Breaking Barriers: Scaling Infrastructure Identity with Advanced Server Access
Software powers your business. Infrastructure powers your software. To remain competitive in today’s fast-paced landscape, your applications need to be highly available and performant. To meet that demand, your systems need to be resilient and secure. When you add that up, it’s the Operations and Security teams that carry the responsibility for those four key traits. Remember them, and remember them well: availability, performance, resilience, and security.
Every company on its cloud journey reaches a critical point where the complexities of scale rear their ugly head, risking the most important attribute of them all—customer delight. On the surface, access management may not seem like a barrier to scaling cloud adoption. But as those who carry the responsibility know too well, as environments scale, so do the pieces to configure and the surface area to protect. Without a clear identity and access management system in place, configuration drift and credential sprawl quickly become unmanageable.
The architects responsible for designing these systems must always consider scale, making decisions today that will work for many years to come. And the architects of today are thinking about cloud-native solutions for that future. As it stands, traditional infrastructure access management products were built for a different time, when environments were fixed and resources static. Back then it was possible to bolt on controls after everything was provisioned. But in the cloud, the environments are dynamic and the resources ephemeral, so your controls must be able to adapt to these changes—especially at scale.
It’s the recognition that cloud environments are dynamic that has driven so many Okta customers to Advanced Server Access, which mitigates the risk of credential sprawl and relieves the pain points of configuration drift in a Zero Trust manner, purpose-built for cloud scale.
From 1 million to 10 million SSH logins
Back in July, we wrote a blog post illustrating our elegant architecture along with the milestone of reaching 1 million SSH logins per month. Only half a year later, we’re pleased to share that we’re now processing over 10 million SSH logins per month. This impressive milestone signifies a seamless end-user experience for hands-on practitioners who access infrastructure for their day-to-day jobs. But what makes it especially significant is the ease of the administrative work to get there – all due to automation and the Shift Identity Left mentality of our deployment model.
Behind the scenes, our team performed a comprehensive series of infrastructure scale and stress tests and passed with flying colors. Scale matters to your business, and it matters to ours as well. You can trust that our services are battle-tested in production across all types of customer environments, both in the cloud and on-premises.
Expanding Advanced Server Access: added resources, enhanced features, stronger assurances
A key theme surrounding the growth of the Advanced Server Access product and Okta’s capabilities across the infrastructure landscape is the notion that customers want to do more with us. This is a welcomed request, and we’re pleased to share that today at Oktane21, we announced Okta Privileged Access, a new product that will become available early next year.
In the meantime, we’re also pleased to announce new Advanced Server Access capabilities that customers can take advantage of today.
Better Windows coverage by supporting Active Directory domain users
A key design consideration of Advanced Server Access is to manage local system accounts so that we can effectively automate their end-to-end lifecycle. This works perfectly well for Linux servers, which have only a single account system, but Windows servers have two kinds of accounts: local users and domain users. Domain users are sourced via Active Directory (AD), where permissions are modeled based on Group Policy Objects (GPOs). Local user accounts can’t interface with GPOs, so customers who have invested years in crafting policies within AD need to authenticate to Windows servers as domain users.
Because a core value of Advanced Server Access lies in replacing outdated, clunky identity and access management systems, supporting AD posed a challenge for us. And since not all resources are headed to the cloud, there’s still a significant amount of on-prem Windows infrastructure out there that needs strong access management from Okta.
Our team took this challenge head-on, leveraging the gateway architecture built to support SSH Session Capture and extending it to Remote Desktop Protocol (RDP) sessions. With this new capability, Okta administrators will be able to link AD identities with an Okta identity, allowing end-users to log in to a Windows server using their domain credentials. Customers gain the strong authentication and compliance assurances of Okta, without sacrificing existing Active Directory investments—the best of both worlds!
Domain-Joined User Support will be available in Early Access in Q3 2021, with additional milestones for enhanced Windows support following up to the release of Okta Privileged Access.
Tighter integration with IaaS providers to enhance PolicySync
At Showcase20, we debuted PolicySync, a feature family that encompasses role, attribute, and time-based access controls to provide the most flexible model for applying and enforcing least privilege access controls. A key component of this feature family is the ability to label resources to apply more fine-grained controls.
Companies that have adopted Infrastructure as a Service (IaaS) best practices may already be tagging their cloud resources, e.g., labeling servers that are subject to compliance requirements, or assigning a cost center. Those who’ve invested the time want those tags aligned with the Advanced Server Access inventory, maintaining consistency without duplicating the effort.
We’ve enhanced our native integrations with the top IaaS providers – Amazon Web Services (AWS) and Google Cloud Platform (GCP) – enabling strong multi-account authentication and synchronization. Customers can automatically enroll cloud instances to synced projects, and can automatically import resource tags to be applied to server inventory. This allows for more flexible and automated attribute-based access controls across large-scale multi-cloud server fleets.
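To make the tag-driven model concrete, here is an added example (not Okta’s code, and not the PolicySync rule language) of how imported resource tags can drive attribute-based, time-bounded, default-deny access decisions. The inventory, tags, group names and rule schema are constructed sample data; the sync step replaces a server’s tag set rather than merging it, so a tag removed in the cloud also removes the access it granted.

```python
"""Tag-driven (attribute-based) server access evaluation.

Added illustration, not Okta's own code: it models how resource tags synced
from a cloud provider could drive least-privilege access decisions. The
inventory, tags, groups and rule schema are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory as it might look after tags were imported from AWS/GCP.
INVENTORY = [
    {"hostname": "web-01", "cloud": "aws", "tags": {"env": "prod", "compliance": "pci"}},
    {"hostname": "web-02", "cloud": "gcp", "tags": {"env": "prod", "compliance": "pci"}},
    {"hostname": "ci-runner-07", "cloud": "aws", "tags": {"env": "dev", "cost_center": "eng"}},
    {"hostname": "analytics-03", "cloud": "gcp", "tags": {"env": "prod", "cost_center": "data"}},
]


@dataclass(frozen=True)
class Rule:
    """One access rule: who (groups), what (required tags), when (optional UTC hours)."""
    name: str
    groups: frozenset[str]                    # requester must belong to at least one
    require_tags: dict[str, str]              # every key/value must be present on the server
    hours_utc: tuple[int, int] | None = None  # (start, end) window, end exclusive


# Constructed rules: on-call SREs reach PCI production hosts only during business hours,
# engineers reach dev hosts any time, the data team reaches its own cost center.
RULES = [
    Rule("pci-oncall", frozenset({"sre-oncall"}), {"env": "prod", "compliance": "pci"}, (8, 20)),
    Rule("dev-engineering", frozenset({"engineering", "sre-oncall"}), {"env": "dev"}),
    Rule("data-team", frozenset({"data-eng"}), {"cost_center": "data"}),
]


def at_utc(hour: int) -> datetime:
    """Fixed constructed timestamp on an arbitrary day, used for deterministic evaluation."""
    return datetime(2021, 4, 7, hour, 0, tzinfo=timezone.utc)


def tags_match(required: dict[str, str], actual: dict[str, str]) -> bool:
    """Every required tag must be present with the exact value; a missing tag denies."""
    return all(actual.get(key) == value for key, value in required.items())


def in_window(window: tuple[int, int] | None, at: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    return start <= at.astimezone(timezone.utc).hour < end


def matching_rules(user_groups, server: dict, at: datetime, rules=RULES) -> list[str]:
    """Names of the rules granting access; an empty list means deny (default deny)."""
    groups = frozenset(user_groups)
    return [
        rule.name
        for rule in rules
        if groups & rule.groups
        and tags_match(rule.require_tags, server["tags"])
        and in_window(rule.hours_utc, at)
    ]


def reachable_servers(user_groups, at: datetime, inventory=INVENTORY, rules=RULES) -> list[str]:
    """Sorted hostnames the requester may access at the given time."""
    return sorted(s["hostname"] for s in inventory if matching_rules(user_groups, s, at, rules))


def sync_cloud_tags(inventory, cloud_tags: dict[str, dict[str, str]]) -> list[dict]:
    """Replace (not merge) each server's tags with the provider's current set, so a tag
    dropped in the cloud also disappears from the access inventory and from any rule
    that depended on it. Servers absent from the sync keep their existing tags."""
    return [{**s, "tags": dict(cloud_tags.get(s["hostname"], s["tags"]))} for s in inventory]


if __name__ == "__main__":
    print("sre-oncall @10:00 UTC:", reachable_servers({"sre-oncall"}, at_utc(10)))
    print("sre-oncall @22:00 UTC:", reachable_servers({"sre-oncall"}, at_utc(22)))
    synced = sync_cloud_tags(INVENTORY, {"web-02": {"env": "prod"}})  # pci tag removed upstream
    print("after sync @10:00 UTC:", reachable_servers({"sre-oncall"}, at_utc(10), inventory=synced))
```

The point of the replace-not-merge sync is consistency: if the cloud side is the source of truth for labels, the access inventory should never retain a label the provider no longer asserts, otherwise the two drift apart and access outlives the attribute that justified it.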
IaaS Inventory Integration for AWS and GCP will be available in Early Access in Q2, complementing existing PolicySync capabilities.
Greater assurances with disconnected mode
High availability is our responsibility too, and we take it seriously. Trust is at the core of our company values, and we’ve continued to prove our excellence with our 99.99% uptime SLA. To power identity and access management for your critical infrastructure, you need reliability assurances.
While you don’t want to expect it, it never hurts to plan for downtime, especially for production systems. Because Advanced Server Access offloads PKI management to our SaaS and issues credentials just-in-time, in the off chance that the Okta service or ASA goes down, your users would be prevented from accessing resources. It’s a scenario we hope will never come up, but one worth planning for—not unlike carrying insurance.
This posed a unique technical challenge: how can we deliver just-in-time access in an offline mode while continuing to mitigate the risk of credential misuse? As with all the features covered in this blog post, our new gateway service provides an answer. Customers will leverage the components of our Certificate Authority (CA) architecture within their own environments. This allows for the minting of client certificates on-demand, which can then be used to access servers in a seamless manner. This capability will only be active in a backup mode to ensure it’s only used in emergency cases.
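The two properties that make an offline fallback safe are that it signs only while the primary service is actually unreachable, and that whatever it mints expires quickly. The following added example (not Okta’s code; the gateway’s real CA design is not described on this page) sketches both with X.509 client certificates: a locally held backup CA refuses to issue while the SaaS is reachable, issues ten-minute client-auth certificates otherwise, and a server-side check validates the CA signature, the client-auth usage and the validity window. The key type, lifetime, names and the boolean health signal are assumptions made for illustration; the block needs the third-party `cryptography` package.

```python
"""Emergency (disconnected-mode) client-certificate issuance.

Added illustration, not Okta's own code: a locally hosted backup CA that mints
short-lived client certificates only while the SaaS control plane is down.
Key types, lifetimes, names and the health-check input are assumptions.
Requires the third-party 'cryptography' package.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CERT_TTL = timedelta(minutes=10)  # assumed lifetime: long enough to log in, short enough to limit misuse


class BackupModeNotEngaged(PermissionError):
    """Raised when the backup CA is asked to sign while the primary service is reachable."""


class BackupCA:
    """Self-signed CA kept inside the customer environment for emergency use only."""

    def __init__(self, name: str = "example-backup-ca"):
        self.key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
        now = datetime.now(timezone.utc)
        self.cert = (
            x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject)
            .public_key(self.key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(self.key, hashes.SHA256())
        )

    def mint_client_cert(self, principal: str, client_pubkey, saas_reachable: bool, now=None):
        """Issue a short-lived client-auth certificate, but only while the primary is down."""
        if saas_reachable:
            raise BackupModeNotEngaged("primary CA reachable; refusing to issue locally")
        now = now or datetime.now(timezone.utc)
        return (
            x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, principal)]))
            .issuer_name(self.cert.subject)
            .public_key(client_pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(seconds=30))  # small clock-skew allowance
            .not_valid_after(now + CERT_TTL)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(self.key, hashes.SHA256())
        )


def _validity(cert) -> tuple[datetime, datetime]:
    """Timezone-aware validity bounds across cryptography versions (the *_utc
    attributes exist from 42.0; older releases expose naive UTC datetimes)."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def server_accepts(cert, ca_cert, at: datetime | None = None) -> bool:
    """What a server would check: CA signature, client-auth usage, validity window."""
    at = at or datetime.now(timezone.utc)
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False
    not_before, not_after = _validity(cert)
    return not_before <= at <= not_after


def demo() -> dict[str, bool]:
    """Exercise the gating and expiry behaviour with a constructed user key."""
    ca = BackupCA()
    user_key = ec.generate_private_key(ec.SECP256R1())
    issued_at = datetime.now(timezone.utc)
    try:
        ca.mint_client_cert("alice", user_key.public_key(), saas_reachable=True)
        refused = False
    except BackupModeNotEngaged:
        refused = True
    cert = ca.mint_client_cert("alice", user_key.public_key(), saas_reachable=False, now=issued_at)
    return {
        "refused_while_online": refused,
        "accepted_within_ttl": server_accepts(cert, ca.cert, at=issued_at + timedelta(minutes=1)),
        "accepted_after_ttl": server_accepts(cert, ca.cert, at=issued_at + CERT_TTL + timedelta(minutes=1)),
        "accepted_by_other_ca": server_accepts(cert, BackupCA().cert, at=issued_at),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

In a real deployment the `saas_reachable` signal would come from a health check against the control plane, and every locally issued certificate would be logged and reconciled once connectivity returns, so emergency issuance is visible in the audit trail rather than silent.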
Disconnected Mode is targeted to reach beta in mid-2021.
Get started with Advanced Server Access today
Once again, we know the importance of availability, resilience, performance, and security to your business, and we take your critical infrastructure as seriously as we take our own. And, as evidenced by our major product announcements today, and the new Advanced Server Access capabilities outlined here, you can rest assured that Okta is your identity partner for all of your infrastructure and privileged access needs.
To discover how Okta can help your DevOps team to shift identity left, check out the following resources or Request a Demo.
Advanced Server Access (Product)
Adapting to the Cloud Operating Model: Using Okta + HashiCorp to Automate Identity + Infrastructure as Code (Blog)
SSH is Dead. Long Live SSH: One Million SSH Logins with Okta. Zero SSH Keys (Blog)
Automating Infrastructure Identity with Okta Advanced Server Access (Whitepaper)
Advanced Server Access & Your Journey to the Cloud Operating Model (Webinar)
Any unreleased products, features, or functionality referenced in this blog are not currently available and may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation, or promise to deliver any product, feature, or functionality, and you should not rely on them to make your purchase decisions.