You have a growing number of targets
Your number of targets has grown, and it may be so large that you need to build individual systems to maintain access to them. Different types of targets need different access systems: you can't use the same system for servers, databases, and Kubernetes (k8s) access. But building and maintaining separate systems can be painful, and the more targets you have, the more daunting the task becomes.
We offer remote access strategy services to make this process less painful.
You have a growing number of accounts
Having different access systems for different targets is a lot to manage, and multiplying that in a matrix by your cloud accounts makes it even harder. It can also be painful if you don't have a cloud-agnostic approach. An option could be to offload that load onto a third-party service such as BastionZero’s **insert name for how BastionZero installs this in a multi-cloud way**.
You lack auditability
Most people we talk to don't have a cloud-agnostic solution for access; instead, they use AWS-specific tools or GCP-specific tools. However, these tools lack auditability: they don't let you see who holds keys and credentials for specific targets, or who logged in and changed what. The lack of visibility makes it difficult to tell what's going on with access in your infrastructure, especially since remote access tends to consist of different systems built by people working asynchronously.
You have “privilege creep”
You had an employee who needed access to fix a bug. They eventually got the access they needed, but it was never taken away. This was probably not the first time it happened, and now security has no idea who has access to what.
Having strong credentials spread across many individuals makes your infrastructure vulnerable. If just one of them gets compromised, the impact on your systems is significant. It also creates a big headache from a compliance perspective, which can affect revenue and business relationships if you can't say who has what access. An engineer could go through all the access grants and try to build audit logs by hand, but this is time-consuming and not necessarily the best use of your security engineers' time.
You rely too much on perimeter-based defenses
Nowadays, most people are moving away from VPNs as the gate that decides target access; however, replacing them with a different kind of perimeter-based defense isn't the answer. With a perimeter-based defense, once an adversary gets past the outer line of defense, they can reach your entire system. A zero-trust approach, where each access request is authenticated and authorized on its own, makes your strategy more secure.
You are managing long-lived credentials
You may be providing long-lived keys that users store on their laptops. Long-lived credentials are a maintenance and productivity issue: with long-lived keys, you must build a system that tracks which keys can access which servers, and such systems are challenging to build and manage. Additionally, if your security team is reluctant to grant access to new hires or on-call engineers, productivity suffers.
Long-lived credentials are also a security issue. If a laptop is compromised, the adversary can use the key to attack your system later. This is what happened in the Fluffy Bunny attack, where an attacker built a malicious SSH client that stole SSH keys. Using these keys, they could log into systems, sometimes even six months later, because the stolen SSH keys were still valid.
You could secure these long-lived credentials, but your system is still vulnerable if you have unused keys. If an adversary finds a credential that no one is using, they can still enter and compromise your infrastructure, and nobody will notice the missing key.
You have many disparate systems for access
When remote access systems develop organically, each one develops differently. But disparate systems aren't maintainable. Each one may have a vulnerability that needs patching, and patching impacts availability. And if you can't reach your own systems when something goes wrong, you're defenseless while an adversary works their way through your remote access system.
Your engineering team is growing
Your engineering team has grown. Growth is typical and not necessarily a problem. However, ten engineers sharing one key has turned into a hundred engineers sharing it. You can't extend the same trust to all these people: it has become a risk issue.
Offboarding is affected as well. An engineer may leave the company still holding several SSH keys. If you have no auditability and no system that tracks their SSH keys, the offboarding process becomes extremely painful.
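The sections on auditability, privilege creep, unused long-lived keys and offboarding all come down to the same missing inventory: which keys are authorized on which hosts, who owns them, and when they were last used. The script below builds that inventory from each host's authorized_keys file and its sshd login log, then checks it against the HR roster. It is an added example written for this page, not BastionZero's code; the hosts, key blobs, roster and log lines are constructed, and the 90-day idle threshold is an assumption.

```python
"""Audit SSH authorized keys across hosts for the symptoms described above:
keys owned by people no longer on the roster, and keys that are never or
no longer used. Added example; every host, key, person and log line here
is constructed."""
import base64
import hashlib
import re
from datetime import datetime, timedelta

MAX_IDLE_DAYS = 90  # assumption: a key unused this long is a candidate for removal


def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    _ktype, blob, *_ = key_line.split()
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def owner_of(key_line: str) -> str:
    """Owner taken from the key comment ('alice@laptop' -> 'alice'); '?' if absent."""
    parts = key_line.split(maxsplit=2)
    return parts[2].split("@")[0] if len(parts) == 3 else "?"


def _blob(label: str) -> str:
    # Constructed stand-in for a real base64 key blob (not a valid key).
    return base64.b64encode(label.encode()).decode()


# Constructed inventory: host -> contents of its authorized_keys file.
AUTHORIZED_KEYS = {
    "web-01": [
        f"ssh-ed25519 {_blob('alice-key')} alice@laptop",
        f"ssh-ed25519 {_blob('bob-key')} bob@laptop",
        f"ssh-rsa {_blob('carol-key')} carol@laptop",
    ],
    "db-01": [
        f"ssh-ed25519 {_blob('alice-key')} alice@laptop",
        f"ssh-rsa {_blob('carol-key')} carol@laptop",
        f"ssh-rsa {_blob('deploy-2019')} deploy-2019",
    ],
}

# Constructed HR roster: carol has left; deploy-2019 is a shared key nobody owns.
CURRENT_STAFF = {"alice", "bob"}

NOW = datetime(2023, 6, 1)
_FP = {lbl: fingerprint(f"x {_blob(lbl)}") for lbl in ("alice-key", "bob-key", "carol-key")}

# Constructed sshd log entries (host, ISO timestamp, message), in the format
# sshd writes for a successful public-key login.
AUTH_LOG = [
    ("web-01", "2023-05-30T09:12:01", f"Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 {_FP['alice-key']}"),
    ("web-01", "2023-05-29T17:40:10", f"Accepted publickey for bob from 10.0.0.7 port 40002 ssh2: ED25519 {_FP['bob-key']}"),
    ("db-01", "2023-05-31T08:00:00", f"Accepted publickey for alice from 10.0.0.5 port 51240 ssh2: ED25519 {_FP['alice-key']}"),
    ("db-01", "2023-02-01T12:00:00", f"Accepted publickey for carol from 10.0.0.9 port 39001 ssh2: RSA {_FP['carol-key']}"),
    ("db-01", "2023-05-31T08:05:00", "Failed password for root from 203.0.113.4 port 22 ssh2"),
]

_ACCEPTED = re.compile(r"Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")


def last_use(auth_log):
    """Map (host, fingerprint) -> most recent successful public-key login."""
    seen = {}
    for host, ts, msg in auth_log:
        m = _ACCEPTED.search(msg)
        if not m:
            continue  # failures and other sshd lines carry no key fingerprint
        when = datetime.fromisoformat(ts)
        key = (host, m.group(2))
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def audit(authorized_keys, current_staff, auth_log, now=NOW):
    """Return sorted (host, owner, finding) tuples for keys that need attention."""
    used = last_use(auth_log)
    cutoff = now - timedelta(days=MAX_IDLE_DAYS)
    findings = []
    for host, lines in authorized_keys.items():
        for line in lines:
            owner, fp = owner_of(line), fingerprint(line)
            if owner not in current_staff:
                findings.append((host, owner, "owner not on current roster"))
            when = used.get((host, fp))
            if when is None:
                findings.append((host, owner, "never seen logging in"))
            elif when < cutoff:
                findings.append((host, owner, f"idle since {when.date()}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, owner, why in audit(AUTHORIZED_KEYS, CURRENT_STAFF, AUTH_LOG):
        print(f"{host:7} {owner:12} {why}")
```

With the constructed data the report flags carol's key on both hosts (offboarded, and idle or never used) and the ownerless deploy-2019 key, while alice and bob, who log in regularly, are not mentioned. Idle time is tracked per host rather than per key so that a key in active use on one server still shows up as dead weight on the others. The script only reports; deciding whether to revoke, rotate or assign an owner to each flagged key stays with an operator, and in practice the authorized_keys files and auth logs would be collected from every host over a management channel rather than embedded in the script.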
Take the Next Step: Try BastionZero Free Today
At BastionZero, we make it easy for cloud teams to securely control access to their infrastructure (servers, containers, clusters, databases) in any cloud or on-prem data center.
Talk to our experts about how to future-proof your cloud security strategy. They’ll help you schedule a demo and learn more about simplifying your remote access processes and fortifying your security.