Tur-Duck-En Security for IT and DevOps
Anirban Banerjee
Thanksgiving is a popular US tradition. Being an immigrant to this great country it has always been something I have looked forward to. I am excited to have my family and friends around the table, enjoy good food, catch up, laugh and have a great time.
I got thinking this year about Tur-duck-en. Why am I talking about Tur-duck-en when it comes to enterprise security? The reason is that, as of now, enterprise security in most companies is like a piece of M&M candy. How so, you ask? Allow me to explain: in most enterprises the perimeter has become fragile; it is no longer what it used to be. Employees bring in their smartphones and connect them to corporate networks. They work from home and from various VPNs and endpoints. It is a complex and ever-changing world. What enterprises have done is to put in place static security mechanisms like VPNs. These are important, but the model they are based on is old.
How is enterprise security like an M&M?
For most enterprise employees the first step to getting access to any corporate resource is to use some kind of software on their laptop/desktop and connect to a VPN. A VPN ensures that the data you are transferring from your machine to the corporate network is securely transferred, and also provides a layer of authentication so the corporate network understands that you are who you claim to be.
Authentication for the VPN can be accomplished in many ways: passwords, keys, tokens and more. The point, though, is that once you are on the corporate VPN, you are "in". That is where the problem lies.
Once you punch a hole through the corporate network, you can potentially try to log in to Microsoft SharePoint, an Oracle DB, SAP, or any other app or server for that matter. The ability of an employee to punch a hole through the crunchy candy layer of an M&M and then access anything within the gooey chocolatey layer inside is where the issues manifest themselves.
But we have firewalls
Yes, and firewalls are an important part of the security landscape. Let us understand what a firewall is supposed to do. There are usually two flavors of firewall: network and application.
Network-based firewalls work off rules and try to understand who is trying to connect to whom. In this case the "who" is the IP address of a machine and the "whom" is another machine, like an email server. Network-based firewalls are effective at identifying and stopping scanning activity, persistent brute-force attempts and more.
Application firewalls, primarily placed in front of web applications (e.g. your corporate website), look at what the browser accessing the application is trying to submit to it, say a form for a newsletter signup.
Firewalls do not help in protecting an enterprise from the threats posed by insiders or, more importantly, by someone who has already punched a hole through the crunchy candy layer and is now exploring the chocolate centre.
Consider the case where a disgruntled employee takes it upon himself to download all your Salesforce contacts, the customers who are not happy, and ships himself and the data off to your competitor. Of course something like this could never happen at your organization now, could it? See how often this happens. We discussed the topic in a previous article on our blog: "Did John run rm –rf*? Why enterprises use session recording".
In the above case no application or network firewall is going to protect your data. This is because the user has already authenticated: they are already inside the chocolate layer, they have access to their accounts and data, and they can do whatever they want.
How can Tur-Duck-En help?
The Tur-Duck-En philosophy is not new. This approach ensures that authorization rights are earned, not just blindly granted. The problem arises because, in most organizations, the way accounts are created, combined with the lack of context about what exact role the employee is going to perform, leaves a loose envelope of rights around the employee account. Read "Help IT and DevOps: Simplify Account Creation" to learn more about why employee account creation is a mess.
In an enterprise, access rights should be granted automatically in a layered fashion, just like Tur-Duck-En: layer upon layer of different types of authentication and authorization make sure that an employee account cannot be used to do things that are harmful to the enterprise.
Consider the following case. Your enterprise uses Pipedrive or Salesforce as a CRM. You now have a new employee who has been on the job a couple of months, and they have access to the CRM. On most 3rd-party (SaaS-based) applications the account creation process is not very granular. More often than not, IT and DevOps are under pressure to put out fires and hence do not have the luxury of spending a lot of time on account creation requests; they get the account created asap and that's it. In this case it is trivial for your employee to log in to the VPN, punch a hole through the candy layer, get to the chocolate (the CRM) and do whatever they like.
If instead a Tur-duck-en approach to layered privilege management were used, the employee, despite having punched a hole via a successful VPN login, would not be able to do much to harm the company.
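As an added illustration (example code written for this edit, not from the original post or from any product it describes), here is a small Python policy evaluator that applies the layered checks described above to a CRM request. The role names, action names, and tenure/MFA thresholds are assumed values; a VPN login alone never gets past the first layer.

```python
# Layered ("Tur-Duck-En") authorization: every layer must pass before a CRM
# action is allowed. Roles, actions and thresholds below are constructed
# for illustration, not taken from any real CRM.
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Request:
    user: str
    vpn_authenticated: bool   # layer 1: on the corporate VPN at all?
    mfa_verified: bool        # layer 4: step-up auth for sensitive actions
    role: str                 # e.g. "sales_rep", "sales_manager" (assumed)
    tenure_days: int          # layer 4: how long the employee has been on the job
    resource: str             # e.g. "crm"
    action: str               # e.g. "read_contact", "export_all_contacts"

# Layer 2: which resources a role may reach (constructed mapping).
ROLE_RESOURCES = {"sales_rep": {"crm"}, "sales_manager": {"crm", "billing"}}
# Layer 3: which actions a role may perform on that resource; bulk export
# of every contact is reserved for managers (constructed policy).
ROLE_ACTIONS = {
    "sales_rep": {"read_contact", "update_contact"},
    "sales_manager": {"read_contact", "update_contact", "export_all_contacts"},
}
# Layer 4: sensitive actions additionally need MFA and a minimum tenure.
SENSITIVE = {"export_all_contacts": {"mfa": True, "min_tenure_days": 180}}

def authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate the layers in order; the first failing layer denies."""
    if not req.vpn_authenticated:
        return False, "network: not on VPN"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, f"resource: role {req.role} has no access to {req.resource}"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, f"action: role {req.role} may not {req.action}"
    rule = SENSITIVE.get(req.action)
    if rule is not None:
        if rule["mfa"] and not req.mfa_verified:
            return False, "step-up: MFA required for sensitive action"
        if req.tenure_days < rule["min_tenure_days"]:
            return False, "tenure: sensitive action needs longer tenure"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample: a two-month-old sales rep on the VPN trying to pull
    # every contact, which is exactly the scenario from the post.
    new_rep = Request("alice", True, False, "sales_rep", 60, "crm", "export_all_contacts")
    print(new_rep.user, authorize(new_rep))
```

Each denial names the layer that stopped the request, which is the information an audit log or a session-recording review needs to explain why an authenticated user was blocked.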
Why can't 3rd-party SaaS applications help?
This is a very good question. Most 3rd-party SaaS apps do have some basic multi-user functionality built in. One of the reasons this functionality is lacking is that making authorization policies work seamlessly is very hard and very resource-consuming. If you get it wrong you will be apologizing to customers for the next 60 days.
SaaS applications are trying to catch up with the curve. Companies are demanding much better controls and policy management on applications. This will take time; it's not an overnight process. It is a major investment for a successful SaaS application to decide that it is going to support multi-user operation with fine-grained access control, and it takes months to get right. Most SaaS vendors do not always have the opportunity to get this done.
What is a way forward?
The way forward is not quite simple, but here is what we have seen work inside organizations: (1) invest in detailed employee account creation processes, and (2) work with your SaaS vendors to make sure that your needs for employee account and activity control are being met. This will be hard, as not all your vendors will have the ability to satisfy your requirements, but pressing them during contract renewals will obviously help move this forward. Make sure to present the vendors with a standardized model, like a flow/action diagram of sorts, to show what an employee's action pattern should look like and where in the chain they should be stopped from doing something or allowed to do something else. This is going to be time-consuming, so you will need to chalk out half a quarter for it. You will need to list out all the SaaS apps you are using and then go after each vendor to help you implement this. There have been a handful of companies who have been successful with this approach, but they usually tend to be in the Fortune 500 list with a lot of clout.
An alternative is to use a solution that lets you control privileges on any SaaS web app and cloud server without the need for any conversation with the SaaS app/server vendor.