Feb 22, 2023
How to Automate On-Call Access Management with Opal and PagerDuty
Managing engineering permissions for on-call rotations is really hard
After speaking with many developer operations teams, we have learned that most companies struggle with on-call access management. Companies need to make difficult trade-offs between security and agility.
Indexing on agility increases security risk
Not having the required permissions to triage urgent issues has forced many companies to provision engineers with permanent admin access to production systems – often through birthright access. This significantly increases the risk from compromised engineers because they have privileged access all of the time – even when they don’t need it.
Indexing on security increases operational burden
On the other end of the spectrum, companies can choose to revoke all access to production systems. Anyone who requires access must make a request, which will be manually triaged. Although this practice guarantees a much stronger security posture, it also greatly increases the operational overhead and can severely impact response times if there are any errors.
Opal and PagerDuty have partnered together to automate on-call access management
Opal and PagerDuty have partnered to build a new approach. Revisiting the principle of least privilege – granting the right level of access to the right people for the right amount of time – Opal and PagerDuty have re-defined on-call access management to enable customers to adopt both security and agility.
In this blog post, we will break down “granting the right level of access to the right people for the right amount of time” in the old and new way.
Granting the right level of access
The Old Way
Engineers have full admin access (eksadmin or administratoraccess) as a result of being part of multiple Okta groups
The New Way
Using Opal native integrations, admins can bundle fine-grained resources into an Opal on-call group.
To the right people
The Old Way
Teams of engineers have access to production systems based on static job functions
The New Way
By integrating with specific PagerDuty schedules, Opal can grant privileged access based on dynamic needs, such as whether an engineer is on-call or not
For the right amount of time
The Old Way
Engineers have permanent production access even if they do not need it
The New Way
Opal’s PagerDuty integration will grant privileged access to engineers when they are on-call and revoke it when they are off-call
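The grant-when-on-call, revoke-when-off-call logic described above can be sketched as a reconciliation step. This is an added example, not Opal's or PagerDuty's code: the shift record shape, the user names, and the function names are assumptions, and no real API is called.

```python
from datetime import datetime

# Constructed sample shifts for one on-call schedule. The record shape and the
# user names are assumptions, not the PagerDuty or Opal API format.
SHIFTS = [
    {"user": "alice", "start": "2023-02-20T09:00:00+00:00", "end": "2023-02-27T09:00:00+00:00"},
    {"user": "bob", "start": "2023-02-27T09:00:00+00:00", "end": "2023-03-06T09:00:00+00:00"},
    # Override: alice covers a few hours inside bob's week.
    {"user": "alice", "start": "2023-03-01T18:00:00+00:00", "end": "2023-03-01T23:00:00+00:00"},
]


def on_call_at(shifts, now):
    """Return {user: shift_end} for shifts covering `now` (end is exclusive)."""
    active = {}
    for shift in shifts:
        start = datetime.fromisoformat(shift["start"])
        end = datetime.fromisoformat(shift["end"])
        if start <= now < end:
            # A user can hold overlapping shifts; keep the latest end time.
            active[shift["user"]] = max(end, active.get(shift["user"], end))
    return active


def reconcile(shifts, members, now):
    """Diff the on-call group's current members against the schedule.

    Returns (grants, revokes). grants maps user -> expiry, so access lapses at
    shift end even if this job stops running; revokes lists members who are
    not on call now, including anyone holding leftover standing access.
    """
    active = on_call_at(shifts, now)
    grants = {user: end for user, end in active.items() if user not in members}
    revokes = sorted(set(members) - set(active))
    return grants, revokes


if __name__ == "__main__":
    handoff = datetime.fromisoformat("2023-02-27T09:00:00+00:00")
    # carol is a constructed example of standing access left from the old model.
    print(reconcile(SHIFTS, {"alice", "carol"}, handoff))
```

At the handoff instant the outgoing engineer is already off call because shift ends are exclusive, so there is no window in which both engineers hold the privileged group.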
About Opal
Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.
Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.
About PagerDuty:
PagerDuty is the leading SaaS incident response platform. To learn more about the integration, PagerDuty and Opal have created documentation on the integration.