The 3 Security Trends Impacting Engineering Workflows

    There are a variety of new and upcoming security trends that will have a direct impact on software engineering workflows in 2022. In this article we’ll look at three emerging security approaches, and how new technologies–such as strongDM– can potentially help organizations become more secure. 

1. Zero Trust

The Zero Trust model was created by John Kindervag, vice president and principal analyst for market research company Forrester Research. It is based on the idea that trust of everything and everyone inside an organization’s network is a vulnerability. Zero Trust is an attractive security model in an era when employees are often working remotely and using multiple devices and increasingly sophisticated attacks are often aimed at locations separate from the point of infiltration. 

Barriers to Implementing a Zero Trust Model

While a Zero Trust model may seem attractive, there are several barriers to its adoption. Modern organizations have highly complex and distributed infrastructures, and it’s often challenging to configure legacy or third-party applications with Zero Trust without having to rebuild them. Furthermore, many organizations have complex configurations that require a combination of several tools to support a Zero Trust model. And finally, building a Zero Trust framework touches nearly everyone in an organization, so requires an organization-wide mindset shift. 

Zero Trust architectures 

A well-implemented Zero Trust model not only provides security but also enables businesses to operate more effectively, with secure and granular access for everyone, based on their roles and needs. strongDM supports Zero Trust by integrating out-of-the-box with any identity provider via OpenID Connect (OIDC) protocols, and delivering secure and easy access to backend infrastructure. strongDM’s architecture creates a software-defined network (SDN) that proxies client traffic through a centralized gateway to manage access to resources. Admins can easily create and define roles to defined groups of users as well as audit usage. 

strongDM architecture creates a software-defined network (SDN) that proxies client traffic through a centralized gateway to monitor and manage access to resources

2. Access Management

Identity and access management (IAM) strategies dictate how general access to resources such as devices, applications, network files, and environments are managed. IAM sees the end of shared accounts and requires each individual user to have their own digital identity, such as a username and password. Within IAM lies privileged access management (PAM), giving privileged users the authority to make changes to a network, device or application. 

Often, IAM and PAM approaches have a major gap–automating access to backend infrastructure. Similar to internal and web applications, sensitive data and critical infrastructure must also be accounted for when addressing access management, including observability, automation, and fine-grained authentication and authorization.

Tracking User Access 

Identity Governance and Administration (IGA) provides the ability to monitor and audit access to data, increasing visibility and helping organizations meet their compliance requirements. IGA tracks user access and helps ensure that IAM protocols are properly implemented. 

IAM Cloud Misconfigurations

Access solutions are facing an ever-increasing complexity of needs. They must be flexible enough to handle the adoption of new technology, the changing nature of cloud infrastructure, as well as potentially rapid scaling of organizations. While cloud-managed access management solutions offer answers to many of these challenges, organizations must avoid falling into common pitfalls of misconfigurations, such as not using the full functionality of tools such as role-based access controls (RBAC) and multi-factor authentication. 

Principle of Least Privilege

 

Another common mistake that admins make is to default to setting access controls to the most permissive settings. This eases friction with colleagues and can be seen as a time-saving decision, as overly restricted access can be cumbersome. The challenge, however, is they are sacrificing security for convenience.

Understanding the principle of least privilege is important here. Organizations must find a compromise between ease and security. If access is too restrictive, employees won’t be able to do their jobs. Too lax, and the door to attack is open. Using the right level of restriction can — perhaps counter-intuitively — improve operational performance: it improves workforce productivity, bolsters system stability, and enhances fault tolerance. It reduces system downtime that might otherwise occur as a result of a breach, malware spread, or incompatibility issues between applications. 

Applying the principle of least privilege means that admins grant both machines (applications, networks, databases, and so on) and humans only the required level of access, nothing more. It counteracts privilege creep, where rights that are only required temporarily are never revoked, and are instead accumulated over time. It also reduces the likelihood of a successful phishing attack, as fewer employees have access to superuser privileges. 

Privileged Access Management

Privileged access management strategies enforce the principle of least privilege, restricting access of each user to the minimal level required for them to do their job. This helps prevent the spread of malware, decreases cyber attack surface, improves workforce productivity, and helps demonstrate compliance.

Even under PAM, the highest-level users connect with non-privileged access most of the time, when carrying out day-to-day activities such as word processing or accessing SaaS tools for communication and project management. They only use privileged accounts to adjust permissions, change critical data, or perform other critical actions. 

Privileged accounts occur in both human and machine categories. Privileged human accounts may include root accounts with the ability to execute commands to make changes to a system, or privileged business users who require access to sensitive information in finance, marketing, or human resources. Privileged machine accounts may include application accounts which access databases or run batch scripts and SSH keys. 

3. Secure Access Service Edge (SASE)

As organizations have an increasing need for remote users to have uninterrupted and continuous access to their networks, more SaaS applications, and data moving from the data center to cloud services, they require a new approach to network security. Secure access service edge (SASE, pronounced “sassy”) is a cloud architecture model that combines network and security-as-a-service functions to deliver them as a single cloud-based service. SASE sees a move away from perimeter-based security, to enforcing security at user and application endpoints.

Characteristics of SASE

The main characteristics of SASE include:

  • Combined SD-WAN and security functions
  • Cloud-native architecture that is scalable, agile, and self-healing
  • Globally distributed fabric of PoPs to ensure advanced WAN and security capabilities wherever users are located
  • Identity-driven services that drive real-time context impacting security policy
  • Equal edge-to-edge support

SASE Benefits

Gartner predicts that by 2025 at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch, and edge access. This is because the benefits of the approach are numerous, including centralized RBAC which restricts a user’s access depending on their role, straightforward audit trail and reporting mechanisms, and a reduced cost thanks to the elimination of disjointed physical and virtual appliances from multiple vendors.

strongDM

StrongDM’s product is a tool that manages and audits access to servers, databases, data centers, and more. It gives your technical staff frictionless and auditable access to everything they need across your entire stack, in a single place. 

For a demo, visit strongdm.com

Sian Page

Sian Williams Page is a freelance science and technology writer based in Edinburgh, UK.

Software Daily

Software Daily

 
Subscribe to Software Daily, a curated newsletter featuring the best and newest from the software engineering community.