What are some effective approaches to access provisioning?
In the old days, those permissions were hard-coded in the software. And if a contractor came in, I'd send them an email saying, "Here's three lines of code, just drop that into what you're doing and then you can always get to this environment, you'll never have a problem." It wasn't even regulated.
The challenge now is that you also need to manage the bots, just like you're managing your human access. If I am writing the code for the bot, I still want to know its baseline behavior. And if the bot goes rogue on me, I should be able to catch it. The new problem is not people going rogue, but the people making the bot go rogue on you.
There's a startup using facial recognition technology to step up authentication during the software engineering process. There are certain permissions that are embedded in systems that'll give you access to different infrastructure or data assets, or even activities that happen within the software itself. You have an army of 200 developers working on this system and there are all these embedded secrets in the way the code is constructed. You want to make the permissions as ephemeral as possible. For example, I can give you a cookie so that you can go in and do stuff for the next hour, but you won't have that permission for the rest of your life or until I fire you.
This startup is using the camera on the laptop to do a visual re-authentication of who you are before they allow you to exercise the permission that you've been given with respect to the secrets. They issue the cookie, you have it for some period of time, and then they re-authenticate you. And this is also very helpful when you have a lot of contractors, which is the case for many software companies. I wouldn't say it's a productionized capability yet, but it's a clever concept that flies in the face of all the bad press facial recognition gets. We're going to see a lot more uses for facial recognition. It reduces the friction in the customer experience by orders of magnitude and I find it hard to believe people don't get that.
Three years ago, we built something called Access Hero, which did on-demand access provisioning for a finite period of time. Nobody has perpetual access to the production environments, not even the database admins (DBAs) or production admins. We built a system in which you can request access and it automatically gets approved. We have user behavior analytics (UBA) hooked up behind the scenes so we can see patterns, and then your access is turned off. It was on an as-needed basis for production environments, so that's one way to prevent leakage in access control.
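The answer above and the earlier one about hour-long cookies with camera re-authentication describe the same mechanism: an access grant that is approved on request, carries a hard expiry, demands a fresh proof of presence at a shorter interval, can be killed early, and writes every decision somewhere a behavior-analytics pipeline can read it. The following Python sketch is an added illustration of that pattern; it is not code from the page, not Access Hero, and not the startup's product. The `JITAccessBroker` class, the HMAC-signed token layout, the one-hour and fifteen-minute windows, and the sample users and resources are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class JITAccessBroker:
    """Just-in-time access grants: auto-approved on request, hard TTL,
    periodic re-authentication, early revocation, audit trail for UBA.

    Hypothetical illustration; the key, windows and token format are
    assumptions for this example, not any real product's design.
    """

    def __init__(self, signing_key: bytes, grant_ttl_s: int = 3600,
                 reauth_window_s: int = 900):
        self._key = signing_key
        self.grant_ttl_s = grant_ttl_s          # hard cap on the grant ("the next hour")
        self.reauth_window_s = reauth_window_s  # how often presence must be re-proven
        self._revoked: set = set()              # grant ids turned off early
        self.audit: list = []                   # events a UBA pipeline would consume

    # --- token encoding: base64(JSON claims) . hex(HMAC-SHA256) ----------
    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _encode(self, claims: dict) -> str:
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def _decode(self, token: str) -> Optional[dict]:
        # Reject anything whose signature does not verify; claims are only
        # trusted after this check, so a forged grant id cannot dodge revocation.
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    # --- lifecycle --------------------------------------------------------
    def request_access(self, user: str, resource: str,
                       now: Optional[float] = None) -> str:
        """Auto-approve a time-boxed grant; nobody gets a perpetual one."""
        now = time.time() if now is None else now
        gid = hashlib.sha256(f"{user}:{resource}:{now}".encode()).hexdigest()[:16]
        claims = {"gid": gid, "sub": user, "res": resource,
                  "iat": now, "exp": now + self.grant_ttl_s, "auth_at": now}
        self.audit.append({"event": "grant", "sub": user, "res": resource, "at": now})
        return self._encode(claims)

    def reauthenticate(self, token: str,
                       now: Optional[float] = None) -> Optional[str]:
        """Refresh the presence proof (e.g. after a camera check). Never
        extends `exp`: the hard TTL survives any number of re-auths."""
        now = time.time() if now is None else now
        claims = self._decode(token)
        if claims is None or claims["gid"] in self._revoked or now >= claims["exp"]:
            return None
        claims["auth_at"] = now
        self.audit.append({"event": "reauth", "sub": claims["sub"], "at": now})
        return self._encode(claims)

    def revoke(self, token: str) -> None:
        """Turn access off early, e.g. when UBA flags an anomalous pattern."""
        claims = self._decode(token)
        if claims is not None:
            self._revoked.add(claims["gid"])
            self.audit.append({"event": "revoke", "sub": claims["sub"]})

    def authorize(self, token: str, resource: str,
                  now: Optional[float] = None):
        """Decide whether the grant may be exercised right now."""
        now = time.time() if now is None else now
        claims = self._decode(token)
        if claims is None:
            return False, "bad-signature"
        if claims["gid"] in self._revoked:
            return False, "revoked"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["res"] != resource:
            return False, "wrong-resource"
        if now - claims["auth_at"] > self.reauth_window_s:
            return False, "reauth-required"
        self.audit.append({"event": "use", "sub": claims["sub"], "res": resource, "at": now})
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is repeatable.
    broker = JITAccessBroker(b"example-signing-key")
    tok = broker.request_access("alice", "prod-db", now=1000.0)
    print(broker.authorize(tok, "prod-db", now=1500.0))   # fresh: allowed
    print(broker.authorize(tok, "prod-db", now=2000.0))   # 1000s since auth: re-auth
```

Two design points worth noting. Re-authentication only refreshes `auth_at`; it cannot push `exp` forward, so a stolen or lingering cookie still dies at the hard TTL no matter how often someone re-proves presence. And the revocation list is keyed on a grant id that is only read from a verified signature, so an attacker cannot mint a token with a different id to escape a revocation.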