The following is a work of fiction. However all the solutions are real things I’ve attempted in my time as a Cloud Consultant.
Image this, you’re minding your own business when an empowered developer pops out of nowhere. They need to get an application deployed. You begin to open your mouth but they quickly add that you don’t need to worry! They built it properly and it’s ready to deploy. It works not just on their laptop but on the dev environment in the cloud as well.
“So what’s the problem?” you ask, “can’t you just deploy it yourself?” Well yes, except the app contains some sensitive data. It’s really more of an internal tool, except for a few clients and a vendor or two”. Ah, you nod knowingly. Exposing an application is like setting up a printer, you’d think it would be easy, you’d think there would be established patterns and that you could automate or at least make a process for a solution. It seems like there are always new ways, new tools, new techniques but alas, for some reason every time is like starting from square one. “Lets explore some options” you find yourself saying.
- Expose the app publicly.
This is fine if your app is supposed to be public, but for an internal tool with privileged access that had limited budget you might want to reconsider. Besides, if its public then security/legal/marketing will need to approve it, and that’s gonna take time, plus considering the info it contains that will need a code review and pentest, and I’m guessing that there’s no budget for that. - Put it behind the VPN
Awesome, problem solved. Except for those outside parties who need access… - Public network access but with whitelisting IPs
Ok I think this one might work. You make it publicly routable but restrict access using firewall rules to the VPN egress points and the outside parties IPs. Of course the way the network is setup means that it won’t work for people accessing it from within the network. That can be solved with split tunneling but I think they disabled it for all those people working on government projects or using iPads for some reason. - Bulk auth on the LB, use an Identity aware proxy (or cognito) for users and VPN for engineers
This would work fine, except that the AD team isn’t gonna let us link in and the okta “integration” seems to have silenium as a dependency… - Web application proxy
Ok, we got this. We can use Okta for auth and since we have our own app we got corporate identity and guests. Just needs a connector in the subnet. Developers can just use the VPN. Ah wait, we’re out of licenses and they won’t buy more because they’re “about to” standardize on a new project (any day now…) - Zero trust enterprise solution
Basically a client creates an encrypted tunnel directly to the app, kinda like a cross between the web app proxy and a VPN. We even have license for it! Wait, there’s no way a client or vendor is gonna be allowed to install that. - Open source version of the above
Similar to the above, but open source probably allowed on clients laptops. Except of course the only ones that actually work require typing things in the CLI… What kinda clients are these anyway? - Write a custom app to generate temporary restricted endpoints
Ok here’s the plan. Write a lightweight app, that handles auth… when a user logs in they can click a button and it opens a port on the LB restricted to the callers IP. After an hour or so the session closes. This will only take a few weeks tops at.. wait the demo’s scheduled for Tuesday?
You pause, all out of ideas. The empowered developer just looks at you. After a long pause a look of dismay appears and they open their mouth “I mean I could just rewrite the thing for sharepoint”.
“Yeah…” you respond, “that’s probably for the best”
