September 8, 2021 By Dawn Blizard 4 min read

Privileged access management (PAM) has long been central to a good enterprise cybersecurity strategy. However, its nature is changing. The pace of digital change is speeding up and reliance on the cloud increasing. So, businesses and agencies must develop new PAM strategies to keep up. Processes and tools that could support yesterday’s on-premises IT rarely meet the needs of today.

The events of 2020 sped up the pace of digital adoption across workplaces. But even before that, IT and cybersecurity experts lacked confidence about whether their PAM tactics were working. Nearly 40% of the respondents to a mid-2019 survey from Remediant said they weren’t sure their current PAM solution would be able to prevent all misuse of privileged accounts, and 8% weren’t certain that it could prevent any.

The current business climate only amplifies these challenges. To meet the needs of today’s consumers — as well as their employees — enterprises are rushing to change. But not all are building security into the new cloud services they depend upon. Having the right PAM strategy will be key for cyber resilience in the months and years to come.

Privileged Access Management Is Different in the Cloud

In the past, a PAM strategy involved the people, processes and technologies used to maintain visibility into and control over the accounts, identities and services that have elevated privileges (that means greater access to resources than standard user accounts do). These might include system admin accounts as well as user accounts that can manage local devices. Machine IDs such as service accounts, secure shell and application programming interface keys also fall under this category. So do other IDs used by automated processes to interact with operating systems or configurations.

Legacy privileged access management solutions gathered all the credentials connected with these privileged accounts into a centralized password vault. Some solutions created the passwords for privileged accounts, too. Many offered audit logging or session tracking to help meet compliance needs. Most password vaults worked best when supporting on-premises deployments, however. This means that they can fall short in several critical ways when applied to the cloud.

Learn more on PAM

Why Is This Important Now?

To maintain insight into corporate IT networks, older privileged access management solutions conduct scans at regular intervals. Those intervals didn’t work well when paired with the cloud. Now, IT workers can spin up or scale down new services and workloads in minutes.

Password vault solutions often grant specific accounts rights to access resources in an absolute manner. These solutions don’t limit rights by time or by task. Instead, they apply ‘standing privilege’. Anyone with standing privileges maintains that access for an unlimited amount of time.

In legacy systems, this model was adequate. Admins needed to limit standing permissions to what users needed to get their jobs done, but that was doable. After all, development and operations functions were separate and infrastructure was confined to the office and the data center.

However, it’s not enough for modern multi-cloud, hybrid and DevOps systems. These are much more complex, involving shifting permission sets and usage models and services that change over time.

The Core of a Robust Cloud PAM Strategy: Zero Standing Privilege


Cloud computing requires a paradigm shift. IT leaders have changed their thinking about infrastructure, operations and cost management. A similar change needs to take place when it comes to protecting data in the cloud.

As network edges dissolve into extended enterprise computing ecosystems, more groups are adopting zero trust-based frameworks. The zero trust paradigm is summarized in the slogan ‘never trust, always verify’. In essence, it states that every user, device, or application must prove that they are who they say they are and demonstrate that they really need access to a particular resource.

Zero standing privilege (ZSP) is a means of applying zero trust principles to problems in privileged access management. With ZSP, the system grants access to privileged resources only for a limited time. It does so on an as-needed basis, checking each access request one by one and deciding on them according to preset policies or risk-based rankings. Furthermore, ZSP enables just-in-time access. That makes it possible for developers to build with freedom but greatly reduces the chance of privileged credential abuse.

Enforcing ZSP across fast-changing systems is challenging. Ask yourself whether your team has the means to track and manage the IDs that will require privileged access. You should have a means of preventing unwanted access from occurring, as well as ensuring that you can apply governance.

Privileged Access Management for Modern Cloud and Hybrid Work Places

To ensure you don’t neglect cloud resources in your PAM strategy, it’s essential to include cloud-focused solutions within your identity and access management (IAM) solution setup.

“The modern enterprise has two options,” explains Vibhuti Sinha, chief product officer at Saviynt and member of the Forbes Technology Council. “Combine solutions to mitigate gaps or utilize a converged alternative.”

Adopting the combined-solution approach involves maintaining three distinct solutions, some of which overlap:

1.) A legacy PAM solution, which will handle privilege management for on-premises applications and infrastructure

2.) An Identity Governance Administration (IGA) solution, which will manage account provisioning and identity lifecycles

3.) A Cloud Infrastructure Entitlement Management solution, which will enforce time-limited access controls across your cloud resources.

This can be a highly effective approach if you already have existing IGA or PAM solutions in place but want to mitigate cloud risks. In this case, it’s important to ensure that you’ve placed these solutions well so that there are no coverage gaps.

The converged-solution approach means adopting a privileged access management platform that was designed for the cloud — one that can grant permissions on a dynamic, as-needed basis across complex hybrid and multi-cloud environments, as well as for software-as-a-service (SaaS) apps.

Choosing a Privileged Access Management Solution

Which approach is right for your needs will depend on your internal expertise and administrative resources, and what you need the solution to do. It’s important that a cloud solution be able to manage fully remote employees as well as third-party vendors or contractors who may need to access resources for limited times.

“With cloud technology and SaaS applications dominating most organizations’ digital transformation strategies, dynamic visibility into who is trying to access what is paramount,” says Sinha. “So is limiting the scope and duration of each user’s access on an as-needed basis.”

These key capabilities will enable the modern enterprise to navigate digital transformation without increasing cyber risk.

More from Cloud Security

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today