Enforce Least Privilege & Separation of Duties during Continuous Deployment

Feb 2, 2023 by Stephen Atwell

Role-based access controls (RBAC) are an essential part of any secure Continuous Deployment Platform. RBAC enables enforcement of the principle of least privilege by limiting access to applications and services to the minimum set of users. RBAC enforces separation of duties through role-based manual approvals. This helps to meet these common requirements and provides an additional layer of security within your DevOps organization.

This blog post discusses how Armory Continuous Deployment-as-a-Service uses automation and role-based access controls to ensure that changes to production applications are properly reviewed before being released. It also describes how to restrict application access by role. Finally, we’ll provide an overview of the Armory platform’s capabilities, including tenant and role management, configuration as code, and role-based approvals.

What Are Role-Based Access Controls?

RBAC is a security system that allows administrators to limit access based on the roles of users. This ensures that only authorized users can access or modify sensitive data and systems, and can require certain users to perform certain tasks in order to ensure separation of duties.

RBAC uses roles to define permissions. Each role has its own set of permissions and restrictions. For example, a user with the “administrator” role might be able to access all applications and services, while a user with the “WebUI developer” role might only be able to access the deployment of the Web UI service.

Separation of Duties

Many companies have SOC controls that ensure their applications are stable and secure. SOC often requires a separation of duties: Code requires approval before production deployment. This often takes the form of manual role-based sign-offs. For example, someone from QA may need to sign-off that tests passed, and someone from InfoSec may need to sign off that security scanners passed. Until you implement full automation, role-based approvals allow you to enforce and audit separation of duties around these tasks within your deployment pipeline.

Historically these process typically starts with a developer creating a change request. An authorized user must review this request. If approved a release manager deploys the change to production.

Using Role-Based Approvals to Enforce Separation of Duties

Using CD-as-a-Service developers can now start the release automation process. When the code is ready for approval the required approver can be notified, and simply click a button. After approval the change deploys automatically. This prevents unauthorized changes. It also provides visibility into manual processes so that they can be automated.

To enable separation of duties Armory Continuous Deployment-as-a-Service allows any Manual approval to optionally specify a list of roles. Only a user with one of these roles is able to issue the approval. Other users can see that an approval is needed, and can see the list of roles authorized to issue it. This example shows an environment, Security-Scanning, that requires an approval by the InfoSec role before it will proceed to any downstream environments.

  Security-Scanning:
    account: demo-staging-cluster
    strategy: rolling
    constraints:
      afterDeployment:
      - pause:
            untilApproved: true
            requiresRoles:
            - InfoSec
Other users can see who must approve.

Moving Beyond Role-based Approvals

While role-based approvals are a great way to start on your CD journey, many companies remove manual approvals from their deployment pipeline long-term. Once automation of a manual check is available it can replace the manual approvals. The role that approved the change can instead approve changes to the automation to continue enforcing separation of duties. Audits should check the approval of automation changes. Audits should also check that all changes were approved by the automation.

Enforcing Principle of Least Privilege Through Tenants

Armory CD-as-a-Service can break it’s configuration up into multiple secure tenants. This allows particular applications or teams to have their own dedicated security zone within Armory CD-as-a-Service. A tenant contains a set of Kubernetes clusters, applications, secrets, etc. Roles grant a particular access level within the scope of a tenant. Grant one or more roles to each user to give them access to their team’s resources. This allows you to easily break your application access up by team, while still supporting users who need access to applications owned by multiple teams.

The High-Level CD-as-a-Service Security Model. Tenants enable enforcement of the principal of least privilege during continuous deployment.

The principal of least privilege requires that teams have access to the minimum permissions needed to do their job. Enforce least privilege by creating a tenant per team and giving each tenant only the resources needed for that team’s applications.

Maintaining your RBAC as Code

Modern source control systems allow advanced permissions, automated validation and change control. They are also familiar tools for the typical team setting up a CD tool. Because of this Armory CD-as-a-Service took an ‘as-code’ approach to implementing it’s RBAC rules. CD-as-a-Service defines the RBAC configuration as yaml. You can update this yaml through git, just like any other code. When changes occur, your CI system can invoke the Armory CLI to automatically apply the updated RBAC configuration. This provides full audibility and change control to ensure your security configuration is itself secure.

This example RBAC configuration for Armory CD-as-a-Service creates a tenant-restricted ‘admin’ and ‘non-admin’ role for each of two teams.

tenants:
- Team1
- Team2
roles:
    - name:Team1 Member
      tenant: Team1
      grants:
        - type: api
          resource: deployment
          permission: full
    - name:Team1 Admin
      tenant: Team1
      grants:
        - type: api
          resource: tenant
          permission: full
    - name: Team2 Member
      tenant: Team2
      grants:
        - type: api
          resource: deployment
          permission: full
    - name: Vanguard Admin
      tenant: Team2
      grants:
        - type: api
          resource: tenant
          permission: full

Conclusion

Role-based access controls are an essential part of any secure IT infrastructure. By limiting access to certain tenants, companies prevent users from modifying other team’s applications. Platform teams and developers can also leverage role-based approvals to ensure separation of duties within their application.

The Armory platform provides an automated and secure way to manage role-based access controls. It includes features such as tenant and role management, configuration as code, and role-based approvals. These features prevent users from making unauthorized changes. Do you want a secure and flexible CD solution for Kubernetes that can leverage RBAC to ensure the principle of least privilege and separation of duties? Sign up to try Armory CD-as-a-Service for free today.

Share this post:

Recently Published Posts

What to Look For in Software Delivery Automation Tools

Mar 17, 2023

Software delivery automation tools can accelerate and improve the deployment process. DevOps engineers know that quickly delivering high-quality software to customers is critical to maintaining their company’s competitive advantage. Yet, enterprises often need help with implementing modern software delivery practices.   The market offers many software delivery automation products, each with different features. Choosing the […]

Read more

Release Roundup – March 2023

Mar 16, 2023

Spring has sprung and the Armory crew is feeling the good vibes. Across our continuous deployment solutions, we’re adding features and updates to make developers’ lives easier and help organizations enable better deployment practices at scale.  Here’s how you can stay in the loop on the latest releases, keep up with our various products, as […]

Read more

New Spinnaker Operator Updates Now available for the Spinnaker Community

Mar 15, 2023

Stay up-to-date with the latest Kubernetes release with Spinnaker. The Armory crew has worked diligently the past several weeks to release a new stable version of OSS Operator (1.3.0). This is the first release in just over 18 months and is now available for the open source community.  What Changed? The Spinnaker Operator is the […]

Read more