Cloud data breaches are on the rise, demonstrating time and again the need for a different approach and strategy when it comes to managing and monitoring privileged access to cloud ecosystems.
Privilege access management (PAM) should:
- Be risk-aware and intelligent
- Reduce sprawl of infrastructure, accounts, access and credentials
- Use continuous identity analytics.
Just-in-time management of privileged accounts
According to Gartner’s 2018 Magic Quadrant for PAM report, by 2022 more than 50% of organizations with PAM implementations will choose just-in-time privileged access over long-term privileged access, which is a significantly higher percentage than today’s (under 25%).
Persistent accounts have been the norm when it comes to providing privileged access to users, applications and services in the IT landscape. But persistent accounts come with an overhead of constant management and maintenance, as well as high risk exposure. In the cloud, this exposure becomes multi-fold due to its elasticity and ephemeral nature.
Minimizing persistent accounts not only reduces the attack surface, but also alleviates audit concerns. Just-in-time account provisioning for privileged access is key to an effective and secure strategy for reducing the sprawl of privileged accounts across cloud systems.
Temporal and granular access assignment with in-session access elevation using roles or IDs
Traditional mechanisms employ separate accounts/IDs for regular vs privileged access. On cloud platforms, especially SaaS (software as a service) applications, this increases user license costs and also adds an overhead to the lifecycle management of additional accounts.
In-session elevation of access works seamlessly in cloud and can be achieved either using role/access elevation or assigning temporal access to privileged accounts.
Identity analytics must be the central theme of a PAM strategy
Achieving continuous visibility of privileged access on cloud assets is imperative. The inherent challenge with determining the user’s access on cloud assets/platforms lies within thousands of native JSON based policies, permissions and roles objects. Knowing who has access to what requires continuous crunching, sifting and calculating of the native cloud IAM objects.
Continuous identity analytics provides the right and detailed insights on risky access violations and toxic access combinations. It also serves as an intelligent hub to PAM workflows, in turn making the PAM workflows well versed with access risks and providing the necessary triggers for additional checks (if deemed necessary).
Risk and governance need to be a part of PAM processes from the start
When implementing PAM solutions, organizations often implement the bare minimum. Rapid time to market and adding continuous business value are the key business objectives of PAM implementations. However, integration dependencies on identity governance and administration (IGA) platforms often become the long pole in these implementations.
Converging IGA and PAM technologies in a single platform solves these issues in multiple dimensions. The element of risk is core to an intelligent IGA platform and converging the same with PAM platform allows PAM processes to be “risk-aware” and “intelligent”. The risk score can be a multi-dimensional attribute comprised of user’s risk, endpoint risk, infrastructure misconfigurations, access-plane and control-plane risks. Converging these parameters/risk models and bringing the same in one platform allows PAM processes and PAM actors to make more informed, better decisions.
With the convergence, privileged identity governance becomes implicit to the PAM workflows and processes. Getting visibility on toxic access combinations, performing detective and preventive separation of duties, intelligent and risk based access reviews, privileged account ownership and management and succession management of privileged IDs become available seamlessly in the converged IGA and PAM platform and organizations do not have to invest time and effort in integrating or solving these.
Identify the conduits/interfaces that could provide privileged access to underlying platforms
Securing privileged access to the cloud requires a different approach than securing a traditional on-premises environment. It requires an understanding of the various conduits or channels through which privileged access can be gained, as well as the challenges in securing each of those conduits.
These range from management portals, workloads, CLIs and APIs to serverless functions, short/long term access keys, instance profiles, service accounts, instance metadata, DevOps tools and continuous integration/continuous deployment (CI/CD) processes. Each of these interfaces consumes/interacts with the underlying cloud services in a different way and therefore requires a distinct and focused strategy for managing and monitoring privileged access.
The key aspect is to identify all possible conduits/channels in an organization’s cloud ecosystem to avoid access leaks.
Implementing identity analytics serves as an extremely effective way to determine the various privileged access contexts and becomes a great starting point to understand the access exposure in the ecosystem. Integration with the cloud platform’s native security or IAM framework is a must-have to determine access scope, access proliferation, out of band access, rogue access and explicit access (broken access inheritance).
Bring DevOps and CI/CD tools under PAM purview
Jenkins, Chef, Puppet, Ansible, etc. are some of the most widely adopted DevOps tools by organizations moving their workloads to cloud. While some help in managing drift, others help in workload orchestration. Most of these tools consume native cloud services under the context of a privileged service account. A PAM strategy for the cloud is incomplete unless it also covers DevOps and CI/CD processes.
Managing privileged access should not be confined to native cloud entities – every DevOps and CI/CD tool or process interacting with or consuming cloud services should fall under the purview of privileged access management.
Understanding organizations responsibilities according to the shared responsibility model
Despite significant efforts by public cloud providers such as Amazon, Microsoft and Google to raise awareness of the shared responsibility model, organizations are unable to grasp the concept and have made mistakes in understanding the responsibilities. In the context of PAM, this becomes even more important: organizations must be aware of and accept their responsibility for rotating/refreshing credentials, resetting access keys, temporal assignment of credentials to privileged accounts, etc.
To begin with, a responsibility matrix of compliance requirements/objectives for PAM across all cloud computing layers should be mapped between cloud service providers and organizations. The mapping matrix not only helps show a clear delineation of responsibilities, but also sets the right expectations for the organization teams’ roles and responsibilities.
Cloud-architected and available as a service
Managing privileged access on cloud requires the PAM solution to be resilient and scalable, capable of handling the scale, volume and velocity demands of the cloud. Lifting and shifting a traditional PAM solution to the cloud is not the right approach, because it is hosted in the cloud by not architected for it.
PAM for cloud must be built using native cloud technologies and must be made available as a service – this is key to reducing the infrastructure sprawl and waste of compute resources.
The model also allows rapid deployments, faster upgrades resulting in constant addition to business value, and significant cost savings (infrastructure, operational costs).