Building Blocks: How to Create a Privileged Access Management (PAM) Strategy

September 8, 2021
| |
4 min read

Privileged access management (PAM) has long been central to a good enterprise cybersecurity strategy. However, its nature is changing. The pace of digital change is speeding up and reliance on the cloud increasing. So, businesses and agencies must develop new PAM strategies to keep up. Processes and tools that could support yesterday’s on-premises IT rarely meet the needs of today.

The events of 2020 sped up the pace of digital adoption across workplaces. But even before that, IT and cybersecurity experts lacked confidence about whether their PAM tactics were working. Nearly 40% of the respondents to a mid-2019 survey from Remediant said they weren’t sure their current PAM solution would be able to prevent all misuse of privileged accounts, and 8% weren’t certain that it could prevent any.

The current business climate only amplifies these challenges. To meet the needs of today’s consumers — as well as their employees — enterprises are rushing to change. But not all are building security into the new cloud services they depend upon. Having the right PAM strategy will be key for cyber resilience in the months and years to come.

Privileged Access Management Is Different in the Cloud

In the past, a PAM strategy involved the people, processes and technologies used to maintain visibility into and control over the accounts, identities and services that have elevated privileges (that means greater access to resources than standard user accounts do). These might include system admin accounts as well as user accounts that can manage local devices. Machine IDs such as service accounts, secure shell and application programming interface keys also fall under this category. So do other IDs used by automated processes to interact with operating systems or configurations.

Legacy privileged access management solutions gathered all the credentials connected with these privileged accounts into a centralized password vault. Some solutions created the passwords for privileged accounts, too. Many offered audit logging or session tracking to help meet compliance needs. Most password vaults worked best when supporting on-premises deployments, however. This means that they can fall short in several critical ways when applied to the cloud.

Learn more on PAM

Why Is This Important Now? 

To maintain insight into corporate IT networks, older privileged access management solutions conduct scans at regular intervals. Those intervals didn’t work well when paired with the cloud. Now, IT workers can spin up or scale down new services and workloads in minutes. 

Password vault solutions often grant specific accounts rights to access resources in an absolute manner. These solutions don’t limit rights by time or by task. Instead, they apply ‘standing privilege’. Anyone with standing privileges maintains that access for an unlimited amount of time.

In legacy systems, this model was adequate. Admins needed to limit standing permissions to what users needed to get their jobs done, but that was doable. After all, development and operations functions were separate and infrastructure was confined to the office and the data center.

However, it’s not enough for modern multi-cloud, hybrid and DevOps systems. These are much more complex, involving shifting permission sets and usage models and services that change over time.

The Core of a Robust Cloud PAM Strategy: Zero Standing Privilege

Cloud computing requires a paradigm shift. IT leaders have changed their thinking about infrastructure, operations and cost management. A similar change needs to take place when it comes to protecting data in the cloud.

As network edges dissolve into extended enterprise computing ecosystems, more groups are adopting zero trust-based frameworks. The zero trust paradigm is summarized in the slogan ‘never trust, always verify’. In essence, it states that every user, device, or application must prove that they are who they say they are and demonstrate that they really need access to a particular resource.

Zero standing privilege (ZSP) is a means of applying zero trust principles to problems in privileged access management. With ZSP, the system grants access to privileged resources only for a limited time. It does so on an as-needed basis, checking each access request one by one and deciding on them according to preset policies or risk-based rankings. Furthermore, ZSP enables just-in-time access. That makes it possible for developers to build with freedom but greatly reduces the chance of privileged credential abuse.

Enforcing ZSP across fast-changing systems is challenging. Ask yourself whether your team has the means to track and manage the IDs that will require privileged access. You should have a means of preventing unwanted access from occurring, as well as ensuring that you can apply governance.

Privileged Access Management for Modern Cloud and Hybrid Work Places

To ensure you don’t neglect cloud resources in your PAM strategy, it’s essential to include cloud-focused solutions within your identity and access management (IAM) solution setup. 

“The modern enterprise has two options,” explains Vibhuti Sinha, chief product officer at Saviynt and member of the Forbes Technology Council. “Combine solutions to mitigate gaps or utilize a converged alternative.” 

Adopting the combined-solution approach involves maintaining three distinct solutions, some of which overlap:

1.) A legacy PAM solution, which will handle privilege management for on-premises applications and infrastructure

2.) An Identity Governance Administration (IGA) solution, which will manage account provisioning and identity lifecycles

3.) A Cloud Infrastructure Entitlement Management solution, which will enforce time-limited access controls across your cloud resources.

This can be a highly effective approach if you already have existing IGA or PAM solutions in place but want to mitigate cloud risks. In this case, it’s important to ensure that you’ve placed these solutions well so that there are no coverage gaps.

The converged-solution approach means adopting a privileged access management platform that was designed for the cloud — one that can grant permissions on a dynamic, as-needed basis across complex hybrid and multi-cloud environments, as well as for software-as-a-service (SaaS) apps. 

Choosing a Privileged Access Management Solution 

Which approach is right for your needs will depend on your internal expertise and administrative resources, and what you need the solution to do. It’s important that a cloud solution be able to manage fully remote employees as well as third-party vendors or contractors who may need to access resources for limited times. 

“With cloud technology and SaaS applications dominating most organizations’ digital transformation strategies, dynamic visibility into who is trying to access what is paramount,” says Sinha. “So is limiting the scope and duration of each user’s access on an as-needed basis.”

These key capabilities will enable the modern enterprise to navigate digital transformation without increasing cyber risk.

Dawn Blizard

Dawn is a seasoned journalist with vast experience writing in the B2B tech and cybersecurity space. She has a Ph.D. in English literature and over a decade o...
read more