Data breaches in the cloud are on the rise, demanding a different strategy for securing privileged access to cloud resources.
Adding PAM to the cloud discussion introduces two aspects, referred to as “PAM in the cloud” and “PAM for the cloud”. When it comes to cloud and PAM, one little word makes a big difference, and in this article we will be focusing on the latter – securing privileged access for the cloud.
But first, let’s get our definitions straight. PAM in the cloud means running PAM software in the cloud as Software-as-a-Service (SaaS). Instead of hosting your PAM solution on-premises and handling the installation, maintenance and update work yourself, the PAM vendor manages all of that for you.
They manage a cloud environment in which your PAM software resides, ensuring it is available and up to date.
On the other hand, PAM for the cloud refers to PAM software used to manage and secure access to services and systems that reside in the cloud. These services may include the cloud portal itself, databases, servers, storage, applications, networking infrastructure, what have you.
With that in mind, let’s look at certain aspects one should keep in mind to facilitate the efficient functioning of a PAM solution for the cloud.
Just-in-time approach in securing privileged access
Per Gartner’s 2018 Magic Quadrant for PAM report, more than 50% of organizations with PAM implementations will opt for just-in-time privileged access over long-term privileged access by 2022, which is significantly higher than today (under 25%).
In terms of granting privileged access to users, services, and applications in the IT landscape, persistent accounts have been the norm. However, persistent accounts bring an overhead of constant maintenance and management, as well as high-risk exposure: a standing privileged account can be abused at any time, not only while it is needed.
Due to the cloud’s ephemeral nature, this exposure is multiplied.
Minimizing these accounts not only decreases the attack surface but also reduces audit concerns. Facilitating just-in-time access is a key component of an effective strategy for securing privileged access across cloud systems.
Assigning granular and temporal access with in-session access elevation using roles or IDs
Traditional mechanisms have separate IDs/accounts for regular vs. privileged access. When it comes to cloud platforms, especially SaaS applications, this increases user license costs, adding an overhead to the lifecycle management of extra accounts.
In-session access elevation works seamlessly in the cloud and can be achieved by either assigning temporal access or using role/access elevation to privileged accounts.
Privileged Access Governance should be the core component of a PAM strategy.
Uninterrupted visibility of privileged access to cloud assets is imperative. The inherent challenge in securing privileged access on cloud assets and platforms lies in the large number of permission, policy, and role objects involved. Continuously sifting through and processing these objects is necessary to know who has access to what.
Continuous privileged access governance provides detailed insights into risky access combinations and violations. It serves as an intelligent hub for PAM workflows, making them aware of access risks. This, in turn, provides the necessary triggers for additional checks where deemed necessary.
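The two ideas above (time-boxed just-in-time elevation of an existing identity, and a continuous governance pass that flags standing privileged access and risky role combinations) can be modelled in a few lines. This is an added, vendor-neutral illustration, not Sectona code and not any cloud provider's API; the role names, the 240-minute ceiling and the "toxic pair" definition are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role catalogue and one example risky combination (assumptions for this example).
PRIVILEGED_ROLES = {"cloud-admin", "db-admin", "key-manager"}
RISKY_COMBINATIONS = [
    ({"key-manager", "cloud-admin"}, "can mint long-lived keys and use them with admin rights"),
]


@dataclass
class Grant:
    principal: str
    role: str
    expires_at: Optional[datetime]  # None means standing (persistent) access


def request_elevation(principal: str, role: str, ttl_minutes: int, now: datetime) -> Grant:
    """Just-in-time grant: elevate an existing identity for a bounded window, never a new account."""
    if role not in PRIVILEGED_ROLES:
        raise ValueError(f"unknown privileged role: {role}")
    if not 0 < ttl_minutes <= 240:
        raise ValueError("JIT windows must be between 1 and 240 minutes")
    return Grant(principal, role, now + timedelta(minutes=ttl_minutes))


def effective_roles(grants, now: datetime):
    """Roles each principal holds right now; expired JIT grants simply drop out."""
    roles = {}
    for g in grants:
        if g.expires_at is None or g.expires_at > now:
            roles.setdefault(g.principal, set()).add(g.role)
    return roles


def governance_findings(grants, now: datetime):
    """Continuous review: flag standing privileged access and risky role combinations."""
    findings = []
    for g in grants:
        if g.expires_at is None and g.role in PRIVILEGED_ROLES:
            findings.append((g.principal, f"standing access to {g.role}"))
    for principal, roles in effective_roles(grants, now).items():
        for combo, why in RISKY_COMBINATIONS:
            if combo <= roles:
                findings.append((principal, f"risky combination {sorted(combo)}: {why}"))
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    inventory = [request_elevation("alice", "db-admin", 60, now),
                 Grant("svc-deploy", "cloud-admin", None), Grant("svc-deploy", "key-manager", None)]
    for principal, finding in governance_findings(inventory, now):
        print(f"{principal}: {finding}")
```

The `effective_roles` function is the point at which a governance pass should run: it is the only view that reflects both JIT expiry and standing grants.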
Identify the interfaces/conduits through which privileged access can be gained
Securing privileged access for the cloud requires understanding multiple channels or conduits that could provide privileged access, as well as the challenges in securing those conduits.
These include workloads, management portals, short- and long-term access keys, service accounts, and instance metadata, among others. Each of these interfaces interacts with the underlying cloud services in a different way, and each can expose privileged access outside the PAM-managed path.
Therefore, the key is to identify all possible interfaces in an organization’s cloud environment in order to determine access scope, out-of-band access, access proliferation, and rogue access, and to avoid any access leaks.
Include DevOps & CI/CD tools in the PAM scope
A PAM strategy for the cloud is incomplete if it doesn’t cover DevOps & CI/CD processes. Managing privileged access should not be limited to native cloud entities – each DevOps & CI/CD process or tool interacting with or consuming cloud services must be included in the scope of the PAM.
Understanding organizations’ responsibilities per the shared responsibility model
Organizations often struggle to grasp the shared responsibility model. When it comes to PAM, this becomes all the more important.
They must be aware of and accept their responsibilities for refreshing and rotating passwords, temporarily assigning credentials to privileged accounts, resetting access keys, and so on; the cloud provider does not do this on the customer’s behalf.
A responsibility matrix of compliance objectives/requirements pertaining to PAM for the cloud should be mapped between cloud service providers and organizations. This would help show a clear delineation of duties, setting the right expectations for the organization teams’ roles and responsibilities.
Cloud-architected
Securing privileged access for the cloud requires the PAM solution itself to be resilient and capable of handling the scale and volume demands of the cloud.
The model should allow faster upgrades and rapid deployments, constantly adding business value and delivering significant savings in infrastructure and operational costs.
Sectona Security Platform
Sectona Security Platform seamlessly integrates the elements for securing privileged access on growing attack surfaces for organizations. Explore a light, integrated approach towards privileged access management in modern Enterprise IT powered by the cloud.