Democratizing Zero Trust Remote Access for Infrastructure Services – Security Boulevard

Solving remote access productivity and security challenges for software engineering teams

Today, DevOps has a hard time providing easy, fast, and secure remote access to developer resources in hybrid and multi-cloud environments. In a post-COVID world, where work-from-anywhere and cloud are the norm rather than the exception, it’s crucial to provide quick access while ensuring productivity and security. Developers are adversely affected by the multiple logins required across heterogeneous environments, by the risk created by the VPN’s over-privileged access grants, and by the lack of device trust.

Challenging Day(s)-in-the-Life of DevOps

In talking with Banyan Security customers, we uncovered many challenges faced by DevOps teams. Let’s talk about Mike and his DevOps team who manage critical infrastructure including VMs, Kubernetes clusters, and databases as well as development resources like Jenkins and GitLab. They support different environments like dev, staging, pre-prod, and prod in their private data center or IaaS (e.g., AWS).

To access services, they use a traditional VPN to connect to the Bastion host(s), which in turn allow them to gain access to their infrastructure. For each hop, their IT team needs to configure inbound firewall ports and manage siloed authentication systems for each service, such as web, SSH, and databases.

There are three main problems with this approach:

  1. Manageability – Teams need to configure and maintain IP whitelisting rules in their VPN, rely on static SSH keys in Bastion host(s), coordinate firewall rules with different teams, and document application-specific authentication. Coordinating and executing so many touch points for common actions, including onboarding new team members, changing roles, or adding a new service, invites mistakes that cause productivity issues and introduce unforeseen security holes.

     Every week, Mike’s team needs to onboard new employees, remove access from previous employees, and add/remove services. In this example, Mike has hired a new developer, Alice. He wants to give her a great user experience and make sure she can hit the ground running on day one with easy, fast access to hosted developer tools and staging environments. He wants to provision and automate access without needing to touch multiple systems or file multiple support tickets. Last but certainly not least, Mike wants to ensure each user and device connecting to their infrastructure adopts a zero trust approach following a principle of least privilege. For example, Alice needs access to development environments, but shouldn’t have access to production systems.

     For each employee or service to be added/removed, it takes 4 tasks across 4 different teams, with each task having 4 actions (new ticket, provision/de-provision access, end-user setup and typically some troubleshooting). This typically takes days to weeks.
  2. User Experience – Developers have to go through multiple steps to get access to services they need. Get onto VPN. Get through Bastion. Authenticate with the service. Even worse, they often have no idea what corporate resources they have/need access to for different projects and these authentication systems.
  3. Security – VPNs and Bastions grant broad network access. In many cases there is no centralized audit log. Static credentials lead to an increased risk of leakage.

 

Better way with Banyan!

If you can relate to Mike’s challenges, Banyan Security has delivered a better way!

    1. Manageability – Mike simply deploys a Banyan Connector in his infrastructure network in a few minutes (no outbound firewall …….

      Source: https://securityboulevard.com/2021/09/democratizing-zero-trust-remote-access-for-infrastructure-services/
