Virtualization Technology News and Information
Article
RSS
Teleport 2021 Predictions: Counterbalancing Complexity in Modern Cloud Environments

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual VMblog.com series exclusive.

Counterbalancing Complexity in Modern Cloud Environments

By Ev Kontsevoy, Co-Founder and CEO, Teleport

Cloud computing continues to become more complex every year, specifically the "tech stacks" of cloud-native applications. As we enter 2021, most developers, in addition to mastering the runtime of their programming language and the operating system, will have to navigate APIs of multiple databases, cloud providers, Docker containers, orchestration platforms like Kubernetes and other freshly-invented abstraction layers.

As the complexity of modern cloud environments is, sadly, rising, let's focus our attention on something positive: what are the trends that will be counterbalancing the growing complexity?

The Rise of DevSecOps

Back in the good ole days developers had to rely on system administrators to provision their servers. As the complexity of Internet applications grew, this prevented engineering teams from iterating and scaling rapidly. Cloud APIs enabled developers to treat infrastructure as code, fusing applications and the underlying hardware into a purely software-defined artifact.

Something similar has been happening with the cloud security space, as developers have been increasingly frustrated with security and compliance concerns, enforced by dedicated security teams. We expect this trend to accelerate in 2021, as the new generation of access solutions are targeting developers as their users, not security professionals:

  • New generation of access solutions like a unified access plane instead of relying on static declarative policy engines come equipped with robust APIs, allowing developers to implement any access workflow they desire using the programming language they are already familiar with.
  • Access to cloud infrastructure like servers, Kubernetes clusters, databases and other resources can now be controlled via a unified access plane, making it easier to implement security and enforce compliance in one place without having to build in-house security expertise for every layer of ever-growing dev stacks.
  • The best forward-looking security teams are diversifying their skill sets and becoming more comfortable with programming to transition to fulfilling DevSecOps roles.

We do not know if "security as code" is a trend yet, but "access as code" will definitely gain momentum in 2021.

Decline of Secrets Management

Engineering organizations have been gradually scaling back their reliance on shared secrets.

In the web application space, this trend started some time ago with the transition to identity-based access and the raise of common protocols like SAML or OpenID Connect. We expect identity-based access to extend to cloud infrastructure and machine-to-machine communications. Consider the following two popular examples of shared secrets that are now considered an anti-pattern:

  • SSH keys. Organizations that adopt and deploy key management systems with key rotation or key encryption must realize that an SSH key is nothing but a very long password. Technologies like SSH certificates issued by an identity-aware CA have now matured to the degree that implementing them in production is not only easier, but also delivers a superior user experience.
  • API keys. API keys, also not different from a very long password, are even more challenging to manage properly because there's no commonly adopted standard for API authentication. This leads to additional level of complexity, like API key injection, to be layered on top of already complex stacks. Meanwhile, the technology to deploy private CAs capable of issuing x.509 certificates for API clients and servers is now entering mainstream, making all communications trusted by default eliminating the need for API keys.

We expect certificate-based authentication and authorization to finally start replacing legacy solutions based on shared secrets in the infrastructure space in 2021. This trend is accelerated by increased levels of automation in the identity and access space fueled by the rise of DevSecOps.

Fusion of Humans and Machines

The remote access and identity space has always been split between humans and machines. Humans and robots have used different authentication methods. The identity-based access was first implemented for humans accessing their email, not for microservices accessing a database. Why would anyone have the need for "security for microservices?" What's so different about granting or denying access to a robot or a human?

Historically, secure access was implemented in silos. It was not uncommon for database administrators to have their own individual database accounts not synchronized with the corporate identity storage, yet the code written by developers to access the database would use another account stored in a configuration file. Secrets for SSH access would be managed separately. All of these credentials were siloed not only based on a computing resource type (database, SSH server, Kubernetes cluster) but also based on human-vs-machine separation.

In 2021 this will begin to change, as modern access solutions make no distinction between humans and machines. The new approach embraced by the "access as code" movement is to have identities and roles defined for both humans and machines, and have a unified access plane and unified audit log for both. Not only does this greatly simplify managing access, but also enables unprecedented visibility into access and behavior.

Location-Independent Computing

Drastically furthered by the onset of COVID-19, organizations will continue to shift away from on-premise computing towards cloud. But another transformation is also underway: the dramatic shift to work-from-home culture.

This presents new productivity challenges for engineers working from home and also introduces additional complexity for the security teams. As cloud environments continue to get more complicated, and grow in numbers, organizations must also embrace employees using their own devices to get the work done. VPNs were never meant to bridge the gap between dozens of cloud environments and thousands of employees working from home. We expect the trend towards endpoint-based access via a unified access plane to accelerate in 2021. An engineer expects to login once using their own machine at home, and get access to computing resources such as servers, Kubernetes clusters, databases or web applications on a VPC behind NAT, with a single login. They also expect to automatically lose access at the end of the day when their certificate expires. The unified, identity-based access for everything is going to become essential for work-from-home organizations.

Conclusion

As complexity of cloud environments continues to grow, and their numbers multiply, we expect several positive trends to accelerate in 2021, namely around simplicity of accessing these environments and better security and compliance.

The DevSecOps movement opens a new chapter in the degree of automation in the access and identity space. The unification of machine and human access will allow us to tie access to identity which, in turn, will drive the elimination of shared secrets from cloud-native environments. And finally, working from home will become easier as a result of the industry's response to COVID-19 and the emergence of Unified Access Plane concept, which borrows heavily from BeyondCorp.

In other words, life will get easier in 2021 which is, of course, what we should expect from technical progress.

##

About the Author

Ev Kontsevoy 

Ev Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev has had a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University, and has a passion for trains and vintage-film cameras.

Published Thursday, December 31, 2020 7:30 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<December 2020>
SuMoTuWeThFrSa
293012345
6789101112
13141516171819
20212223242526
272829303112
3456789