What Does It Mean to "Shift Left"?
"Shift left" is a powerful concept that prioritizes catching and resolving issues earlier in a process, thereby minimizing defects and increasing quality output. In security, the methodology is being used to find vulnerabilities that are traditionally addressed in detection and remediation cycles, and preemptively address those problems upstream. While popularized in the AppSec domain, an equally powerful application of shifting left is evolving in identity management. Identity is the new security perimeter in the cloud-native world. We need to explore a new access control paradigm to reduce risk, one defined by the use of policy and automation.
Today's World: Checkbox Compliance and IAM for the Sake of Productivity
There's no shortage of identity-based attacks making headlines, from privilege escalation to unauthorized access, among others. Compliance, while a good signal of general security practices, isn't always an indication of real risk reduction. Quarterly or yearly access reviews "discover" overprovisioned and non-off-boarded users with sensitive access, leaving security gaps in place for months at a time. While quarterly timing might be enough to "check the box," real risk reduction would require running timely and more frequent reviews for most applications (whether they are connected to your identity provider or not). The growing number of SaaS and IaaS offerings, the impact of group sprawl, and the level of manual effort required for this makes more frequent reviews cost-prohibitive for most businesses.
We are rooted in a world that traded security for productivity. We grant as much birthright access as possible so we can avoid managing access changes downstream, but still periodically check in on this access as required by compliance. When access changes are needed, they are thrown over the wall via help-desk tickets that sit in queues for days or weeks. From a security standpoint, a lot of energy is spent on compliance and managing access, yet we're barely scratching the surface on risk reduction.
Change Your Thinking: Access Controls That Actually Reduce Risk
Better security outcomes in compliance and IAM necessitate that we automate like engineers and take new approaches. Alerting, quarterly reviews, and ticketing are heavy-handed detection and remediation tactics that identify and address overprivilege after it has already happened. In order to shift left, we need to modernize how access is controlled. Architecting modern access controls will require an identity-centric view into any and all technology, democratized access decision-making, the ability to define least privilege policy as code, and above all, automation wherever we can get it. A first principles-based approach to securing access is required: Users should have access for as long as they need it to do their job, and no longer. Implementing this is hard, but here are a few starters:
1. Democratization of access management, but central enforcement of control policy. System owners have the best information and context for why users need access, and IT doesn't enjoy being the ticketing middleman. Access decisions made by system owners should be balanced with a centrally defined policy for managing access based on classifications. Policy should be defined in code, if possible, and managed through change management processes.
2. Justification for access and time-limited access. Users only need access while they're doing a job, performing a function, contributing on a team, working on-call, and so forth. Justification is the context for why a user needs specific access at that moment. Without that justification, the access is not required and is automatically removed.
3. Automating user access reviews (UARs). UARs are extremely effective at reducing standing privileges and identifying inappropriate accounts and access. The problem is that manual UARs are too time and labor intensive to run frequently, which means delays in identifying and revoking expired accounts and privileges. With automated user access reviews, we find 10% to 25% of access is regularly marked as overprovisioned, inappropriate, or unused, and is subsequently removed.
4. Self-service and just-in-time access provisioning. Employees should be able to request access right when they need it from comprehensive app and resource catalogs. Accounts and permissions should be provisionable without manual touches, whether it's connected to the SSO provider or not. Policy should drive the process, so low-privilege access can be granted automatically without a human in the loop, and higher-privilege access can be routed to the correct approvers quickly and efficiently.
Moving Forward, Shift Left With Least-Privilege Thinking, Tools, and Automation
We need to recognize that access is messy and embrace that reality with the principle of least privilege and the automation to enforce it. We should not focus on rigidity and centralization, but rather on policy and delegation. Users change roles and teams. Sometimes you need temporary access and permissions. Employees come and go. What's important is that your environment, governed by policy and run by automation, always and predictably reverts to the minimum level of sensitive access necessary for your team. Only then can you reduce the attack surface area of identity and move from detecting breaches to avoiding them in the first place.
About the Author
Alex Bovee is co-founder and CEO of ConductorOne, a technology company focused on modern identity governance and access control. With a background in security and identity, he most recently led Okta's zero-trust product portfolio and prior to that, enterprise device security products at Lookout Mobile Security. He co-founded ConductorOne to help companies become more secure and productive through identity centric automation and access control. In his spare time, he enjoys playing guitar and shuttling his kids around to activities.