Open-source tool for security engineers helps automate access reviews
ConductorOne open-sourced their identity connectors in a project called Baton, available on GitHub. Each connector gives developers the ability to extract, normalize, and interact with workforce identity data such as user accounts, permissions, roles, groups, resources, and more, so they can audit infrastructure access, start to automate user access reviews, and enforce the principle of least privilege.
Understanding user permissions across internal applications and infrastructure is a tedious exercise, requiring downloads or screenshots from each app, makeshift Python scripting, inconsistent spreadsheets of unstructured data, and a never-ending cycle of that data going stale.
Security engineers are tasked with getting this identity data to secure infrastructure access, to run user access reviews, and to investigate security incidents. Without the identity data in a normalized format, none of those tasks can be accomplished without a lot of manual effort and time.
With the belief that identity data should be visible, understandable, extensible, and usable for anyone, engineers spent over two years building Baton, and are now making it available to everyone.
“We believe everyone, whether our customer or not, should have access to their own identity data,” said Paul Querna, CTO, ConductorOne. “We decided to open source what we’ve built to support that belief. Identity data is the foundation for access control, and access control is the method for establishing zero trust. We hope that Baton helps any security team get one step closer to zero trust.”
The connectors provide an automated way to extract data such as user accounts, permissions, roles, groups, and other access details from applications into a single, standardized output file that can be used in any identity security or governance project. For example, run user access reviews on every repository in GitHub without manually going through each one, compare production role changes in AWS over a set period of time, identify all of the resources and user permissions in your MySQL or Postgres database, or alert any time a contractor gets added to an Okta LDAP group.
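The three workflows above (reviewing access per repository, diffing grants between two points in time, and alerting when a contractor lands in a watched group) all operate on the same kind of normalized record: principal, resource, entitlement. The following Go program is an added illustration, not code from the Baton project, and the Grant struct, the "employee"/"contractor" attribute, and both snapshots are constructed assumptions about what such a normalized export might carry; Baton's actual schema is not shown on this page.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is a hypothetical normalized record: "principal holds entitlement on resource".
// Field names are an assumption for this example, not Baton's real output schema.
type Grant struct {
	Principal     string // user login, e.g. "alice"
	PrincipalKind string // "employee" or "contractor" (constructed attribute)
	ResourceType  string // e.g. "github-repo", "aws-role", "okta-group"
	Resource      string // resource name within that type
	Entitlement   string // e.g. "admin", "write", "member", "assume"
}

// Key gives each grant a stable identity so snapshots can be compared as sets.
func (g Grant) Key() string {
	return g.ResourceType + "|" + g.Resource + "|" + g.Entitlement + "|" + g.Principal
}

// SampleBefore and SampleAfter are constructed snapshots of the same environment
// taken at two points in time (e.g. start and end of a review period).
var SampleBefore = []Grant{
	{"alice", "employee", "github-repo", "payments", "admin"},
	{"bob", "employee", "github-repo", "payments", "write"},
	{"carol", "contractor", "github-repo", "docs", "write"},
	{"alice", "employee", "aws-role", "prod-admin", "assume"},
	{"dave", "employee", "okta-group", "ldap-prod-admins", "member"},
}

var SampleAfter = []Grant{
	{"alice", "employee", "github-repo", "payments", "admin"},
	{"bob", "employee", "github-repo", "payments", "admin"}, // escalated from write
	{"carol", "contractor", "github-repo", "docs", "write"},
	{"carol", "contractor", "okta-group", "ldap-prod-admins", "member"}, // contractor joined
	{"dave", "employee", "okta-group", "ldap-prod-admins", "member"},
	// alice's prod-admin assume grant is gone: a removal the diff should surface
}

// DiffGrants returns grants present only in after (added) and only in before (removed),
// each sorted by Key so the output is deterministic.
func DiffGrants(before, after []Grant) (added, removed []Grant) {
	inBefore := make(map[string]Grant, len(before))
	for _, g := range before {
		inBefore[g.Key()] = g
	}
	inAfter := make(map[string]Grant, len(after))
	for _, g := range after {
		inAfter[g.Key()] = g
	}
	for k, g := range inAfter {
		if _, ok := inBefore[k]; !ok {
			added = append(added, g)
		}
	}
	for k, g := range inBefore {
		if _, ok := inAfter[k]; !ok {
			removed = append(removed, g)
		}
	}
	sort.Slice(added, func(i, j int) bool { return added[i].Key() < added[j].Key() })
	sort.Slice(removed, func(i, j int) bool { return removed[i].Key() < removed[j].Key() })
	return added, removed
}

// ContractorGroupAlerts flags newly added grants where a contractor became a member
// of a group the security team has chosen to watch.
func ContractorGroupAlerts(added []Grant, watchedGroups map[string]bool) []string {
	var alerts []string
	for _, g := range added {
		if g.PrincipalKind == "contractor" && g.ResourceType == "okta-group" && watchedGroups[g.Resource] {
			alerts = append(alerts, fmt.Sprintf("contractor %s added to %s", g.Principal, g.Resource))
		}
	}
	return alerts
}

// GroupByResource builds the per-resource view a reviewer works through, e.g. every
// GitHub repository with the principals and entitlements currently granted on it.
func GroupByResource(grants []Grant, resourceType string) map[string][]string {
	out := map[string][]string{}
	for _, g := range grants {
		if g.ResourceType != resourceType {
			continue
		}
		out[g.Resource] = append(out[g.Resource], g.Principal+":"+g.Entitlement)
	}
	for k := range out {
		sort.Strings(out[k])
	}
	return out
}

func main() {
	added, removed := DiffGrants(SampleBefore, SampleAfter)
	fmt.Println("added:", added)
	fmt.Println("removed:", removed)
	fmt.Println("alerts:", ContractorGroupAlerts(added, map[string]bool{"ldap-prod-admins": true}))
	fmt.Println("github review:", GroupByResource(SampleAfter, "github-repo"))
}
```

On the constructed snapshots the diff reports two additions (bob's escalation to admin on payments, carol's membership in ldap-prod-admins) and two removals (bob's old write grant and alice's prod-admin assume grant); the alert function fires once for carol. Treating each snapshot as a set keyed on the full grant tuple is what makes an escalation show up as a removal plus an addition rather than silently disappearing, which is the property a reviewer wants when comparing role changes over a period.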
Anyone can start using Baton today. Baton provides an SDK for any application, from SaaS, IaaS, on-prem and homegrown systems to back-office software, plus ready-made connectors for Okta, AWS, GitHub, MySQL, and Postgres, with many more to come.
Get started with a specific application by deploying its connector as a Docker image, hosted on-prem or in the cloud, and adding the application's credentials. Each connector ships with its source code, so its behavior and data access can be audited for security purposes, and it can be forked to add custom sync, discovery, or provisioning logic. To build a new connector, use the SDK, which is available in Go, or work from any language that supports protocol buffers.