
Connecting IT and OT . . . securely and seamlessly

secure automation platform connecting IT and OT

Many organizations prefer to keep IT and OT as separate as possible, and for good reason. From a security standpoint, this seems wise. But in truth, that separation is becoming unrealistic, and IT and OT share a lot of common ground. Creating more rigid barriers between the two consumes time and budget, and it also undermines your security, because users inevitably look for back doors. At BRYXX, we believe there’s a better way.

In previous blog posts, we’ve highlighted how reducing rework and busywork frees up time and increases the quality of code your teams produce. We also introduced a controversial idea: building an internal development platform that allows easier, cheaper, and safer development, while also automating and securing the resource plane so that the safest way is also the easiest.


The next step

But what if we were to include OT and the separation between IT and OT on the same automated resource plane? And what if we were to do this so securely and seamlessly that the end user wouldn’t even think about whether they’re in the IT or OT environment? Crucially, this is done without the complex separation of IT and OT and without making the internal development platform a single point of failure. To achieve this, we completely disable SSH access.

The principle remains the same: you rapidly and securely develop IT applications with added value on a platform and then roll them out to a fully automated IT or OT environment. If there is still a separation between IT and OT, the internal development platform functions as a relay between the two, delivering highly secure IT and OT, without any friction.

The right authorization

But doesn’t that security have to be particularly stringent? Yes! The OT environment must remain highly protected. Only a few authorized persons should have access to it, and in the ideal situation, everything would be automated according to a strictly defined scenario. Only a handful of people would have the right to allow traffic between IT and OT.

We also take the route of maximum automation to secure the OT environment, so that no one has to make manual changes. Again, everything runs on the platform and is audited, standardized, watertight.

If OT solution suppliers need to log in remotely for maintenance or updates, this is still possible thanks to the use of a privileged access management tool. If you’ve thought carefully about how to separate IT and OT without making life difficult for yourself, and you suggest the same easy, secure access method to your vendors, there’s every likelihood that they’ll comply without issue.

Temporary SSH? Also an option!

If your supplier resists this form of access, we can easily build in a feature that allows them the necessary access. Incidentally, just because SSH is disabled by default doesn’t mean that it always has to stay that way. You could leave SSH disabled for your day-to-day operations and then enable it when it’s time for maintenance, updates, or upgrades, as long as you carry out an SSH audit at the time.

Switching between different modes demands little in the way of effort. The total automation of the IT and OT environments means that it’s much simpler and safer to switch from one mode to the other, within one platform that automates, unlocks, and includes IT and OT. For us, that is the happy medium between security and user-friendliness, without introducing unnecessary complexity.

Want to know more about what BRYXX can do for the security of your IT and OT?