Secure Velocity: New Advanced Server Access Compliance and Automation Capabilities

With the move to the cloud, more organizations are employing DevOps programs to streamline the delivery of software, bringing continuous innovation to customers in the form of new digital experiences. The pace of business demands velocity, so to better enable developer productivity and happiness, mature organizations must foster a culture of automation. This becomes increasingly important in a cloud-centric world, where infrastructure environments are dynamic, and elastic resources may only live for days, hours, even minutes.

The supporting casts to developer velocity are the security and operations teams who power the underlying infrastructure for availability, resilience, and performance. A key challenge, when speed is the name of the game, is not compromising on compliance requirements. In other words, how can we move fast without breaking things?

Okta Advanced Server Access was purpose-built to adapt to a constantly changing surface area by shifting identity left—making identity and access part of your automation, not an afterthought. We’ve enabled numerous customers to automate the end-to-end lifecycle of identity and access across hundreds, thousands, and even hundreds of thousands of elastic cloud instances.

In doing so, we’ve helped our customers solve hard PCI-DSS, SOC 2, and FedRAMP compliance guidelines related to server account and credential management with less pain and in less time. Our elegant approach and SaaS delivery model removes much of the burden by eliminating shared accounts and tying everything to identity. There are no keys to rotate because Advanced Server Access mints ephemeral credentials on-demand.

Our announcements today further enhance our compliance capabilities, keeping with the business driver of enabling velocity at scale. Security without impacting productivity—the best of both worlds!

What’s New

In helping our customers deploy Advanced Server Access across their infrastructure environments, we’ve learned where there are opportunities to do more to help. The key themes of the updates we’re announcing today are easier automation integrations and more expansive compliance capabilities. It’s everything you love at the application level and extending that to the server level.

Certified ASA HashiCorp Terraform Provider

Many Okta customers use HashiCorp Terraform to automate infrastructure provisioning across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. With the Okta ASA Terraform Provider, you can dynamically create and configure role-based access controls inline with your existing Infrastructure as Code (IaC).

For example, you can have Terraform code spin up new VPC environments, and create and configure new ASA Projects in parallel. Then as new EC2 instances are spun up, they can be enrolled with the respective ASA Project, and have the right users, groups, and entitlements “just there” at startup. All this without having to figure out how to apply access controls after the fact. This allows you to ensure consistent guard rails across your dynamic server fleets, both elegant and secure.

The Okta ASA Terraform Provider has been certified by HashiCorp, and is available on GitHub at: https://github.com/oktadeveloper/terraform-provider-oktaasa

Okta ASA Connector for Workflows

As business processes get more complicated and teams use more tools, stitching things together can be a constant pain. Okta Workflows extends the power of Lifecycle Management in a no-code manner, making it simple and intuitive to automate these processes. With the Okta ASA Connector for Workflows, you can automate time-based access controls to groups of servers based on event triggers.

For example, you can hook up Okta ASA to ServiceNow, so that any time a new ticket comes in and is assigned to a Support Engineer, that user’s access can be granted only for a specified time window, without the need to worry about cleanup. This allows you to be very precise about least privileged access, controlling who can access which servers, what they can do, and for how long.

The Okta ASA Connector for Workflows is available as an application in your Workflows console. Find documentation here: https://help.okta.com/en/prod/Content/Topics/Workflows/connector-reference/connector-reference.htm

PolicySync

When dealing with dynamic infrastructure, it’s a constant challenge to ensure that your least privileged access policies are being adhered to in practice. With PolicySync, you have a flexible model for applying coarse-grained and fine-grained access controls in a consistent manner. This feature family encapsulates role-based access controls to groups of servers by project or by label, and the commands they can execute via entitlements.

For example, only members of the DevOps team can access the servers in the CI/CD cluster, and only members of the Data team can access the servers in the Database cluster. Privileged commands can be restricted for the Data team, so they can only perform actions related to their job. Additionally, group assignments can be applied to labels, which can be configured or imported from AWS. For example, you may have a number of servers that handle payment processing, and are subject to PCI-DSS guidelines. These servers can be assigned fine-grained control, across all projects, based on a label name.

PolicySync is a class of features mostly available today, with new attribute-based access controls coming in Early Access by Q4 2020. Contact your Okta account team to have new capabilities turned on for your ASA team.

Session Capture for Linux

Many compliance guidelines, including SOC 2, PCI-DSS, and FedRAMP, require all administrative sessions be logged for audit purposes. With Session Capture for Linux, you can pass SSH traffic through an SSH Gateway service that captures the inputs and outputs of the interactive session as structured logs, and then have them delivered to a secure object storage location within your infrastructure environment.

Session Capture is an optional project configuration. For example, you can spin up a series of Gateway hosts with a “PCI” label, and assign that label to the projects with servers subject to PCI-DSS guidelines. Traffic to those servers will be logged at the keystroke level, which you can deliver to your auditors on a regular basis, with all activity directly attributed to an Okta user.

Session Capture for Linux is currently in Early Access. Contact your Okta account team to have the feature turned on for your ASA team.

Get started with Advanced Server Access today!

The value of each of these new capabilities compound at scale, and with more dynamic infrastructure spinning up and down, dealing with account and credential sprawl can be daunting. With Advanced Server Access, security is baked right into your infrastructure automation, allowing you to move fast without breaking things.

To discover how Okta can help your DevOps team to shift identity left, check out the following resources
or Request a Demo.

Advanced Server Access (Product)
Adapting to the Cloud Operating Model: Using Okta + HashiCorp to Automate Identity +
Infrastructure as Code (Blog)
SSH is Dead. Long Live SSH: One Million SSH Logins with Okta. Zero SSH Keys (Blog)
Automating Infrastructure Identity with Okta Advanced Server Access (Whitepaper)
Advanced Server Access & Your Journey to the Cloud Operating Model (Webinar)