Organizations plan to address access management over the next 12 months, as the need to secure and streamline infrastructure-wide access controls serves as a prerequisite to other initiatives, like zero-trust.
This was one of the key findings of a survey of 600 DevOps professionals conducted by Pollfish and sponsored by strongDM. The report also found that legacy access processes created severe team inefficiencies.
These inefficiencies require intensive time and resources to fix and block agile development practices: Nearly nine in 10 organizations surveyed said they required two or more employees to review and approve access requests and that those could take days or weeks to fulfill.
The survey also indicated that organizations continue to use access management practices that are not secure and that make it difficult to track and audit users and permissions of critical business systems.
Tim Prendergast, CEO of strongDM, said as more jobs become technical, there’s a bigger need to deliver access to more people, and that can have a severe impact on a company’s ability to remain secure. He explained that when 65% of organizations are reporting their teams used shared logins (and over 40% used shared SSH keys), there’s virtually no way for you to know who is in your infrastructure or the havoc they may be wreaking.
“This makes it difficult to pinpoint any leakage or loss because you have 20 copies of your house key floating around,” he said. “It’s an example of the trade-off most organizations make when it comes to speed and ease of access versus ensuring that access is secure.”
Survey respondents said their biggest challenges were the time required to request and grant access (52%) and the task of assigning, rotating and tracking credentials (51%).
Hurry Up and Wait
“Using current approaches to access means you’re hiring these high-paid, technical resources and telling them to hurry up and wait,” Prendergast said.
Nearly half (47%) of respondents said they struggled with onboarding employees and contractors and Prendergast pointed out that one in four organizations said simply getting approval for access required a process that involved four people.
“Think about that: in 25% of organizations, you have technical resources basically twiddling their thumbs while they wait to get access to this database or to that Kubernetes cluster,” he said. “Now multiply that by however many databases, servers, employees and third-party vendors that you have. And that’s not even counting when new technologies like Kubernetes are added to your infrastructure. Eventually, even just the frustration of your team as they wait for access becomes a liability.”
2022: A Year of Convergence
Prendergast predicted 2022 will see DevOps and security converge beyond what we’ve already seen with DevSecOps, where it has been heavily focused on shifting left and bringing security into the development cycle earlier.
“This convergence will be marked by new workflows, technologies and solutions that not just improve security, but that also improve the development cycle,” he said. “One great example is optimizing infrastructure access: when done right, you can improve your security posture with zero-trust methodologies while also making it easier for DevOps teams to access systems quickly and easily.”
He added that two of the biggest workforce dynamics facing zero-trust are remote work and the Great Resignation.
“You used to have this environment where you’d have to be physically present or on the VPN to have access; remote work broke that,” he explained. “And now you also have this large number of employees leaving their jobs. Do you know what systems they had access to? How do you know if all of that access has been turned off? What happens if they were using shared credentials?”
Prendergast said that’s why addressing access is critical to meeting this challenge and getting to modern security: if you don’t know who has access to what or what they can do in each system, you can never get to zero-trust.
“Organizations need to find a way to understand the relationship between each technologist and each technology and then be able to track and audit those relationships,” he said. “Until you do that, you’ll have a really hard time getting to zero-trust. These are the table stakes for modern security.”



