Welcome

Abbey is a platform for security teams to automate and secure access to sensitive data.
With Abbey, you can improve your security and compliance programs by automatically controlling and right-sizing permissions so that the risk from unauthorized access is limited in the event of a breach.
You do this by leveraging your normal Infrastructure as Code (IaC) tooling — Terraform, CI/CD systems, secrets managers, and Terraform wrappers. Abbey provides a Terraform plugin that extends your Infrastructure as Code capabilities from Infrastructure to Identity, Access, and Management (IAM).

How does Abbey work?

Abbey acts as a companion to your existing infrastructure by automating access management for you. Your employees request access, Abbey collaborates with your infrastructure to provision access, they use the resources, and access is revoked when they're done.
Figure: Requesting access with Abbey.
The core of Abbey consists of 3 components:
  1. The Abbey Terraform Provider that you use to delegate access management to Abbey.
  2. The Abbey Platform contains Abbey's Policy Evaluation Engine and Workflow Engine.
  3. The Abbey App for your employees to discover resources and request access and for your security teams to get visibility into identity and access.
The high-level flow of Abbey has 3 stages:

Delegate Access

In order to delegate automated access management to Abbey, you use the Abbey Terraform Provider and add Grant Kit resources to your existing Terraform setup.
Figure: Delegate access to Abbey using Terraform.
A Grant Kit is a Terraform resource that represents any resource in your infrastructure that you want Abbey to manage for you. You define and configure a Grant Kit for resources, add Access Policies, and deploy normally. The deploy registers your resources with Abbey and effectively says "Hey Abbey, from this point forward, please manage permissions for these resources for me."
Resources can be arbitrarily granular and point to any resource you want as long as it's available in the Terraform Registry.

Request Access

After registering your resources with Abbey, your employees can discover and request access to them through familiar UI and chat-based experiences.
Figure: Employees discover and request access.
When someone requests access, Abbey will stage the new permission change in a Pull Request for you. Abbey leverages Pull Requests and Git history to give you secure native capabilities around audit logs and visibility to simplify your compliance story.

Grant and Revoke Access

Figure: Abbey automates granting access.
Once your CI/CD checks pass for the Pull Request, Abbey will start the Grant Kit process for granting access.
First, Abbey will evaluate your Access Policies. If any of these policy checks produce a violation, Abbey will automatically deny the access request for you and close the Pull Request.
If the policy checks pass, then Abbey will trigger your approvals workflow and route notifications to the right reviewers to approve or deny the access request. If anyone denies the request, Abbey will again close the Pull Request for you. If all approval conditions are met, then Abbey will merge your Pull Request and materialize the access changes from the request. At this point, the employee will be able to access the resource.
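The gate order described above (CI checks, then Access Policies, then reviewers), modelled as an added example; it is not Abbey's code or API. The `AccessRequest` shape, the `no_prod_for_contractors` policy, and the rule that every listed reviewer must approve are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    WAITING_ON_CI = "waiting on CI checks"
    DENIED_BY_POLICY = "policy violation, PR closed"
    DENIED_BY_REVIEWER = "reviewer denied, PR closed"
    WAITING_ON_REVIEW = "waiting on reviewers"
    GRANTED = "approved, PR merged"

@dataclass
class AccessRequest:
    requester: str
    resource: str
    ci_passed: bool
    # reviewer -> True (approve), False (deny), None (no answer yet)
    reviews: dict = field(default_factory=dict)

# Hypothetical Access Policy stand-in: returns a violation message or None.
def no_prod_for_contractors(req):
    if req.requester.startswith("contractor-") and req.resource.startswith("prod/"):
        return "contractors may not access prod resources"
    return None

def evaluate(req, policies):
    """Return (Outcome, audit trail) in the stage order the text describes."""
    trail = []
    if not req.ci_passed:
        return Outcome.WAITING_ON_CI, trail
    violations = [v for p in policies if (v := p(req)) is not None]
    if violations:  # deny before any reviewer is notified
        trail += [f"policy violation: {v}" for v in violations]
        return Outcome.DENIED_BY_POLICY, trail
    trail.append("policies passed; reviewers notified")
    denied = sorted(r for r, d in req.reviews.items() if d is False)
    if denied:  # one denial is enough to close the request
        trail.append("denied by " + ", ".join(denied))
        return Outcome.DENIED_BY_REVIEWER, trail
    # Assumption: every listed reviewer must approve; no reviewers means no grant.
    if not req.reviews or any(d is None for d in req.reviews.values()):
        return Outcome.WAITING_ON_REVIEW, trail
    trail.append("all approvals met")
    return Outcome.GRANTED, trail

if __name__ == "__main__":
    # Constructed sample requests.
    for r in [AccessRequest("contractor-eve", "prod/db", True, {"bob": True}),
              AccessRequest("alice", "prod/db", True, {"bob": True, "carol": None})]:
        print(r.requester, evaluate(r, [no_prod_for_contractors]))
```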
Abbey works well with your preferred Terraform setup, whether it's Terraform natively or using one of the many wrappers such as Atmos, Spacelift, Terragrunt, or Terraspace.
Once the employee is done using the resource, you can have their access automatically revoked. Revocation can be configured for a number of use cases, such as on-/offboarding for new hires or team changes, on-call rotations, and more.
Figure: Abbey automates revoking access.
Abbey's Policy Evaluation Engine is a distributed runtime that continuously evaluates your Revocation Policies. If any of these policies result in a revoke, then Abbey performs the same steps it did for granting permissions, but this time for revoking permissions. Abbey will generate the appropriate change in Terraform and leverage your infrastructure to materialize the revocation changes.
To maximize interoperability with other systems, Abbey uses Open Policy Agent (OPA) Policies with rules written in Rego.
Rego rules are written against the Abbey OPA Constraint Framework, which is a minimal version of the OPA Constraint Framework.

Why Abbey?

Throughout a company's lifecycle, people need access to things to do their work. Ideally, they should only have just enough access to do their jobs and no more. That way, when they do get breached, the risk radius is limited because they wouldn't have overly-permissive access.
However, the reality is that security teams are over-extended across many initiatives, don't have enough budget, and don't have tooling that works well and fits their existing software development processes. This makes managing access hard, and even harder at scale, because as a company grows, more people are added, more systems are onboarded, and access to these systems changes constantly. There are 3 ways to solve this problem.
First, you ignore it. Probably not a good idea.
Second, you can manually manage access. Ticketing systems, back-and-forth interactions, validating identities, searching through history for compliance — this is the status quo today. Businesses have even had success in this approach today. But that leaves the problem solved or unsolved at the cost of time, energy, and value-adding work. As you scale, you can keep doing it manually and see more cost trade-offs or perhaps even devolve back into ignoring the problem.
The third way is automation.
With automation, you can leverage benefits from Infrastructure as Code and the software development lifecycle broadly. Being verifiable, testable, reproducible, auditable, and automated are desirable properties when it comes to managing access to sensitive data. These properties aren't easily achieved through manual processes. Abbey helps you automate and be more secure without being intrusive. You get to use your typical development tooling, your CI/CD systems, and your own IaC setup. Permission grants are manifested back into your VCS using open tooling and formats so access can function even without the presence of Abbey.

Next Steps

You can start automating access requests in just a few minutes by trying out the Quickstart or visiting one of our Tutorials.