How to automate access revocation to maintain least privilege for DevOps
A big, often overlooked, part of access management is revoking access; de-provisioning access, removing group membership and deleting orphaned accounts.
Apono helps automate this process as part of the entire access lifecycle it manages:
The admin defines the access lifetime per app, environment, resource and permission
The user requests access with Slack, Teams or CLI
According to each Access Flow, access is approved automatically or by approver(s)
When the access lifetime ends, Apono revokes the access for you automatically
All requests, approvals, grants and revocations are fully audited
Congratulations! You just automated the complete access lifecycle, saving time and resources and reducing standing access.
Apono also serves as your central control tower for shut-down. In case of an emergency or incident, you can revoke all active access directly from Apono:
Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you want) can revoke access
End users can revoke their own access
With Apono, admins and approvers have full control over who can access what:
Admins can define Access Flows with automatic revocation
Admins can find all active access and revoke it
Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you want) can revoke all the active access they approved
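The lifecycle and revocation controls described above, modelled as an added Python example (an illustration written for this page, not Apono's code; the class and method names, the scope tuple and the integer-second clock are all assumptions):

```python
# Constructed model of the lifecycle above (an illustration, not Apono's code): the
# admin sets a lifetime per scope (app, env, resource, permission), an approved request
# becomes a time-boxed grant, a sweep revokes expired grants, and users, approvers or an
# admin can revoke early. Every grant and revocation is appended to an audit trail.
# Times are integer seconds (e.g. int(time.time())) to keep the example self-contained.
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    scope: tuple            # (app, env, resource, permission)
    approver: str           # "auto" when the Access Flow approved without a human
    expires_at: int
    active: bool = True

@dataclass
class AccessLifecycle:
    lifetimes: dict         # admin-defined Access Flows: scope -> lifetime in seconds
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def grant(self, user, scope, approver, now):
        # Called once the Access Flow has approved the request (automatically or by approver).
        ttl = self.lifetimes[scope]     # no Access Flow for this scope -> KeyError, no grant
        g = Grant(user, scope, approver, now + ttl)
        self.grants.append(g)
        self.audit.append(f"{now} GRANT {user} {scope} approver={approver} ttl={ttl}s")
        return g

    def revoke(self, g, actor, now, reason):
        if g.active:                    # idempotent: a grant is revoked and audited once
            g.active = False
            self.audit.append(f"{now} REVOKE {g.user} {g.scope} by {actor}: {reason}")

    def active_grants(self):
        return [g for g in self.grants if g.active]

    def sweep(self, now):
        # Scheduled job: revoke every grant whose lifetime has ended.
        for g in self.active_grants():
            if now >= g.expires_at:
                self.revoke(g, "system", now, "lifetime ended")

    def revoke_all(self, actor, now, approver=None, user=None):
        # No filter = emergency shut-down; approver= limits to grants that approver
        # approved; user= lets an end user drop only their own access.
        for g in self.active_grants():
            if approver in (None, g.approver) and user in (None, g.user):
                self.revoke(g, actor, now, "manual")
```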
It's hard to keep track of all the active access in the organization. Access can be granted in the IdP to users and groups, and users can also be granted access directly in each app's IAM portal through roles, permission sets or user accounts (personal or shared).
This causes access drift, shadow admins, orphaned accounts, partial offboarding and unused access, all of which increase downtime and attack risk.
Apono lets you find out who has access to what in the organization:
Before and after: take standing access for users and groups and turn it into dynamic, just-in-time, on-demand, temporary access that is easy to manage and fully audited.
Admins can use the Apono UI to find and revoke all active access