The Banyan Security Blog

Fernando Montenegro

Principal Research Analyst, S&P Global Market Intelligence
@fsmontenegro
 

 

It’s now been slightly over 18 months since the WHO officially declared COVID-19 a pandemic. As organizations raced to respond to the new safety needs, information security emerged as one of the most active areas for accelerated or new initiatives. For many organizations, rethinking remote access – once reserved for back-end IT workers, ‘road warriors’ or the occasional work-from-home (WFH) need, but suddenly affecting a much larger share of employees, particularly ‘knowledge workers’ – shot up as a high priority.

The nuance, though, is that not every knowledge worker has the same needs. Developers or IT engineers, for example, have very distinct work patterns compared to those in sales, marketing, finance, research, legal, etc. Your typical modern developer will be accessing multiple disparate systems, often each with different security postures and requirements. Typical developer access may include application-level access to a source code repository, with the complexity hidden away by a client application; access to an integration system front-end via a web interface; shell access to a variety of development or test systems to investigate application behavior; or even administrative-level access to production systems for occasional troubleshooting of urgent production issues. All of these are likely located in a mixture of datacenter, on-premises, hybrid- and multi-cloud locations.

It goes without saying that all this activity needs to be properly secured. One of the interesting aspects of modern security is that this does not need to be an adversarial relationship: our research indicates that there is broad agreement that security is a top-level requirement and that there is increased usage of security tooling – be it application security, network security, data security, or others – throughout the development lifecycle. The key challenges in deploying security controls are doing so in a way that doesn’t overly impact developer/engineer productivity and that addresses the inherently siloed nature of each application or system being used.

Some may wonder: “Is it really necessary to rethink this? What’s the worst that can happen if we stick with what we have?” Well, consequences will vary. If nothing else, managing the different needs of developers and engineers the same way as traditional remote workers introduces friction and likely lowers productivity, as those professionals need to keep track of diverse login information for different systems and platforms. If, as an alternative to this, access is just left open, there’s evidence of numerous incidents where public interfaces for managing cloud-native information were abused, followed by cryptomining and other unwanted actions. Lastly, there’s also evidence that attackers have been pursuing victims that have legacy remote access (VPN) infrastructure, either because of vulnerabilities in those products or because typical misconfigurations often involve poor authentication options and policies that are too permissive.

This last point highlights something critical: it’s not just about the experience for the end user, be they a developer or not, but about the administrative experience as well. If the platform makes it complicated for a team to enforce more rigorous or granular policies, there is a higher likelihood that mistakes will be made or that policies will be left with more permissions than is appropriate.

Looking ahead, it is safe to assume that much of the disruption caused by the pandemic will continue to dictate remote access and connectivity needs for knowledge workers across most if not all industries: whether at headquarters, remote branches, homes, or on mobile devices, users will require access to resources and applications that are themselves hosted in different environments. Developers and engineers will also continue to require differentiated access given their usage patterns.

As organizations consider how to address remote access needs, particularly for user profiles such as developers/engineers, it will be important to support the different requirements, including connections to multiple systems and applications, complex identity and access management requirements, and more, all the while supporting strong security design principles such as Zero Trust, resilience, and proper security hygiene.