Just-in-time access should be the norm.
If we say "your infrastructure needs to be secure," nobody would disagree. But how that actually works is a lot less simple. There's a good chance you've got multiple developers with free rein in AWS, backstopped by manual processes for access review. Really making your infrastructure secure, and ensuring the right people get access to the right things (at the right time!), will require not only a meaningful degree of upfront effort, but substantial tuning and maintenance.
If you lock down your team's access with a manual process, you'll introduce new problems. Getting features out quickly is hard enough; the last thing you want to worry about is leaving someone hanging on a ticket to get access to the S3 bucket they need to implement something urgent. You could build your own solution, but that invites a lifetime of maintenance overhead.
And we've all but accepted these slow-downs and tradeoffs as normal. But we shouldn't. Instead, we should embrace cloud-native tools that help us define just-in-time access in code, so we can move quickly, securely, and at scale.
From the Blog: The Authorization Game
Sym helps you win the authorization game because we help you integrate context and actions from across your tech stack. Identity management systems like Okta or AzureAD do a great job of asserting who you are, but get stuck when trying to define what you can do. Rego and Cedar let you express authorization logic in elegant languages, but don’t help you collect all the inputs and outputs you need to make your access management system function. No-Code tools help you get started quickly, but fall flat when it comes to change management and covering edge cases.
Just-in-time to the rescue
It's hard to balance the pressure to ship with the pressure to stay secure. Teams often try to relieve this pressure with least-privilege systems based on giving users fine-grained permissions to do their jobs. We've seen these static systems fail, and it's no wonder: our jobs are dynamic. The infrastructure and resources we need are changing all the time, and our access management tools can't keep up.
From the Blog: The Importance of Just-in-time Access for Least Privilege in the Cloud
As your team grows, even a few clicks to grant access can become too much. It is also easy to forget to revoke access at the right time. As your company grows, you may need to decouple the process of getting approval for access from the process of actually granting the access. Without automation, you may find yourself chasing approvals from managers or other authorities. This creates even more toil for you and delays for the requester.
Sym helps you close security gaps by starting with collaborative review rather than overly tight policies. Take your existing AWS permissions and wrap them in a Sym workflow. Then use our SDK to route access requests to peers or to the right approvers based on the context of the request.
| | Without Sym | With Sym |
|---|---|---|
| Just-in-time temporary access | After approval, access must be granted, tracked, and revoked manually. | Sym handles both grant and time-based revoke, so every integration with Sym is one more thing you don't need to worry about. |
| Policy and governance | Reliant on unwritten or hard-to-discover rules for who is allowed to make or approve requests. | With Sym's Python SDK, your access rules are expressed and enforced in code, and deployed via your SDLC. |
| Audit and compliance | Anyone handling a security audit must read through unstructured messages or ticket queues for evidence. | Compliance is an automatic byproduct of using Sym. Simply connect a Reporting destination and say "goodbye" to scraping Slack channels for context. |
Move faster with code
Instead of trying to juggle manual processes or navigate yet another UI, put your engineering organization in control by defining your policies and workflows as code. Set the rules that make sense for your organization, easily add new teams and workflows as you grow, and rest easy knowing that engineering, ops, and security can all collaborate via your SDLC.
Sym flows are adaptive, so you can automate approvals when it makes sense. Many teams start by checking a requester's on-call status in PagerDuty, or by invoking an AWS Lambda to check an internal system for more context. No matter what, when a request expires, Sym will de-escalate access and generate logs for evidence, taking another task off your plate.
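To make the workflow described in the two passages above concrete (context-based routing of a request, an approval that grants access with a hard expiry, time-based revocation, and an audit trail), here is an added example. It is not Sym's SDK or any of its code: the on-call roster, approver groups, resource names and approver names are all constructed, hypothetical data standing in for the PagerDuty and AWS lookups a real flow would make.

```python
from dataclasses import dataclass, field

ON_CALL = {"alice"}                        # constructed stand-in for an on-call lookup (not PagerDuty's API)
APPROVERS = {"prod-db": {"bob", "carol"}}  # constructed peer approver groups per resource

@dataclass
class AccessRequest:
    requester: str
    resource: str
    duration_s: int                        # requested grant length, seconds
    status: str = "pending"                # pending | approved | denied | revoked
    expires_at: int = 0                    # epoch seconds, set when granted
    audit: list = field(default_factory=list)  # evidence trail for audits

def eligible_approvers(req: AccessRequest) -> set:  # peers only: never the requester
    return APPROVERS.get(req.resource, set()) - {req.requester}

def route(req: AccessRequest) -> str:
    """Context-based routing: on-call requesters are auto-approved, else peers."""
    if req.requester in ON_CALL:
        req.audit.append(f"auto-approved: {req.requester} is on-call")
        return "auto"
    req.audit.append(f"routed to {sorted(eligible_approvers(req))}")
    return "peer"

def grant(req: AccessRequest, approver: str, now: int) -> bool:
    """Grant with a hard expiry; non-automatic grants need an eligible approver."""
    if approver != "auto" and approver not in eligible_approvers(req):
        req.status = "denied"
        req.audit.append(f"denied: {approver} may not approve this request")
        return False
    req.status, req.expires_at = "approved", now + req.duration_s
    req.audit.append(f"granted by {approver} at {now}, expires {req.expires_at}")
    return True

def reconcile(req: AccessRequest, now: int) -> bool:
    """Time-based revoke, run periodically; returns True while access is live."""
    if req.status == "approved" and now >= req.expires_at:
        req.status = "revoked"
        req.audit.append(f"revoked at {now}: grant expired")
    return req.status == "approved"

def demo() -> tuple:
    """Two constructed requests: an on-call auto-grant and a denied self-approval."""
    oncall = AccessRequest("alice", "prod-db", 3600)
    grant(oncall, route(oncall), now=0)
    dev = AccessRequest("dave", "prod-db", 3600)
    route(dev)                             # dave is not on-call: routed to peers
    grant(dev, "dave", now=0)              # self-approval attempt is denied
    return (oncall.status, dev.status, reconcile(oncall, 1800), reconcile(oncall, 3600))
```

Running `demo()` yields `("approved", "denied", True, False)`: the on-call grant is live at 30 minutes and revoked at the 60-minute expiry, while the self-approval is refused and every step is recorded in `audit`.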
Integrations to cover (nearly) any scenario
Sym’s SDK-centric approach means we’re a great fit for teams that are building out internal platforms. Once your first team gets a few Flows implemented, you now have a set of patterns that can easily be adapted for new teams in your organization. Your platform leaders can decide how much centralized review they need using the same SDLC tools you use for everything else.
Whether it is AWS, a SaaS app, an internal app, or a database — you can integrate our platform quickly and easily with your most sensitive systems and infrastructure.
From the Blog: Safe On-Call Access to Prod With Sym and PagerDuty
As Courier continues to grow, they’ll rely more and more on their internal developer platform to scale their engineering team. The components that are self-service and have great developer ergonomics will only become more important. This is where Sym’s “yes code” approach shines. Just like Sym helps teams distribute access decisions across the org, our SDK approach helps teams distribute the definition of the flows themselves across the org!
Being “Terraform-Native” means that Sym implementers get all the benefits of managing their Flows within a rich infrastructure-as-code ecosystem. Managing your access flows in code means you:
- Reduce costs by automating manual processes
- Increase the rate of change, replacing tribal knowledge with codified best practices
- Reduce the risks of manual errors
HCL as a Unifying Language
Terraform has some specific benefits beyond those that all infrastructure-as-code tools share. Sym leverages the multi-provider nature of Terraform to let you declare Sym resources right alongside Sym's dependencies in other systems. Sym's connector modules package up your AWS dependencies for easy management in your Sym configurations. If you need to move these AWS dependencies somewhere else, that is fine; Terraform gives you the flexibility to manage things in the way that makes the most sense for your organization.
In our postgres example, the fact that we're using Terraform means we can declare Sym resources right alongside the AWS Lambda function that we're integrating with: