Soaring data breaches in the cloud demand a different approach to protecting cloud environments. As the number of users and access paths proliferates, securing privileged access in the cloud with a PAM tool has become the need of the hour.
Adding a PAM solution to the cloud discussion introduces two aspects: “PAM in the cloud” and “PAM for the cloud”.
PAM in the cloud means running a PAM solution as Software-as-a-Service (SaaS). Instead of hosting your PAM solution on-premise and managing the installation, maintenance and updates yourself, the PAM vendor does everything for you. The vendor operates a cloud environment in which your PAM software resides, ensuring it is available and up to date.
On the other hand, PAM for the cloud refers to PAM software used to manage and secure access to services and systems that reside in the cloud. These services may include the cloud portal, databases, servers, storage, applications, networking infrastructure, and other network architecture.
When it comes to cloud and PAM, however, one little word makes a big difference, and in this article, we will be focusing on the latter – securing privileged access with a PAM for the cloud.
Now, let’s look at certain aspects one should keep in mind to facilitate the efficient functioning of a PAM solution for the cloud.
The Just-in-Time Approach to Securing Privileged Access
Per Gartner’s 2018 Magic Quadrant for PAM report, more than 50% of organizations with PAM implementations will opt for just-in-time privileged access over long-term privileged access by 2022, which is significantly higher than today (under 25%).
Persistent accounts have been the norm for granting privileged access to users, services, and applications in the IT landscape. However, persistent accounts bring the overhead of constant maintenance and management, along with high risk exposure.
Because cloud resources are ephemeral, this exposure multiplies.
Minimizing these accounts decreases the attack surface and reduces audit concerns. Facilitating Just-in-time access is a vital component of an effective strategy for securing privileged access across cloud systems.
Assigning Granular and Temporal Access Through In-Session Access Elevation Using Roles or IDs
Traditional mechanisms use separate IDs/accounts for regular versus privileged access. On cloud platforms, especially SaaS applications, this increases user license costs and adds the overhead of lifecycle management for the additional accounts.
In-session access elevation works seamlessly in the cloud and can be achieved by assigning temporal access or using role/access elevation to privileged accounts.
Privileged Access Governance Should be the Core Component of a PAM Strategy
Uninterrupted visibility of privileged access to cloud assets is imperative. The inherent challenge in securing privileged access on cloud assets/platforms lies in the large number of permission, policy, and role objects. Continuous sifting, crunching, and processing of these objects is essential to know who has access to what.
Continuous privileged access governance provides detailed insights into risky access combinations and violations. It serves as an intelligent hub for PAM workflows, keeping them informed of access risks and, in turn, providing the triggers for additional checks where needed.
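As an added illustration of the two ideas above (time-boxed just-in-time elevation in place of persistent privileged accounts, and a continuous governance pass over the resulting grants), the following Python model is example code written for this article, not part of any PAM product; the role names, principals and timestamps are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
PRIVILEGED_ROLES = {"cloud-admin", "db-admin"}  # constructed sample role names
@dataclass
class Grant:
    principal: str
    role: str
    granted_at: datetime
    expires_at: "datetime | None"  # None marks a standing (persistent) assignment
@dataclass
class JitBroker:  # issues time-boxed elevations instead of persistent privileged accounts
    max_ttl: timedelta = timedelta(hours=1)
    grants: list = field(default_factory=list)
    def elevate(self, principal: str, role: str, ttl: timedelta, now: datetime) -> Grant:
        if ttl > self.max_ttl:  # policy cap; beyond it the requester keeps only a regular ID
            raise ValueError(f"requested TTL {ttl} exceeds policy maximum {self.max_ttl}")
        self.grants.append(grant := Grant(principal, role, now, now + ttl))
        return grant

    def effective_roles(self, principal: str, now: datetime) -> set:
        # Expired grants drop out on their own; no manual revocation step is needed.
        return {g.role for g in self.grants
                if g.principal == principal and (g.expires_at is None or g.expires_at > now)}

def governance_findings(grants: list, now: datetime, max_ttl=timedelta(hours=1)) -> list:
    # Continuous governance pass: privileged grants that violate the JIT policy.
    findings = []
    for g in grants:
        if g.role not in PRIVILEGED_ROLES:
            continue
        if g.expires_at is None:
            findings.append((g.principal, g.role, "standing privileged assignment"))
        elif g.expires_at > now and g.expires_at - g.granted_at > max_ttl:
            findings.append((g.principal, g.role, "active grant exceeds JIT window"))
    return findings

def demo() -> dict:
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker()
    broker.elevate("alice", "db-admin", timedelta(minutes=30), now)
    # A legacy persistent admin identity imported from an inventory (constructed).
    broker.grants.append(Grant("svc-deploy", "cloud-admin", now - timedelta(days=90), None))
    try:
        broker.elevate("bob", "cloud-admin", timedelta(hours=4), now)
        refused = False
    except ValueError:
        refused = True
    return {"alice_now": broker.effective_roles("alice", now),
            "alice_later": broker.effective_roles("alice", now + timedelta(hours=1)),
            "findings": governance_findings(broker.grants, now), "over_ttl_refused": refused}
```

Running `demo()` shows alice's `db-admin` role present at 09:00 and gone an hour later, the over-long request refused, and the standing `svc-deploy` admin assignment surfaced as the one governance finding.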
Identify the Interfaces/Conduits Through which Privileged Access can be Gained
Securing privileged access to the cloud requires understanding multiple channels or conduits that could provide privileged access and the challenges in securing those conduits.
These include workloads, management portals, short/long-term access keys, service accounts, and instance metadata. Each of these interfaces interacts with the underlying cloud services in a different way.
Therefore, the key is to identify all possible interfaces in an organization’s cloud environment in order to determine access scope, out-of-band access, access proliferation, and rogue access and avoid any access leaks.
Include DevOps & CI/CD Tools in the PAM Scope
A PAM strategy for the cloud is incomplete if it doesn’t cover DevOps & CI/CD processes. Managing privileged access should not be limited to native cloud entities – each DevOps & CI/CD process or tool interacting with, or consuming cloud services must be included in the scope of the PAM.
Understanding Organizations’ Responsibilities Per the Shared Responsibility Model
Many organizations still struggle to grasp the shared responsibility model. When it comes to PAM, this becomes all the more critical.
IT teams must be aware of and accept their responsibilities for refreshing/rotating passwords, temporal assignment of credentials to privileged accounts, resetting access keys, and similar tasks.
A responsibility matrix of compliance objectives/requirements pertaining to PAM for the cloud should be mapped between cloud service providers and organizations. This would help show a clear delineation of duties, setting the right expectations for the organization teams’ roles and responsibilities.
Cloud Architected
Securing privileged access to the cloud requires the PAM solution to be resilient and capable of handling the scale and volume demands of the cloud.
The model should allow faster upgrades and rapid deployments, constantly adding business value and delivering significant savings in infrastructure and operational costs.
Sectona Security Platform
Sectona Security Platform seamlessly integrates the elements for securing privileged access on growing attack surfaces for organizations. Explore a light, integrated approach towards privileged access management in modern Enterprise IT powered by the cloud.