Falon Darville for Zero Assumptions

Simplify Auditing with Zero Assumptions

Zero Assumptions is a simple-to-configure access control that monitors engineers' work. Use your own Identity Provider (IDP) and build out your highly customizable configuration using our uncomplicated parameters.

For engineers, Zero Assumptions is easy to use and low effort. They log into the IDP and connect to the desired resource. No slowdown for them, and no assumptions for you.

Zero Assumptions purposefully enables organizations to create audit trails. It covers the missing authentication, authorization, and audit pieces. We provide the information that administrators need to hold their users accountable for their actions.

Password Deep Dive

Password sharing means that multiple individuals use the same password to authenticate and perform tasks. It's bad practice. Let's get into some specific reasons why.

The practice of sharing passwords poses many issues and complications, including the following:

  • Rotating shared passwords is a nightmare. There's no certainty around who is using the password, so some individuals may need to be tracked down so the new password can be shared with them. Some individuals may get locked out, and the new password may be shared over unreliable channels, opening it up to use by unintended individuals.
  • Every time an individual off-boards or needs to lose access to an account, someone has to remember to change the password. It's easy to forget and leave the account open to unwanted access.
  • It's easy to use a password manager to store and populate website passwords. It's more convoluted to use a password manager for databases and servers.
  • Auditing actions on a shared password account is hard, and sometimes nearly impossible.
  • If a password is leaked and steps are taken to recover the account, then all users will be locked out.

To prevent getting into the password trap, we recommend:

  • Don't wait until password sharing becomes a problem. Assess your situation early to come up with an alternative.
  • When determining if a solution is right for you, imagine it at scale. What's it going to be like to manage the solution for many times more resources and people?
  • Understand that more passwords are not the solution.

At the end of the day, the purpose of a password is to provide access and associate that access with an identity. With Zero Assumptions, we're particularly interested in the auditing aspect, which is why shared passwords are never in the equation. Let's look at how we associate individuals to their actions.

Auditing and Individual Identities

With shared passwords, audit trails cannot be trusted. Multiple people use the same credentials, so it's hard to tell who is doing what. Who's running a very long query in production? Who downloaded all of your customers' social security numbers on a Friday night?

You need to be able to authenticate for accountability, and you can't do this without uniquely authenticating all users and/or all user devices.

Being unable to identify who's performing certain actions also won't pass audits for certifications like SOC 2 Type 2 or PCI DSS.

With Zero Assumptions, you're partway to fulfilling certification criteria since you're accounting for self-managed off-boarding.

Reduce Password Usage

Zero Assumptions lets you bring your own IDP: Google Workspace, Okta, and generic OIDC. With an IDP, you don't have to manage many users separately across many services.

Your users won't have to remember yet another password, and they'll be individually identified. All their actions will be directly associated with them.

Stay Connected to Zero Assumptions

Follow us here on DEV, Twitter, and LinkedIn.

Read more about Zero Assumptions.
