mailchimp, Okta’s ability to automate the delivery of seamless identity and access controls across their server fleet added the most value right away. In one fell swoop, ASA removed manual key management processes and simplified onboarding and offboarding of server admins.

2. Ephemeral Credentials over Static Keys

With automated infrastructure, the practice of tracking and managing credentials breaks down at any level of scale. With the advent of Zero Trust, contextual access enables smarter decision making, yet must be backed by a tightly scoped credential mechanism. Okta built a revolutionary approach to the credential challenge that better mitigates risk.

At Mailchimp, developers stored static keys on their own laptops, creating trust and security challenges for the firm. By adopting ASA, Mailchimp streamlined the login process for server admins and developers, without the worry of who had keys to which servers.

3. User Identities over Shared Accounts

Shared administrative accounts create security risks even when they are nominally well protected. This is because it’s difficult to attribute who accessed what and when, and to write policy for who should be able to access what and when. To adhere to organisational policies, all access should be directly attributed to individual user accounts.

Mailchimp realised a “huge bonus” from every user having their own identity when performing actions on a server. They now have an accurate audit record of all activity, which has enhanced accountability and eliminated risks stemming from shared credentials.
