September 8, 2021 By Dawn Blizard 4 min read

Privileged access management (PAM) has long been central to a good enterprise cybersecurity strategy. However, its nature is changing. The pace of digital change is speeding up and reliance on the cloud increasing. So, businesses and agencies must develop new PAM strategies to keep up. Processes and tools that could support yesterday’s on-premises IT rarely meet the needs of today.

The events of 2020 sped up the pace of digital adoption across workplaces. But even before that, IT and cybersecurity experts lacked confidence about whether their PAM tactics were working. Nearly 40% of the respondents to a mid-2019 survey from Remediant said they weren’t sure their current PAM solution would be able to prevent all misuse of privileged accounts, and 8% weren’t certain that it could prevent any.

The current business climate only amplifies these challenges. To meet the needs of today’s consumers — as well as their employees — enterprises are rushing to change. But not all are building security into the new cloud services they depend upon. Having the right PAM strategy will be key for cyber resilience in the months and years to come.

Privileged Access Management Is Different in the Cloud

In the past, a PAM strategy involved the people, processes and technologies used to maintain visibility into and control over the accounts, identities and services that have elevated privileges (that means greater access to resources than standard user accounts do). These might include system admin accounts as well as user accounts that can manage local devices. Machine IDs such as service accounts, secure shell and application programming interface keys also fall under this category. So do other IDs used by automated processes to interact with operating systems or configurations.

Legacy privileged access management solutions gathered all the credentials connected with these privileged accounts into a centralized password vault. Some solutions created the passwords for privileged accounts, too. Many offered audit logging or session tracking to help meet compliance needs. Most password vaults worked best when supporting on-premises deployments, however. This means that they can fall short in several critical ways when applied to the cloud.

Learn more on PAM

Why Is This Important Now?

To maintain insight into corporate IT networks, older privileged access management solutions conduct scans at regular intervals. Those intervals didn’t work well when paired with the cloud. Now, IT workers can spin up or scale down new services and workloads in minutes.

Password vault solutions often grant specific accounts rights to access resources in an absolute manner. These solutions don’t limit rights by time or by task. Instead, they apply ‘standing privilege’. Anyone with standing privileges maintains that access for an unlimited amount of time.

In legacy systems, this model was adequate. Admins needed to limit standing permissions to what users needed to get their jobs done, but that was doable. After all, development and operations functions were separate and infrastructure was confined to the office and the data center.

However, it’s not enough for modern multi-cloud, hybrid and DevOps systems. These are much more complex, involving shifting permission sets and usage models and services that change over time.

The Core of a Robust Cloud PAM Strategy: Zero Standing Privilege

 

Cloud computing requires a paradigm shift. IT leaders have changed their thinking about infrastructure, operations and cost management. A similar change needs to take place when it comes to protecting data in the cloud.

As network edges dissolve into extended enterprise computing ecosystems, more groups are adopting zero trust-based frameworks. The zero trust paradigm is summarized in the slogan ‘never trust, always verify’. In essence, it states that every user, device, or application must prove that they are who they say they are and demonstrate that they really need access to a particular resource.

Zero standing privilege (ZSP) is a means of applying zero trust principles to problems in privileged access management. With ZSP, the system grants access to privileged resources only for a limited time. It does so on an as-needed basis, checking each access request one by one and deciding on them according to preset policies or risk-based rankings. Furthermore, ZSP enables just-in-time access. That makes it possible for developers to build with freedom but greatly reduces the chance of privileged credential abuse.

Enforcing ZSP across fast-changing systems is challenging. Ask yourself whether your team has the means to track and manage the IDs that will require privileged access. You should have a means of preventing unwanted access from occurring, as well as ensuring that you can apply governance.

Privileged Access Management for Modern Cloud and Hybrid Work Places

To ensure you don’t neglect cloud resources in your PAM strategy, it’s essential to include cloud-focused solutions within your identity and access management (IAM) solution setup.

“The modern enterprise has two options,” explains Vibhuti Sinha, chief product officer at Saviynt and member of the Forbes Technology Council. “Combine solutions to mitigate gaps or utilize a converged alternative.”

Adopting the combined-solution approach involves maintaining three distinct solutions, some of which overlap:

1.) A legacy PAM solution, which will handle privilege management for on-premises applications and infrastructure

2.) An Identity Governance Administration (IGA) solution, which will manage account provisioning and identity lifecycles

3.) A Cloud Infrastructure Entitlement Management solution, which will enforce time-limited access controls across your cloud resources.

This can be a highly effective approach if you already have existing IGA or PAM solutions in place but want to mitigate cloud risks. In this case, it’s important to ensure that you’ve placed these solutions well so that there are no coverage gaps.

The converged-solution approach means adopting a privileged access management platform that was designed for the cloud — one that can grant permissions on a dynamic, as-needed basis across complex hybrid and multi-cloud environments, as well as for software-as-a-service (SaaS) apps.

Choosing a Privileged Access Management Solution

Which approach is right for your needs will depend on your internal expertise and administrative resources, and what you need the solution to do. It’s important that a cloud solution be able to manage fully remote employees as well as third-party vendors or contractors who may need to access resources for limited times.

“With cloud technology and SaaS applications dominating most organizations’ digital transformation strategies, dynamic visibility into who is trying to access what is paramount,” says Sinha. “So is limiting the scope and duration of each user’s access on an as-needed basis.”

These key capabilities will enable the modern enterprise to navigate digital transformation without increasing cyber risk.

More from Cloud Security

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Best practices for cloud configuration security

5 min read - Cloud computing has become an integral part of IT infrastructure for businesses of all sizes, providing on-demand access to a wide range of services and resources. The evolution of cloud computing has been driven by the need for more efficient, scalable and cost-effective ways to deliver computing resources.Cloud computing enables on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) over the internet. Instead of owning and maintaining physical hardware and infrastructure, users…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today