Hello everybody and here we are with a brand-new episode of your favorite Cognixia Podcast. We have been doing this for quite many weeks now and we are super grateful for all the love and support we have been receiving from all of you, it means a lot to us. So, thank you for listening to us every week, we really appreciate it!
Back to today’s episode. This week, we discuss something we have heard a lot of people talking about over the past 2-3 weeks: Granular Access Tokens. In this episode, we will talk about what granular access tokens are, what they do, and why they are important.
Before we tell you what these Granular Personal Access Tokens are, let us tell you why everybody is talking about them. Microsoft is introducing granular personal access tokens for its Azure DevOps REST APIs to limit the risks and damages when access credentials are leaked or stolen. Now, some weeks back, the renowned cybersecurity firm Praetorian came out with details on how its researchers accessed the internal corporate networks of companies that use GitHub, an entity owned by Microsoft, for their CI/CD tooling. The researchers were able to compromise access to GitHub using an accidentally leaked PAT. Now, this was done by Praetorian’s researchers, but had it been done by unscrupulous cybercriminals instead, it could have been a major problem for the companies whose networks got compromised. According to Praetorian’s report, there are multiple ways in which developers could compromise a personal access token: they could fall victim to a phishing scam, their devices could get compromised, or they might mistakenly include the PAT in command-line logs!
Microsoft’s fine-grained personal access tokens are, some say, a response to exactly this kind of risk. So, what are these personal access tokens?
Personal Access Tokens or PATs are alternatives to passwords and are used for authenticating the identity of someone accessing a system or website. They are also used to authenticate the identities of the developers using the various APIs and scripts on a platform. In this particular case, the personal access tokens are used to authenticate users and developers into Azure DevOps. A personal access token has a lot of information embedded in it.
In the case of Azure DevOps, the personal access tokens contain information about an individual’s security credentials, which helps the system identify the individual and also provides other information such as the organizations they have access to and the scope of each access. But as systems and safeguards evolve, cybercriminals switch tactics too, focusing increasingly on stealing access credentials to corporate networks instead of just compromising systems. This makes safeguarding the tokens an important task as well. This is where granular personal access tokens become important. The Azure DevOps team has created a granular PAT scope for all its Azure DevOps REST APIs. Coupled with OAuth2, this enables organizations to limit the access granted to each personal access token.
We need to mention one thing here: personal access tokens have been around for quite a while now; what is new is that the scope has been refined. Earlier, some of the Azure DevOps REST APIs were not associated with a PAT scope, which forced users to deploy full-scoped personal access tokens to use those APIs. This was high risk: if a full-scoped PAT fell into the hands of a malicious entity, it would pose a significant security risk to the enterprise, exposing its source code, production infrastructure, and many other valuable assets of the organization to attack.
Microsoft has urged its users to migrate away from full-scoped personal access tokens to the granular ones as soon as possible to limit unnecessary access. It has also suggested that organizations adopt a control plane policy that places appropriate restrictions on the creation of full-scoped personal access tokens in the enterprise.
Not just Azure DevOps: a similar move was made by GitHub back in October, with the introduction of a public beta of fine-grained PATs. In GitHub’s case, fine-grained personal access tokens let users enable or disable permissions from a set of more than 50 granular permissions that control access to GitHub’s organization, user, and repository APIs. Every permission can be granted on a ‘no access’, ‘read’, or ‘read and write’ basis. Additionally, fine-grained personal access tokens expire. They also do not automatically have access to all the repositories a user can access.
With time, personal access tokens have evolved too. Earlier, PATs were relatively coarse-grained, giving access to all repositories and organizations accessible to the token’s user, without any associated control over, or visibility into, what was happening in the user’s organizations. Over time, the need to change this became clear, and personal access tokens have now become significantly finer-grained. These finer-grained personal access tokens give developers more granular control, especially over permissions and repository access. They also put the organization’s administrators in control of what’s happening, which is essential. With fine-grained personal access tokens, administrators can put appropriate approval policies in place while getting full visibility of the access tokens that are using their organization’s resources.
To sum up, fine-grained personal access tokens offer enhanced security to developers and organization owners, reducing the risk that compromised tokens pose to your data. While the push is to embrace the new fine-grained personal access tokens, the existing coarse-grained personal access tokens are still fully supported and are now referred to as personal access tokens (classic). A fine-grained personal access token only has access to the repositories and organizations to which it has been explicitly granted access. In fact, if the administrator so desires, a particular fine-grained PAT can be targeted at a single repository in the organization.
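To make the difference concrete, here is a small model of the two token styles the episode contrasts: a classic token that reaches every repository its user can reach and never expires, versus a fine-grained token with a per-permission level (‘no access’, ‘read’, ‘read and write’), an explicit repository allow-list and an expiry date. It also models the control plane policy mentioned above, which refuses to mint full-scoped tokens. This is an added example written for this page; it is not code from the podcast, from Microsoft or from GitHub, and the Token structure, the permission names ("contents", "issues"), the repository names and the dates are all constructed for illustration.

```python
"""Blast radius of a leaked classic PAT versus a fine-grained one (added example).

Token fields, permission names, repository names and dates are constructed;
none of this is GitHub's or Azure DevOps' real data model.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional, Tuple

# Ordered permission levels, as the episode describes them for fine-grained PATs.
LEVEL_RANK = {"no access": 0, "read": 1, "read and write": 2}


@dataclass(frozen=True)
class Token:
    name: str
    # permission name -> level; anything not listed is "no access".
    # A classic token is modelled as {"*": "read and write"}.
    permissions: Dict[str, str]
    # Explicit repository allow-list; None models a classic token that reaches
    # every repository its user can reach.
    repositories: Optional[FrozenSet[str]]
    # None models a classic token that never expires.
    expires: Optional[date]

    @property
    def full_scoped(self) -> bool:
        return self.repositories is None and self.permissions.get("*") == "read and write"


def granted_level(token: Token, permission: str) -> str:
    """Level the token holds for one permission (the wildcard wins if present)."""
    return token.permissions.get("*", token.permissions.get(permission, "no access"))


def authorize(token: Token, repo: str, permission: str, needed: str,
              today: date) -> Tuple[bool, str]:
    """Least-privilege check: expiry first, then repository allow-list, then level."""
    if token.expires is not None and today > token.expires:
        return False, "token expired"
    if token.repositories is not None and repo not in token.repositories:
        return False, f"{repo} not granted to token"
    held = granted_level(token, permission)
    if LEVEL_RANK[held] < LEVEL_RANK[needed]:
        return False, f"{permission}: token holds '{held}', request needs '{needed}'"
    return True, "ok"


def reachable_repos(token: Token, org_repos: FrozenSet[str], today: date) -> FrozenSet[str]:
    """Repositories a leaked token could still touch today: its blast radius."""
    if token.expires is not None and today > token.expires:
        return frozenset()
    if token.repositories is None:
        return org_repos
    return token.repositories & org_repos


def creation_allowed(token: Token) -> Tuple[bool, str]:
    """Control-plane policy in the spirit of the advice above: no full-scoped
    tokens, and every token must carry an expiry date."""
    if token.full_scoped:
        return False, "full-scoped tokens are blocked by policy"
    if token.expires is None:
        return False, "token must have an expiry date"
    return True, "ok"


# Constructed sample data.
TODAY = date(2023, 1, 15)
ORG_REPOS = frozenset({"acme/web", "acme/billing", "acme/infra"})
CLASSIC = Token("ci-classic", {"*": "read and write"}, None, None)
FINE = Token("deploy-web", {"contents": "read", "issues": "read and write"},
             frozenset({"acme/web"}), date(2023, 3, 31))
EXPIRED = Token("old-deploy", {"contents": "read"},
                frozenset({"acme/web"}), date(2022, 12, 31))


if __name__ == "__main__":
    for tok in (CLASSIC, FINE, EXPIRED):
        print(tok.name, "reaches", sorted(reachable_repos(tok, ORG_REPOS, TODAY)),
              "| creation:", creation_allowed(tok))
    print(authorize(FINE, "acme/web", "contents", "read", TODAY))
    print(authorize(FINE, "acme/web", "contents", "read and write", TODAY))
    print(authorize(FINE, "acme/billing", "issues", "read", TODAY))
```

Run it and compare the three tokens: the leaked classic token reaches every repository in the organization with read and write, the fine-grained token reaches only acme/web and only at the level granted per permission, and the expired token reaches nothing at all. The same policy function that blocks the classic token at creation time is what the episode means by a control plane policy on full-scoped tokens.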
Now that’s interesting, isn’t it? That’s the world of information security: such interesting developments keep happening. Embracing these fine-grained personal access tokens and helping developers understand security best practices would definitely go a long way in making systems more secure, we are sure.
With that, we come to the end of this week’s podcast! We hope we gave you something to think about, something new you would like to learn about and explore. And if you would like to learn more about Azure DevOps, might we recommend pursuing the official Microsoft Certified: DevOps Engineer Expert credential? To earn this Microsoft certification, you need to clear the official Microsoft certification exam, AZ-400: Designing and Implementing Microsoft DevOps Solutions. This Microsoft certification is ideal for developers and infrastructure administrators who also have subject matter expertise in working with people, processes, and products to enable the continuous delivery of value in their organizations. If this is a path you would like to embark on, or you would like to know more about this or any of our other live online instructor-led training and certification courses, talk to us today!
Until next week then, happy learning!