Privileged access management (PAM) has long been central to a good enterprise cybersecurity strategy. However, its nature is changing. The pace of digital change is speeding up and reliance on the cloud increasing. So, businesses and agencies must develop new PAM strategies to keep up. Processes and tools that could support yesterday’s on-premises IT rarely meet the needs of today.

The events of 2020 sped up the pace of digital adoption across workplaces. But even before that, IT and cybersecurity experts lacked confidence about whether their PAM tactics were working. Nearly 40% of the respondents to a mid-2019 survey from Remediant said they weren’t sure their current PAM solution would be able to prevent all misuse of privileged accounts, and 8% weren’t certain that it could prevent any.

The current business climate only amplifies these challenges. To meet the needs of today’s consumers — as well as their employees — enterprises are rushing to change. But not all are building security into the new cloud services they depend upon. Having the right PAM strategy will be key for cyber resilience in the months and years to come.

Privileged Access Management Is Different in the Cloud

In the past, a PAM strategy involved the people, processes and technologies used to maintain visibility into and control over the accounts, identities and services that have elevated privileges (that means greater access to resources than standard user accounts do). These might include system admin accounts as well as user accounts that can manage local devices. Machine IDs such as service accounts, secure shell and application programming interface keys also fall under this category. So do other IDs used by automated processes to interact with operating systems or configurations.

Legacy privileged access management solutions gathered all the credentials connected with these privileged accounts into a centralized password vault. Some solutions created the passwords for privileged accounts, too. Many offered audit logging or session tracking to help meet compliance needs. Most password vaults worked best when supporting on-premises deployments, however. This means that they can fall short in several critical ways when applied to the cloud.

Learn more on PAM

Why Is This Important Now?

To maintain insight into corporate IT networks, older privileged access management solutions conduct scans at regular intervals. Those intervals didn’t work well when paired with the cloud. Now, IT workers can spin up or scale down new services and workloads in minutes.

Password vault solutions often grant specific accounts rights to access resources in an absolute manner. These solutions don’t limit rights by time or by task. Instead, they apply ‘standing privilege’. Anyone with standing privileges maintains that access for an unlimited amount of time.

In legacy systems, this model was adequate. Admins needed to limit standing permissions to what users needed to get their jobs done, but that was doable. After all, development and operations functions were separate and infrastructure was confined to the office and the data center.

However, it’s not enough for modern multi-cloud, hybrid and DevOps systems. These are much more complex, involving shifting permission sets and usage models and services that change over time.

The Core of a Robust Cloud PAM Strategy: Zero Standing Privilege

 

Cloud computing requires a paradigm shift. IT leaders have changed their thinking about infrastructure, operations and cost management. A similar change needs to take place when it comes to protecting data in the cloud.

As network edges dissolve into extended enterprise computing ecosystems, more groups are adopting zero trust-based frameworks. The zero trust paradigm is summarized in the slogan ‘never trust, always verify’. In essence, it states that every user, device, or application must prove that they are who they say they are and demonstrate that they really need access to a particular resource.

Zero standing privilege (ZSP) is a means of applying zero trust principles to problems in privileged access management. With ZSP, the system grants access to privileged resources only for a limited time. It does so on an as-needed basis, checking each access request one by one and deciding on them according to preset policies or risk-based rankings. Furthermore, ZSP enables just-in-time access. That makes it possible for developers to build with freedom but greatly reduces the chance of privileged credential abuse.

Enforcing ZSP across fast-changing systems is challenging. Ask yourself whether your team has the means to track and manage the IDs that will require privileged access. You should have a means of preventing unwanted access from occurring, as well as ensuring that you can apply governance.

Privileged Access Management for Modern Cloud and Hybrid Work Places

To ensure you don’t neglect cloud resources in your PAM strategy, it’s essential to include cloud-focused solutions within your identity and access management (IAM) solution setup.

“The modern enterprise has two options,” explains Vibhuti Sinha, chief product officer at Saviynt and member of the Forbes Technology Council. “Combine solutions to mitigate gaps or utilize a converged alternative.”

Adopting the combined-solution approach involves maintaining three distinct solutions, some of which overlap:

1.) A legacy PAM solution, which will handle privilege management for on-premises applications and infrastructure

2.) An Identity Governance Administration (IGA) solution, which will manage account provisioning and identity lifecycles

3.) A Cloud Infrastructure Entitlement Management solution, which will enforce time-limited access controls across your cloud resources.

This can be a highly effective approach if you already have existing IGA or PAM solutions in place but want to mitigate cloud risks. In this case, it’s important to ensure that you’ve placed these solutions well so that there are no coverage gaps.

The converged-solution approach means adopting a privileged access management platform that was designed for the cloud — one that can grant permissions on a dynamic, as-needed basis across complex hybrid and multi-cloud environments, as well as for software-as-a-service (SaaS) apps.

Choosing a Privileged Access Management Solution

Which approach is right for your needs will depend on your internal expertise and administrative resources, and what you need the solution to do. It’s important that a cloud solution be able to manage fully remote employees as well as third-party vendors or contractors who may need to access resources for limited times.

“With cloud technology and SaaS applications dominating most organizations’ digital transformation strategies, dynamic visibility into who is trying to access what is paramount,” says Sinha. “So is limiting the scope and duration of each user’s access on an as-needed basis.”

These key capabilities will enable the modern enterprise to navigate digital transformation without increasing cyber risk.

More from Cloud Security

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a nice feature because it allows developers and administrators to manage GCP resources without having to install or keep any software locally on their system. From…