Posted by Joyce Ling
November 1, 2023
In today’s complex business landscape, managing vast and distributed tech infrastructures is a significant challenge, especially for global companies like Cimpress. With 13 subsidiaries, over 10,000 employees, and more than $2 billion in annual revenue, Cimpress recognizes the necessity of systems that are both efficient and secure.
Conor Mancone is Principal Application Security Engineer at Cimpress/Vistaprint. One of his critical responsibilities involves managing the secrets management infrastructure, helping meet the company’s demands for flexibility, usability, and reliability.
In this post, we look at just-in-time access at scale, drawing on a conversation with Conor about Cimpress’s approach to technology and security and, in particular, the principle of Just-in-Time (JIT) Access.
What is Just-in-Time Access?
Within security and DevOps contexts, JIT access has become increasingly recognized as an essential best practice. It revolves around providing temporary permissions or credentials precisely when required, instead of long-term or persistent access. As Conor Mancone explains, JIT means that whether it’s humans, services, or infrastructure, credentials are given only when necessary. This methodology aims to tighten security measures, facilitate transparent access management, and promote more carefully monitored resource access.
Why Implement JIT Access?
The primary reason for implementing JIT access is to protect credentials and improve the security of the company. In our interview, Conor mentioned that security incidents due to leaked credentials are commonplace. Recent research supports this: 49% of breaches involved stolen access credentials according to Verizon’s 2023 Data Breach Investigations Report (DBIR). JIT access shrinks that risk because credentials are short-lived and issued only when needed, so the window in which a leaked credential can be exploited is short.
In addition, JIT access simplifies many aspects of application development. It allows the application itself to fetch credentials when needed, making it easier to run applications locally and reducing the manual process of issuing credentials. Automation is a key benefit, as JIT access automates credential lifecycle management. While switching to JIT access may require some initial effort and training, Conor believes it ultimately saves engineering effort and time.
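The “application fetches its own credential when needed” pattern described above, as an added example that is not code from the original post, from Cimpress, or from Akeyless: a lease-aware credential provider that asks the issuer for a short-lived credential on first use, reuses it while it is valid, refreshes it shortly before expiry so an in-flight request is not cut off, and fetches a fresh one on demand when the target rejects the cached one. The issuer and clock are constructed stand-ins (not a real secrets-manager API); the 15-minute TTL and 60-second refresh margin are illustrative values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    value: str
    expires_at: float  # absolute time (seconds since epoch) after which it stops working


class JitCredentialProvider:
    """Gives the application a valid credential each time it asks, fetching a new one
    from `issue` (a dynamic secret, STS AssumeRole, a database producer) only when the
    cached one is missing or about to expire. `clock` is injected so tests need no sleep."""

    def __init__(self, issue: Callable[[], Credential], *, refresh_margin: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        if refresh_margin < 0:
            raise ValueError("refresh_margin must be non-negative")
        self._issue, self._margin, self._clock = issue, refresh_margin, clock
        self._current: Optional[Credential] = None
        self.issued_count = 0

    def _usable(self, cred: Optional[Credential]) -> bool:
        # Stale once within `margin` of expiry, so an in-flight request is not cut off.
        return cred is not None and self._clock() + self._margin < cred.expires_at

    def get(self) -> str:
        if not self._usable(self._current):
            cred = self._issue()
            if cred.expires_at <= self._clock():
                raise RuntimeError("issuer returned an already-expired credential")
            self._current = cred
            self.issued_count += 1
        return self._current.value

    def invalidate(self) -> None:
        """Drop the cached credential, e.g. after the target rejected it."""
        self._current = None


# Constructed stand-ins (not a real secrets-manager API) so the flow runs offline.
class FakeIssuer:
    """Mints a random token with a fixed TTL and logs each issuance like an audit trail."""

    def __init__(self, ttl: float, clock: Callable[[], float]) -> None:
        self.ttl, self.clock = ttl, clock
        self.audit: List[Tuple[float, str]] = []

    def __call__(self) -> Credential:
        token = "tmp-" + secrets.token_hex(8)
        self.audit.append((self.clock(), token))
        return Credential(token, self.clock() + self.ttl)


class FakeClock:
    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """One credential lifetime: cold fetch, cached reuse, refresh inside the margin,
    forced refresh after the target rejects the credential."""
    clock = FakeClock()
    issuer = FakeIssuer(ttl=900.0, clock=clock)  # 15-minute lease
    provider = JitCredentialProvider(issuer, refresh_margin=60.0, clock=clock)
    first = provider.get()     # t=0: nothing cached, one issuance
    clock.advance(600)
    same = provider.get()      # t=600: still valid, no issuer call
    clock.advance(250)
    renewed = provider.get()   # t=850: inside the 60 s margin, refreshed early
    clock.advance(1)
    provider.invalidate()      # e.g. the target answered 401
    forced = provider.get()    # fresh credential on demand
    return {"first": first, "same": same, "renewed": renewed, "forced": forced,
            "issued": provider.issued_count, "audit_len": len(issuer.audit)}
```

The point of the margin is operational rather than cryptographic: a credential that is technically valid for another five seconds will still fail a request that takes six, so the provider treats it as already gone. Swapping `FakeIssuer` for a call to whatever mints the credential in your environment is the only change needed to use the provider for real.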
Teams at Cimpress are not required to adopt a JIT system; even so, Conor has seen a high rate of adoption across the company because of Cimpress’s stringent credential-rotation requirements. Manual rotation is difficult and time-consuming, and JIT access automates it. In addition, using Akeyless as the secrets manager has made JIT easy to implement and adopt across the organization.
While it may be comforting to stick with familiar systems, Mancone highlights the benefits and importance of updating security measures to current challenges, keeping organizations a step ahead in their security endeavors.
Benefits of JIT Access
Conor identifies several critical benefits derived from implementing JIT access:
- Reduced Security Risks: Providing access only when it is required lowers the likelihood of unauthorized access. An attacker who does gain a foothold finds that any credential they capture expires before it can be put to much use.
- Enhanced Infrastructure Safety: JIT’s applicability isn’t confined to just human-machine interactions. Its use in machine-to-machine contexts makes temporary credentials the norm, expiring rapidly if compromised, which enhances overall infrastructure safety.
- Decreased Exposure Duration: By their very nature, JIT credentials have a limited life span, narrowing the window for potential misuse and bolstering system resilience.
- Streamlined Operations: JIT simplifies administrative tasks for IT teams. There is no longer a large pool of long-lived credentials to track and rotate, which makes access management more efficient.
Setting Up JIT Access at Cimpress: A Dive into the Process
When tasked with managing secure access, the tools and platforms you employ can make all the difference. As previously mentioned, Cimpress uses Akeyless, a SaaS secrets management platform, to harness the power of Just-in-Time (JIT) access. Conor shared some insights into their setup.
In Cimpress’s JIT access strategy, the role of the secrets management system is crucial. The secrets management system had to meet two main criteria: first, to be readily accessible using JIT credentials, and second, to possess the capability to grant JIT credentials for various services within their ecosystem.
With that understanding, here’s a closer look at how Cimpress set the wheels in motion for JIT access:
- Identifying Source and Destination Points: As Conor describes, the secret manager isn’t the final destination—it’s the layover for wherever the user wants to go. Accordingly, when setting up JIT access, it’s crucial to pinpoint the starting points, where the access requests originate, and the endpoints. For Cimpress, common starting places are their AWS production infrastructure, GitLab pipelines, local machines, and on-prem infrastructure.
- Creating Seamless Connections Between Source and Destination: Leveraging Akeyless’s capabilities, you can establish connections using different authentication methods depending on the origin:
- From AWS Production Infrastructure: Utilizes IAM authentication, turning AWS into a trusted third-party identity provider, eliminating the need for any separate Akeyless access credentials within AWS.
- From GitLab Pipelines: Uses the JWT that GitLab issues to each CI job, which Akeyless is configured to trust. Akeyless verifies the token and grants access only when its claims identify the specific GitLab project or repository the authentication method is bound to.
- From Local Machines: Employs standard SSL and MFA for connection, ensuring developers don’t need to rely on permanent credentials.
- Setting Up Just-in-Time Credentials: Once connected to Akeyless, the system can issue temporary credentials. For instance, when a GitLab pipeline needs to deploy to AWS, it first authenticates to Akeyless with its JWT; Akeyless then issues the temporary AWS credentials the pipeline needs. The same pattern applies across systems, whether the target is a database or a third-party integration.
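The GitLab-to-AWS hop above, from the secrets manager’s side, as an added example that is not code from the original post, from Cimpress, or from Akeyless: it verifies the pipeline’s JWT, binds it to one project and one protected ref, and only then mints a credential with a fixed TTL. Claim names follow the shape of GitLab’s CI ID token (project_path, ref, ref_protected); the hostnames, shared key, project path and token values are constructed. The signing uses HS256 with a shared key so the example runs offline; real GitLab tokens are RS256-signed and a verifier fetches the public keys from the instance’s JWKS endpoint, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for GitLab's token signing (constructed; HS256 keeps it self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class AuthError(Exception):
    pass

@dataclass
class JwtAuthMethod:
    """Trust policy for one auth method: which pipeline tokens may obtain credentials."""
    issuer: str
    audience: str
    key: bytes
    bound_project_path: str
    bound_ref: str
    require_protected_ref: bool = True
    ttl_seconds: int = 900

    def verify(self, token: str, now: float) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise AuthError("malformed token")
        h, b, s = parts
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm
            raise AuthError("unexpected alg")
        expected = hmac.new(self.key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise AuthError("bad signature")
        claims = json.loads(_b64url_decode(b))
        # Standard claims: who signed it, who it is for, whether it is current.
        if claims.get("iss") != self.issuer:
            raise AuthError("wrong issuer")
        if claims.get("aud") != self.audience:
            raise AuthError("wrong audience")
        if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
            raise AuthError("token expired or not yet valid")
        # Bindings: turn "some GitLab job" into "this project's protected main branch".
        if claims.get("project_path") != self.bound_project_path:
            raise AuthError("token is for another project")
        if claims.get("ref") != self.bound_ref:
            raise AuthError("token is for another ref")
        if self.require_protected_ref and claims.get("ref_protected") != "true":
            raise AuthError("ref is not protected")
        return claims

    def issue(self, token: str, now: float) -> dict:
        """Mint a temporary credential for a verified caller; the caller supplies the clock."""
        self.verify(token, now)
        return {"access_key": "TMP" + secrets.token_hex(8).upper(),
                "secret": secrets.token_urlsafe(24), "expires_at": now + self.ttl_seconds}

# Constructed scenario: every value below is illustrative, not real GitLab or Akeyless data.
SHARED_KEY = b"constructed-demo-key"
NOW = 1_700_000_000.0

def gitlab_job_token(**overrides) -> str:
    """A token shaped like a GitLab CI ID token; overrides simulate other jobs."""
    claims = {"iss": "https://gitlab.example.com", "aud": "https://secrets.example.com",
              "nbf": NOW - 5, "exp": NOW + 300, "project_path": "platform/deployer",
              "ref": "main", "ref_protected": "true"}
    claims.update(overrides)
    return sign_jwt_hs256(claims, SHARED_KEY)

def demo() -> dict:
    method = JwtAuthMethod(issuer="https://gitlab.example.com",
                           audience="https://secrets.example.com", key=SHARED_KEY,
                           bound_project_path="platform/deployer", bound_ref="main")
    results = {"ok_ttl": method.issue(gitlab_job_token(), NOW)["expires_at"] - NOW}
    attempts = {  # each of these must be refused, each for a different reason
        "other_project": gitlab_job_token(project_path="intern/sandbox"),
        "feature_branch": gitlab_job_token(ref="feature/x", ref_protected="false"),
        "expired": gitlab_job_token(exp=NOW - 1),
        "wrong_aud": gitlab_job_token(aud="https://elsewhere.example.com"),
        "forged": gitlab_job_token()[:-4] + "AAAA",
    }
    for name, tok in attempts.items():
        try:
            method.issue(tok, NOW)
            results[name] = "issued"
        except AuthError as err:
            results[name] = str(err)
    return results
```

The bindings are where the security lives: a signature check alone proves only that GitLab minted the token, and without `project_path` and `ref` checks any pipeline on the instance, including one running a contributor’s merge-request branch, could obtain the production deployer’s credentials.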
In Conor’s words, establishing JIT access is akin to a “rubber stamp, copy and paste” routine. It’s about discerning the source and target, setting up the credentials, and then essentially letting the system handle the rest. “Set up your just-in-time credentials, and then forget about it for all of eternity. Once you get it set up, it’s nice and easy to do.”
Navigating the Setup Challenges
When introducing a new system, especially one as significant as Just-in-Time access, you might anticipate considerable challenges. However, Conor Mancone’s experience with the process was overwhelmingly positive, thanks largely to the capabilities of Akeyless.
Mancone shared, “A lot of these things I’m talking about, JWT authentication, IAM authentication, AWS producers, database producers—Akeyless already had all these built in. Sure, there’s a learning curve with understanding how Akeyless operates and getting things set up initially. But once you’ve grasped the concept, it’s really straightforward.”
He emphasized the efficiency gains, noting, “I can essentially spend the same amount of time to set up the JIT credentials as it would take me to issue a single credential. Once that’s done, Akeyless automates the entire process. Instead of repeatedly manually issuing a token, I set up the JIT credential once, and Akeyless handles it from there. This is where the engineering time savings becomes evident.”
However, like any technology adoption, it’s not just about the technical setup but also about adapting processes. “You have to plan for this, understand it, and integrate it the first time. But following that initial effort, you can largely forget about it. I’ve had integrations running for over a year that I haven’t had to revisit. They run smoothly without the constant worry about leaked credentials or other maintenance concerns. It’s as close as you can get to a ‘set it and forget it’ approach while maintaining top-notch security. It’s a win-win all around.”
Tools Needed for Implementing JIT
In the evolving landscape of digital security, implementing Just-in-Time (JIT) access requires robust tools. According to Conor Mancone, while many platforms can theoretically facilitate JIT, they often differ in capability, flexibility, and application.
To start, a secrets manager platform is foundational. “If you’re going to use just-in-time access, you need something to manage those credentials for you,” Mancone pointed out. This is a given. However, what is less understood is that not all systems designated as “secrets managers” are equivalent.
AWS, for instance, is a notable player that has been adapting to the changing security environment. They’ve made considerable efforts to shift away from static credentials, even actively discouraging users from creating them. As Conor observed, “AWS now actually actively discourages you from creating static credentials… they’ve got a giant screen about how creating static credentials is dangerous.” Although AWS provides various flows to access its services without creating static credentials, its primary limitation is its scope. “AWS does have a lot of just-in-time stuff built in. And as long as you’re only using AWS, it’ll be okay. But there’s not many teams that can say ‘all we ever use is AWS,’” stated Mancone.
While there are competitors in the space, they often come with limitations. Mancone shared that the previous provider, HashiCorp Vault, was lacking in automatic credential rotation features. In addition, it faced challenges in scaling within AWS due to infrastructural choices. He elaborated, “It doesn’t scale well when working with databases. It was built in the days when everybody had that one network, and we don’t live in that world anymore.” Consequently, in a multi-cloud environment, tools designed for the old paradigms might face significant integration and operational challenges when attempting to implement JIT access.
Mancone expressed a preference for Akeyless, highlighting its advantages over other solutions. But regardless of one’s tool choice, it’s clear that for a truly secure and streamlined JIT implementation, organizations must opt for tools that are adaptable, comprehensive, and designed with modern infrastructural complexities in mind.
The Impact of JIT Access Implementation at Cimpress
The adoption of Just-in-Time (JIT) access at Cimpress has yielded significant advantages:
- Efficient Access Management: JIT access has significantly lightened the administrative load associated with managing access credentials. As Conor explained, “it’s nice and easy to do” and has relieved IT teams from the tedious task of manually issuing credentials, allowing them to focus on more strategic responsibilities.
- Enhanced Security Measures: Implementing JIT access has resulted in heightened security. When organizations provide credentials only when necessary and for a limited duration, the risk of unauthorized access and data breaches becomes reduced. As Conor explained, “I don’t have to worry about credentials being leaked.”
- Scalability and Adaptability: JIT access seamlessly scales to meet Cimpress’s evolving needs and its multi-cloud environment, delivering flexibility and versatility. According to Conor, “it’s as close as you can get to set it and forget it and still be secure.”
- Operational Cost Savings: Automation inherent in JIT access has led to substantial cost savings in day-to-day operations, a point emphasized by Conor when he mentioned, “instead of having to manually issue a token every time somebody needs it, I can spend just a fraction of that time to set up just-in-time credentials once.”
These outcomes underscore the transformative impact of JIT access on Cimpress’s security and operational efficiency, as it aligns with Conor’s observation: “It’s a win-win all around.”
Conclusion: A Secure and Efficient Future
In the ever-changing realm of technology and security, Cimpress’s embrace of Just-in-Time (JIT) Access, guided by Conor Mancone, Principal Application Security Engineer, exemplifies a transformative approach to secrets security. JIT Access, in collaboration with Akeyless, a SaaS secrets management platform, offers a path to better security and operational efficiency.
This shift from prolonged access permissions to timed credentials significantly reduces security vulnerabilities while simplifying administrative tasks. The advantages of JIT Access extend beyond human interactions, enhancing safety in machine-to-machine contexts with short-lived, precisely timed permissions. Cimpress’s JIT Access journey mirrors a broader shift in the industry towards fortified security and streamlined operations. In a continually changing tech landscape, JIT Access emerges as an innovative approach, aligning security and efficiency seamlessly—a true “win-win all around.”
Akeyless Security, the company behind the Akeyless Vaultless Platform, is at the forefront of secure secrets management in the cloud. As showcased by Cimpress’s successful implementation of JIT Access, Akeyless offers a cutting-edge solution that not only enhances security but also simplifies operations. With up to a 70% reduction in costs compared to traditional vaults, Akeyless is designed for modern organizations seeking efficient secrets management. The platform leverages patented technology, Distributed Fragments Cryptology (DFC™), to ensure the highest level of security, distributing secrets across the cloud for unparalleled protection. If you’re ready to transform your security strategy and embrace JIT Access with ease, Akeyless is your trusted partner. Discover how Akeyless can empower your organization and drive efficiency—schedule a demo today.