Putting the 8 Principles of Infrastructure Access into Practice

IT and security teams want to protect sensitive data and systems from online threats to preserve both the bottom line and their organization’s reputation. This means securing access to cloud and on-prem infrastructure. But legacy techniques have largely failed users and IT administrators in this regard—it’s time for a modern approach.

Why have legacy tools failed?

As organizations adopt cloud IaaS to operate alongside traditional on-prem infrastructure, they need to establish secure identity and access management (IAM) for accessing critical infrastructure.

Traditional static credentials used to access servers fail because they are too easily lost or stolen. Since there’s no intrinsic link to user identity profiles, it’s difficult to manage at scale. And manual provisioning and deprovisioning and credential sharing across multiple systems exposes organizations to security risks.

Organizations are looking for a fresh approach that is purpose-built for modern cloud environments, and supports the automation of their DevOps practices. Okta changed the game by taking a fresh, Zero Trust approach to the infrastructure access use case with the introduction of Advanced Server Access (ASA).

Okta’s eight principles for infrastructure security success

To get infrastructure access security right, Okta recommends organizations follow eight key principles to solve the challenges in a more elegant way than traditional approaches.

Mailchimp is a great example of a modern, DevOps-centric organization which has realized massive improvements by following this approach as a pathway to Zero Trust success. Jordan Conway from Mailchimp shared at Oktane19 how Okta has helped them achieve a more effective method of infrastructure security with Okta’s Advanced Server Access. To summarize, here is a breakdown of how Mailchimp executed upon these 8 principles with Okta.

1. Automation over Manual Operations

In an increasingly cloud-centric world, effective access controls should be fully automated — not traditional, manual processes. Everything from enrollment to provisioning and configuration should be automated to support the pace of the business.

For Mailchimp, Okta’s ability to automate the delivery of seamless identity and access controls across their server fleet added the most value right away. In one fell swoop, ASA removed manual key management processes and simplified onboarding and offboarding of server admins.

2. Ephemeral Credentials over Static Keys

With automated infrastructure, the practice of tracking and managing credentials breaks down at any level of scale. With the advent of Zero Trust, contextual access enables smarter decision making, yet must be backed by a tightly scoped credential mechanism. Okta built a revolutionary approach to the credential challenge that better mitigates risk.

At Mailchimp, developers stored static keys on their own laptops, creating trust and security challenges for the firm. By adopting ASA, Mailchimp streamlined the login process for server admins and developers, without the worry of who had keys to which servers.

3. User identities over Shared Accounts

Shared administrative accounts create security risks even when they are nominally well protected. This is because it’s difficult to attribute who accessed what and when, and to write policy for who should be able to access what and when. To adhere to organizational policies, all access should be directly attributed to individual user accounts.

Mailchimp realized a “huge bonus” from every user having their own identity when performing actions on a server. They now have an accurate audit record of all activity, which has enhanced accountability and eliminated risks stemming from shared credentials.

4. Local Accounts over Directory Interfaces

Directory interfaces like LDAP create major administrative headaches for firms operating at scale, especially with establishing a connection to their system of record. Okta now offers the ability to eliminate the need for an intermediary interface, provisioning local machine accounts directly from the system of record.

For decades, organizations tried to figure out how to sync up server users with their system of record. Okta solved this in a very elegant way, which reduces admin overhead and pain. Mailchimp has seen the benefits of this approach through reduced admin overhead and improved overall security.

5. Single Sign-On over Checkout Processes

Traditional tools and practices force painful, out-of-band checkout processes on sysadmins not keen on workflows that slow them down. Single sign-on (SSO) removes the pain by implementing the same user-friendly experience employees enjoy when they access business apps to the infrastructure space.

At Mailchimp, the firm’s engineers were initially hesitant to make the switch to a new workflow as they were used to working manually with their own keys. As soon as they started using ASA, they realized the security benefits, and recognized that the workflows didn’t interrupt their daily work.

6. Role-Based Access over Privilege Escalation

Traditionally, organizations delegate privileges from shared accounts to users for specific tasks, thereby enforcing least privilege access. This method can be open to abuse as it’s difficult to know if a specific user should be granted privileged access or not. Identity-based access controls grant permissions explicitly linked to the user’s role.

For Mailchimp, this new approach provides “the right role and right access to the right developers,” thereby enhancing security. This is important as the organization grows and expands specialisms within its engineering departments.

7. Bastions over VPNs

The traditional network perimeter no longer exists, making VPNs obsolete. Instead, “Bastion” hosts provide users with an authentication gateway to reach private infrastructure, driving more seamless log-ins.

Although Mailchimp still uses VPNs, they acknowledge their shortcomings. When network equipment or a new office/location is added, there are significant costs to reconfigure the VPN and associated access. For a fast-growing company like Mailchimp, this is a major headache. Transitioning off VPNs will remove the risk of IP-based configuration mistakes and simplify the user experience.

8. Structured Logs over Session Recordings

Most compliance requirements specify a need to record admin activity for playback in the future. For improved clarity, this is best done via structured logs rather than session recordings.

Mailchimp’s experience exemplifies this. They now have an easily indexable and searchable system—instead of hard-to-read audit logs. This provides digestible insight into what’s going on and to which endpoints users are connecting.

Want to learn more?

To find out more about Okta’s Advanced Server Access solution, check out our recent ASA product announcement. You can also read more about The 8 Principles of Modern Infrastructure Access, or watch the full video of the Oktane19 session, Bringing Modern Identity to Infrastructure Access, below.