Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Counterbalancing Complexity in Modern Cloud Environments
By Ev Kontsevoy, Co-Founder and CEO, Teleport
Cloud computing continues to become more complex every year,
specifically the "tech stacks" of cloud-native applications. As we enter 2021,
most developers, in addition to mastering the runtime of their programming
language and the operating system, will have to navigate APIs of multiple
databases, cloud providers, Docker containers, orchestration platforms like
Kubernetes and other freshly-invented abstraction layers.
As the complexity
of modern cloud environments is, sadly, rising, let's focus our attention on
something positive: what are the trends that will be counterbalancing the
growing complexity?
The Rise of DevSecOps
Back in the good
ole days developers had to rely on system administrators to provision their
servers. As the complexity of Internet applications grew, this prevented
engineering teams from iterating and scaling rapidly. Cloud APIs enabled
developers to treat infrastructure as code, fusing applications and the
underlying hardware into a purely software-defined artifact.
Something similar
has been happening in the cloud security space, as developers have grown
increasingly frustrated with security and compliance controls imposed on them
by dedicated security teams. We expect this trend to accelerate in 2021, as the
new generation of access solutions targets developers, not security
professionals, as its users:
- A new generation of access solutions, such as a unified access plane,
comes equipped with robust APIs instead of relying on static declarative policy
engines, allowing developers to implement any access workflow they need in the
programming language they already know.
- Access to cloud infrastructure
like servers, Kubernetes clusters, databases and other resources can now be
controlled via a unified access plane, making it easier to implement security
and enforce compliance in one place without having to build in-house security
expertise for every layer of ever-growing dev stacks.
- The best forward-looking security
teams are diversifying their skill sets, becoming more comfortable with
programming, and moving into DevSecOps roles.
We do not know if
"security as code" is a trend yet, but "access as code" will definitely gain
momentum in 2021.
Decline of Secrets Management
Engineering
organizations have been gradually scaling back their reliance on shared
secrets.
In the web
application space, this trend started some time ago with the transition to
identity-based access and the rise of common protocols like SAML and OpenID
Connect. We expect identity-based access to extend to cloud infrastructure and
machine-to-machine communications. Consider the following two popular examples
of shared secrets that are now considered an anti-pattern:
- SSH keys. Organizations that deploy key management systems to rotate or
encrypt SSH keys should realize that they are still managing static
credentials: a plain SSH key is, from an access-management standpoint, little
better than a very long password. It carries no identity, never expires, and
has to be distributed, tracked and revoked on every server by hand. Technologies
like SSH certificates issued by an identity-aware CA have now matured to the
degree that implementing them in production is not only easier, but also
delivers a superior user experience.
- API keys. API keys, likewise nothing more than a very long password, are even
more challenging to manage properly because there is no commonly adopted
standard for API authentication. This leads to an additional layer of
complexity, such as injecting API keys into workloads, being stacked on top of
already complex stacks. Meanwhile, the technology to deploy private CAs capable
of issuing X.509 certificates for API clients and servers is now entering the
mainstream, making all communications mutually authenticated by default and
eliminating the need for API keys.
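The SSH-keys point above, shown end to end as an added example (this is editor-supplied illustration, not Teleport's code or configuration): a CA key pair stands in for the identity-aware CA, a user key is signed into a certificate that carries a key ID, the permitted logins and a one-working-day validity window, the server is configured to trust the CA rather than individual keys, and the certificate is revoked through a KRL without touching any server's authorized_keys. All names, paths and the working directory are made up; only ssh-keygen is required.

```shell
#!/bin/sh
# Added example (not Teleport's code): replacing a static SSH key with a
# short-lived SSH certificate issued by a CA. Names and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The CA key pair. In a real deployment the private half sits behind the
#    access plane (ideally in an HSM) and signs only after the user has passed
#    SSO and MFA; it is never copied to a laptop.
ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"

# 2. Alice's per-device key pair. The private key stays on her laptop and, on
#    its own, grants nothing: no server lists it in authorized_keys.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"

# 3. Issue the certificate. This turns the key into an identity instead of a
#    long password: a key ID that lands in sshd's logs, the Unix logins
#    (principals) she may use, a validity window of one working day, and a
#    per-certificate restriction. Output goes to $WORK/alice-cert.pub.
ssh-keygen -q -s "$WORK/user_ca" \
  -I 'alice@example.com' \
  -n 'alice,deploy' \
  -V '+8h' \
  -O no-port-forwarding \
  "$WORK/alice.pub"

# 4. Server side: one line trusts every certificate the CA signs, and the
#    principals file maps certificate principals to local accounts, so
#    onboarding or offboarding a user never touches authorized_keys.
cat > "$WORK/sshd_config.snippet" <<EOF
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
# /etc/ssh/auth_principals/deploy would contain the single line "deploy".

# Helpers that read the certificate back (what sshd evaluates at login time).
cert_key_id() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

cert_principals() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" \
    | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -v ':' | tr -d ' \t' | paste -s -d ' ' -
}

cert_validity() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n 's/^ *Valid: //p'
}

# 5. Revocation without visiting every server: publish a KRL (referenced by
#    RevokedKeys in sshd_config) naming the certificate. Rarely needed, because
#    the certificate stops working on its own when the 8-hour window closes.
ssh-keygen -k -f "$WORK/revoked.krl" "$WORK/alice-cert.pub"

cert_revoked() {
  ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/alice-cert.pub" 2>/dev/null \
    | grep -q REVOKED
}

echo "key id:     $(cert_key_id)"
echo "principals: $(cert_principals)"
echo "validity:   $(cert_validity)"
if cert_revoked; then
  echo "after KRL:  revoked"
fi
```

The contrast with a static key is in steps 3 to 5: identity, allowed logins and lifetime travel inside the credential, the server trusts one CA public key instead of thousands of user keys, and both expiry and revocation happen without anyone editing files on the fleet.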
We expect
certificate-based authentication and authorization to finally start replacing
legacy solutions based on shared secrets in the infrastructure space in 2021.
This trend is accelerated by increased levels of automation in the identity and
access space fueled by the rise of DevSecOps.
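The API-keys point in the list above, as an added example (editor-supplied, not Teleport's code): a private CA issues an X.509 server certificate and a client certificate, the server's check becomes "was this certificate issued by our CA, and what identity does it carry" instead of a lookup of a long-lived API key, and a look-alike certificate from another CA is rejected. Hostnames, subjects and the working directory are made up; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not Teleport's code): a private CA issuing X.509 client and
# server certificates so API calls are authenticated by certificate rather than
# by an API key in a config file. All names and hosts are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. The private CA. Its key only signs certificates and is never given to a client.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout ca.key -out ca.pem -subj '/O=example/CN=Example Internal CA' 2>/dev/null

# Issue a one-day certificate signed by a given CA.
# $1=CA basename, $2=output basename, $3=subject, $4=extensions (what it may be used for).
issue() {
  ca=$1; name=$2; subject=$3; exts=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$name.key" -out "$name.csr" -subj "$subject" 2>/dev/null
  printf '%s\n' "$exts" > "$name.ext"
  openssl x509 -req -sha256 -days 1 -in "$name.csr" \
    -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
    -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# 2. The API server gets a serverAuth certificate bound to its hostname.
issue ca api-server '/O=example/CN=api.internal' \
  'subjectAltName=DNS:api.internal
extendedKeyUsage=serverAuth'

# 3. The calling service gets a clientAuth certificate. Its identity is in the
#    subject, so the server authorizes on CN/OU and stores no API key at all.
issue ca billing-service '/O=example/OU=billing/CN=billing-service' \
  'extendedKeyUsage=clientAuth'

# 4. A certificate from some other CA with an identical subject: must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout rogue-ca.key -out rogue-ca.pem -subj '/CN=Rogue CA' 2>/dev/null
issue rogue-ca impostor '/O=example/OU=billing/CN=billing-service' \
  'extendedKeyUsage=clientAuth'

# What the server does per connection (here with the CLI; in code it is the TLS
# library's peer verification against ca.pem followed by a subject lookup).
trusted_by_ca() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

client_identity() {
  # CN of the presented certificate; the server maps this to permissions.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

not_expiring_within() {
  # Succeeds if the certificate is still valid $2 seconds from now. Short
  # lifetimes make rotation automatic instead of a manual key-rollover project.
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

for cert in billing-service.pem impostor.pem; do
  if trusted_by_ca "$cert"; then
    echo "$cert: accepted as $(client_identity "$cert")"
    if not_expiring_within "$cert" 3600; then
      echo "$cert: still valid an hour from now"
    fi
  else
    echo "$cert: rejected (not issued by our CA)"
  fi
done
```

Note that the impostor certificate carries exactly the same subject as the legitimate one and is still rejected; with API keys the equivalent attack is simply copying the key out of a config file, and nothing about the key itself lets the server tell the two callers apart.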
Fusion of Humans and Machines
The remote access
and identity space has always been split between humans and machines. Humans
and robots have used different authentication methods. Identity-based
access was first implemented for humans accessing their email, not for
microservices accessing a database. Why would anyone have the need for
"security for microservices?" What's so different about granting or denying
access to a robot or a human?
Historically,
secure access was implemented in silos. It was not uncommon for database
administrators to have their own individual database accounts, not synchronized
with the corporate identity store, while the code written by developers to
access the same database used yet another account, stored in a configuration file.
Secrets for SSH access would be managed separately. All of these credentials
were siloed not only based on a computing resource type (database, SSH server,
Kubernetes cluster) but also based on human-vs-machine separation.
In 2021 this will
begin to change, as modern access solutions make no distinction between humans
and machines. The new approach embraced by the "access as code" movement is to
have identities and roles defined for both humans and machines, and have a
unified access plane and unified audit log for both. Not only does this greatly
simplify managing access, but also enables unprecedented visibility into access
and behavior.
Location-Independent Computing
Drastically
furthered by the onset of COVID-19, organizations will continue to shift away
from on-premise computing towards cloud. But another transformation is also
underway: the dramatic shift to work-from-home culture.
This presents new
productivity challenges for engineers working from home and also introduces
additional complexity for the security teams. As cloud environments continue to
get more complicated, and grow in numbers, organizations must also embrace
employees using their own devices to get the work done. VPNs were never meant
to bridge the gap between dozens of cloud environments and thousands of
employees working from home. We expect the trend towards endpoint-based access
via a unified access plane to accelerate in 2021. An engineer expects to log in
once from their own machine at home and get access to computing resources
such as servers, Kubernetes clusters, databases or web applications in a VPC
behind NAT, all with that single login. They also expect to automatically lose
access at the end of the day when their certificate expires. The unified, identity-based
access for everything is going to become essential for work-from-home
organizations.
Conclusion
As complexity of
cloud environments continues to grow, and their numbers multiply, we expect
several positive trends to accelerate in 2021, namely around simplicity of
accessing these environments and better security and compliance.
The DevSecOps
movement opens a new chapter in the degree of automation in the access and
identity space. The unification of machine and human access will allow us to
tie access to identity which, in turn, will drive the elimination of shared
secrets from cloud-native environments. And finally, working from home will
become easier as a result of the industry's response to COVID-19 and the
emergence of the Unified Access Plane concept, which borrows heavily from
BeyondCorp.
In other words,
life will get easier in 2021 which is, of course, what we should expect from
technical progress.
##
About the Author
Ev Kontsevoy is Co-Founder and CEO of Teleport. An
engineer by training, Kontsevoy launched Teleport in 2015 to provide other
engineers solutions that allow them to quickly access and run any computing
resource anywhere on the planet without having to worry about security and
compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun,
which he successfully sold to Rackspace. Prior to Mailgun, Ev held a variety
of engineering roles. He holds a BS degree in Mathematics from Siberian Federal
University, and has a passion for trains and vintage-film cameras.