Finding the right balance of speed and security through just-in-time access to cloud resources

How Ramp achieved just-in-time access in AWS

Julien Colombain
11 min read, intermediate

Overview

This article discusses the implementation of just-in-time (JIT) access to cloud resources at Ramp, focusing on balancing speed and security for backend engineers. It outlines the challenges faced with traditional IAM roles and how fine-grained access control and automation through ConductorOne improved workflows and security.

What You'll Learn

1. How to implement just-in-time access provisioning for cloud resources
2. Why fine-grained access control enhances security in cloud environments
3. When to utilize automation tools like ConductorOne for access management

Prerequisites & Requirements

  • Understanding of AWS IAM roles and policies
  • Familiarity with ConductorOne and Terraform (optional)

Key Questions Answered

What is just-in-time access and how does it work?
Just-in-time access is a security practice that grants users temporary access to specific systems and resources for a limited predefined period. This approach minimizes exposure to threats by allowing engineers to access production environments only when necessary, thereby reducing the window of vulnerability.
How did Ramp restructure IAM permissions to improve security?
Ramp transitioned from three broad IAM roles to over twenty fine-grained access control roles, allowing for clearer ownership and accountability among engineering teams. This restructuring enabled engineers to have tailored access based on their specific responsibilities, enhancing both security and operational efficiency.
What benefits did Ramp experience from implementing JIT access?
The implementation of JIT access significantly improved security by reducing potential breach windows, enhanced data protection, and increased user trust. It also aligned with regulatory compliance frameworks like SOC 2, demonstrating adequate controls and safeguarding customer data.
What challenges did Ramp face when onboarding engineers to the new access system?
Onboarding hundreds of engineers to the new access system proved challenging due to the need for comprehensive planning, communication, and support mechanisms. Clear documentation and ongoing assistance were crucial to ensure a smooth transition and rapid adoption of the new system.

Key Actionable Insights

1. Implementing just-in-time access can significantly enhance your organization's security posture.
   By allowing engineers to access production environments only when necessary, you minimize the risk of unauthorized access and potential breaches.
2. Establish clear ownership of resources within your engineering teams.
   Defining who is responsible for different system aspects ensures that access controls align with operational needs and security considerations, streamlining decision-making.
3. Invest in automation tools for access management early in your development process.
   Choosing the right tools like ConductorOne can save time and resources, preventing costly security breaches and optimizing development cycles as your company scales.

Common Pitfalls

1. Failing to establish clear system ownership can lead to inefficiencies and security gaps.
   Without defined responsibilities, access controls may not align with operational needs, leading to conflicts in authorization and potential security vulnerabilities.
2. Neglecting the onboarding process for new systems can hinder adoption.
   Inadequate planning and support during onboarding can result in productivity losses and resistance to change, ultimately undermining the value of the new system.

Related Concepts

IAM Roles And Policies
Access Management Best Practices
Cloud Security Frameworks