Skip to content

Enhancing Security and Compliance in Break Glass Workflows with Rafay

Maintaining stringent security and compliance standards is more critical than ever today. Implementing break glass workflows for developers presents unique challenges that require careful consideration to prevent unauthorized access and ensure regulatory compliance.

In the previous blog, we introduced the concept of break glass workflows and why organizations require it. This blog post delves into how Rafay enables Platform teams to orchestrate secure and compliant break glass workflows within their organizations. Watch a video recording of this feature in Rafay.

Secure Break Glass Workflow Implementation

Consider a scenario where a developer needs temporary access to a namespace in a production cluster to debug a critical issue. Below is a typical workflow that the Platform Team would want to enable:

  1. Access Request Submission: The developer initiates a request for temporary access to the specific namespace via an external system such as ServiceNow or JIRA. This ensures that all requests are logged and traceable.

  2. Approval Process: The request undergoes a thorough review and must be approved by authorized personnel. This step is crucial for enforcing access policies and maintaining compliance with internal and external regulations.

  3. Automated Access Provisioning: Upon approval, the external system communicates with Rafay via a secure API call to grant temporary access to the developer. This automated process minimizes human error and ensures that access rights are provisioned accurately and promptly.

  4. Automatic Access Revocation: Rafay automatically revokes the developer's access after a predefined expiry period. This eliminates the risk of lingering privileged access and aligns with best practices for access management.

sequenceDiagram
    participant User
    participant ServiceNow/JIRA
    participant Approver
    participant Controller/Orchestrator
    participant Cluster

    User->>ServiceNow/JIRA: Request to access a namespace temporarily    
    Approver-->>ServiceNow/JIRA: Approves user's request
    ServiceNow/JIRA->>Controller/Orchestrator: API call to assign "temporary access to a namespace"
    User->>Cluster: Downloads kubeconfig
    User->>Cluster: Performs necessary operations
    Note right of Controller/Orchestrator: Access revoked after configured time expiry
    User->>Controller/Orchestrator: User no longer has access

Below is an example JSON payload illustrating how a developer (demos@rafay.co) is granted temporary access to the prod-app-namespace for an hour on a production cluster:

{
  "apiVersion": "system.k8smgmt.io/v3",
  "kind": "BreakGlassAccess",
  "metadata": {
    "name": "demos@rafay.co"
  },
  "spec": {
    "groups": [
      {
        "groupExpiry": [
          {
            "expiry": 1,
            "name": "prod-app-namespace",
            "startTime": "2024-10-17T06:30:50.366Z"
          }
        ],
        "userType": "local"
      }
    ]
  }
}

Flexible Access Management Options

Beyond API integration, Rafay offers multiple interfaces - UI, Terraform (TF), and RCTL for the Platform Team to manage temporary user access. This flexibility allows organizations to choose the method that aligns with their operational policies and compliance requirements.

Comprehensive Audit and Monitoring

Every assignment and revocation of temporary access is meticulously recorded as an audit event within Rafay. These audit logs are crucial for compliance audits and can be:

  • Exported as CSV files for reporting and archival purposes
  • Streamed in real-time to the organization's Security Information and Event Management (SIEM) systems, such as Splunk, for continuous monitoring and threat detection

Audits

Enhanced Visibility and Control

Rafay provides the Platform Team with full visibility into all users who have temporary access across the organization. This centralized view is essential for:

  • Ensuring adherence to the principle of least privilege
  • Quickly identifying and revoking unnecessary or unauthorized access
  • Generating reports for compliance audits and internal reviews

Visibility

Summary

Rafay empowers organizations to integrate with external systems like ServiceNow for secure approval workflows, ensuring that break glass access is granted in strict alignment with security and compliance policies. By providing centralized visibility and capturing extensive audit events, Rafay enhances transparency and accountability throughout the access management process. Implementing break glass workflows securely enables organizations to respond swiftly to emergency situations in production environments without compromising on security or regulatory compliance.