Privileged access management (PAM) is in a bizarre place right now. On the one hand, organizations mostly understand the value of PAM. In a July 2019 study cited by Forbes, for instance, just 1% of respondents said that they don’t use any kind of PAM. More than eight in 10 of those respondents were happy with the tools and strategy that they were using for PAM.

On the other hand, many people aren’t confident that their PAM solutions and strategy are helping. Two out of five respondents said their PAM solution could prevent only some types of attacks. What’s more, 8% said that they didn’t feel their PAM solution could stop inappropriate access.

Why This Lack of Confidence?

Part of the reason has to do with how people are approaching privileged access management. Half of the 2019 survey respondents revealed that they’re using a directory service like Azure Active Directory. Just over a quarter (27%) indicated that they’re using native endpoint OS tools. A further 49% specified that they were using a specific PAM tool.

This could explain why some teams struggle to obtain visibility of their privileged accounts. Without that visibility, you might have to rely on manual methods to manage those assets. Manual approaches can’t be repeated consistently across different instances, either. That makes privileged access management inconsistent and possibly costly in terms of both time and budget.

Privileged Access Management Amid Business Change

A rapidly changing IT landscape could lead to lack of confidence in PAM tools and strategies, too. That’s because it makes it difficult for security teams to keep pace. The privileged accounts and entitlements they have to watch over might grow too fast.

Consider the fact that just 36% of organizations were planning to keep their PAM deployments on premises back in 2019. That was before the events of 2020 accelerated many organizations’ digital transformations. The pandemic caused a spike in adoption of tech such as the public cloud. Indeed, Gartner predicted that worldwide public cloud end-user spending will grow by 23% by the end of 2021.

Such investment doesn’t make protecting digital accounts any easier. According to Help Net Security, nearly 60% of CISOs considered a lack of visibility to be one of the greatest threats to their cloud infrastructure. This viewpoint reflects the many cloud-based data breaches in 2020. Nearly four-fifths (79%) of survey respondents said they had suffered at least one breach in that 12-month period. Two-thirds revealed they had suffered three or more cloud breaches, with 63% of those having exposed sensitive data.

Moving to the Cloud

These findings also show how hard it can be to move privileged access management to the cloud. Manual processes become even more difficult when the hybrid cloud is involved. So too does detecting potential instances of misuse. Given the dispersed nature of the network, threat actors can use one set of privileges to move laterally to another business asset. From there, they can compromise sensitive business data. Security teams won’t be able to detect that type of attack unless they’re able to achieve visibility in the cloud.

But that’s not easy. Many PAM solutions aren’t granular enough to do everything they need to in the cloud. That’s because they can’t account for all the different human and machine IDs, as well as all the connections and policies concerning them. Cloud systems are dynamic by nature, so privileges constantly change as new cloud assets spin up and wind down. Not only that, but any user or service that can act as an ID gains every privilege that ID holds. In other words, access is inherited through identities, which makes privileged access management even more complex.

Making it even more difficult, many PAM solutions lack support for some of the new types of human and service IDs that come with the cloud. This creates a gap in visibility, enabling attackers with access to a privileged account or ID to evade detection.

Making Cloud-Based Privileged Access Management Work

To solve some of the challenges discussed above, you need a PAM strategy that accounts for the dynamic nature of the cloud. This includes being aware of the role that an employee takes on when they first join and any changes that occur over time. With that type of insight, security personnel can quickly allocate access to an employee when the need arises and remove it when the employee no longer needs it. Information security (infosec) teams can then apply that same approach to manage privileged access for contractors and to remove all permissions once an employee leaves. That last point is an important step in ongoing efforts to protect against insider threats.

Identity analytics are key to all these and other cloud-based PAM functions. After all, identity analytics can warn about access combinations that could pose a threat before attackers find them. They can also inform alerts pertaining to privileged access violations so that infosec personnel can respond to potential issues before they escalate into security incidents.
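The two preceding sections describe a life-cycle approach (grant on join, adjust on role change, revoke on leave, expire temporary elevation) and an identity-analytics check for risky access combinations. The following Python is an added, self-contained illustration of that model written for this article; it is not code from any PAM product. The role names, entitlement strings, ticket reference and "toxic" pairs are constructed for the example, and the fixed clock in `demo()` exists only so the walkthrough is deterministic.

```python
"""Added example: a minimal privileged-access life cycle with joiner/mover/leaver
handling, time-bound (just-in-time) grants, and a toxic-combination check.
Roles, entitlements and toxic pairs below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Constructed role -> standing entitlements (assumption, not any product's schema)
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "developer": {"repo:write", "ci:run"},
    "cloud-admin": {"iam:admin", "kms:admin", "vm:admin"},
    "finance": {"payments:approve"},
    "contractor-dev": {"repo:write"},
}

# Constructed "toxic" pairs: holding both lets one identity defeat a control
TOXIC_PAIRS: list[tuple[frozenset[str], str]] = [
    (frozenset({"iam:admin", "kms:admin"}), "can mint keys and grant self decrypt rights"),
    (frozenset({"payments:approve", "repo:write"}), "can alter payment code and approve the result"),
]


@dataclass
class Grant:
    entitlement: str
    expires: Optional[datetime]  # None = standing access derived from the role
    reason: str


@dataclass
class Identity:
    name: str
    roles: set[str] = field(default_factory=set)
    grants: list[Grant] = field(default_factory=list)
    active: bool = True


class AccessLifecycle:
    def __init__(self, clock: Callable[[], datetime] = datetime.now):
        self.identities: dict[str, Identity] = {}
        self.audit: list[tuple[str, str, str, str]] = []  # (time, event, who, detail)
        self.clock = clock

    def _log(self, event: str, who: str, detail: str = "") -> None:
        self.audit.append((self.clock().isoformat(), event, who, detail))

    def _get(self, name: str) -> Identity:
        if name not in self.identities:
            raise KeyError(f"unknown identity {name}")
        return self.identities[name]

    def join(self, name: str, role: str) -> Identity:
        """Joiner: create the identity with only its role's standing access."""
        if name in self.identities:
            raise ValueError(f"{name} already exists")
        self.identities[name] = Identity(name)
        self._log("join", name, role)
        self.change_role(name, role)
        return self.identities[name]

    def change_role(self, name: str, new_role: str) -> None:
        """Mover: replace standing access with the new role's set; temporary grants keep their own expiry."""
        ident = self._get(name)
        ident.roles = {new_role}
        ident.grants = [g for g in ident.grants if g.expires is not None]
        for ent in sorted(ROLE_ENTITLEMENTS.get(new_role, set())):
            ident.grants.append(Grant(ent, None, f"role:{new_role}"))
        self._log("role-change", name, new_role)

    def grant_temporary(self, name: str, entitlement: str, ttl: timedelta, reason: str) -> Grant:
        """Just-in-time elevation that lapses on its own instead of relying on manual revocation."""
        ident = self._get(name)
        grant = Grant(entitlement, self.clock() + ttl, reason)
        ident.grants.append(grant)
        self._log("grant", name, f"{entitlement} until {grant.expires.isoformat()} ({reason})")
        return grant

    def leave(self, name: str) -> None:
        """Leaver: disable the identity and drop every entitlement, standing or temporary."""
        ident = self._get(name)
        ident.active = False
        ident.grants.clear()
        self._log("leave", name)

    def effective_entitlements(self, name: str) -> set[str]:
        """What the identity can do right now; expired grants and disabled identities yield nothing."""
        ident = self._get(name)
        if not ident.active:
            return set()
        now = self.clock()
        return {g.entitlement for g in ident.grants if g.expires is None or g.expires > now}

    def toxic_combinations(self, name: str) -> list[str]:
        """Identity-analytics check: which constructed toxic pairs this identity currently holds."""
        have = self.effective_entitlements(name)
        return [why for pair, why in TOXIC_PAIRS if pair <= have]

    def review(self) -> dict[str, list[str]]:
        """Fleet-wide pass: every identity holding at least one toxic combination."""
        findings = {}
        for name in self.identities:
            hits = self.toxic_combinations(name)
            if hits:
                findings[name] = hits
        return findings


def demo() -> dict:
    """Walk one identity through join -> JIT elevation -> expiry -> role change -> leave."""
    now = [datetime(2021, 6, 1, 9, 0)]  # constructed fixed clock
    lc = AccessLifecycle(clock=lambda: now[0])
    lc.join("alice", "developer")
    lc.grant_temporary("alice", "vm:admin", timedelta(hours=2), "ticket INC-0001 (constructed)")
    during = lc.effective_entitlements("alice")
    now[0] += timedelta(hours=3)  # elevation has lapsed
    after_expiry = lc.effective_entitlements("alice")
    lc.change_role("alice", "cloud-admin")
    toxic = lc.review()
    lc.leave("alice")
    return {
        "during": during,
        "after_expiry": after_expiry,
        "toxic": toxic,
        "after_leave": lc.effective_entitlements("alice"),
        "events": [e[1] for e in lc.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is the piece a detection team would actually consume: every join, role change, grant and leave is timestamped, so a grant with no matching expiry or a leave that never happened shows up as a gap in the log rather than as an orphaned standing privilege.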

Enforcing Privileged Access in the Cloud

Many organizations can’t leverage identity analytics or dynamically manage privileged access on their own. That leaves them with two options, noted Forbes. On one hand, they could combine legacy PAM solutions with separate Cloud Infrastructure Entitlement Management (CIEM) and Identity Governance and Administration (IGA) tools. The gamble here is that there’s no guarantee those solutions will integrate, so there’s no assurance that your workers won’t waste time trying to manage all those deployments together. On the other hand, they could turn to a single solution that takes a proactive, life cycle approach to privileged access management across the entire infrastructure, saving time and money.
