Why Privileged Access Management Is So Hard in the Cloud

August 27, 2021

Privileged access management (PAM) is in a bizarre place right now. On the one hand, organizations mostly understand the value of PAM. In a July 2019 study cited by Forbes, for instance, just 1% of respondents said that they don’t use any kind of PAM. More than eight in 10 of those respondents were happy with the tools and strategy that they were using for PAM.

On the other hand, many people aren’t confident that their PAM solutions and strategy are helping. Two out of five respondents said their PAM solution could prevent only some types of attacks. What’s more, 8% said that they didn’t feel their PAM solution could stop inappropriate access.

Why This Lack of Confidence?

Part of the reason has to do with how people are approaching privileged access management. Half of the 2019 survey respondents revealed that they’re using a directory service like Azure Active Directory. Just over a quarter (27%) indicated that they’re using native endpoint OS tools. A further 49% specified that they were using a specific PAM tool.

This could explain why some teams struggle to obtain visibility of their privileged accounts. Without that visibility, you might have to rely on manual methods to manage those assets, and manual approaches can’t be repeated consistently across different instances. That makes privileged access management inconsistent and possibly costly in terms of both time and budget.


Privileged Access Management Amid Business Change

A rapidly changing IT landscape could lead to a lack of confidence in PAM tools and strategies, too. That’s because it makes it difficult for security teams to keep pace: the privileged accounts and entitlements they have to watch over might grow faster than they can track them.

Consider the fact that just 36% of organizations were planning to keep their PAM deployments on premises back in 2019. That was before the events of 2020 accelerated many organizations’ digital transformations. The pandemic caused a spike in adoption of tech such as the public cloud. Indeed, Gartner predicted that worldwide public cloud end-user spending will grow by 23% by the end of 2021.

Such investment doesn’t make protecting digital accounts any easier. According to Help Net Security, nearly 60% of CISOs considered a lack of visibility to be one of the greatest threats to their cloud infrastructure. This viewpoint reflects the many cloud-based data breaches in 2020. Nearly four-fifths (79%) of survey respondents said they had suffered at least one breach in that 12-month period. Two-thirds revealed they had suffered three or more cloud breaches, with 63% of those having exposed sensitive data.

Moving to the Cloud

These findings also show how hard it can be to move privileged access management to the cloud. Manual processes become even more difficult when the hybrid cloud is involved. So too does detecting potential instances of misuse. Given the dispersed nature of the network, threat actors can use one set of privileges to move laterally to another business asset. From there, they can compromise sensitive business data. Security teams won’t be able to detect that type of attack unless they’re able to achieve visibility in the cloud.

But that’s not easy. Many PAM solutions aren’t granular enough to do everything they need to in the cloud, because they can’t account for all the different human and machine IDs as well as all the connections and policies concerning them. Cloud systems are dynamic by nature, so privileges constantly change as new cloud assets spin up and wind down. Not only that, but both users and services gain the same privileges as any ID they are allowed to act as (a role they can assume, for instance). In other words, they inherit identity access, which makes privileged access management even more complex.

Making it even more difficult, many PAM solutions lack support for some of the new types of human and service IDs that come with the cloud. This creates a gap in visibility, enabling attackers with access to a privileged account or ID to evade detection.

Making Cloud-Based Privileged Access Management Work

To solve some of the challenges discussed above, you need a PAM strategy that accounts for the dynamic nature of the cloud. This includes being aware of the role that an employee takes on when they first join and any changes that occur over time. With that type of insight, security personnel can quickly allocate access to an employee when the need arises. They can also remove access when the employee no longer needs it. Information security (Infosec) teams can then leverage that same approach to manage privileged access for contractors and to remove all permissions once an employee leaves. That last point is an important step in ongoing efforts to protect against insider threats.

Identity analytics are key to all these and other cloud-based PAM functions. After all, identity analytics can warn about access combinations that could pose a threat before attackers find them. They can also inform alerts pertaining to privileged access violations so that infosec personnel can respond to potential issues before they escalate into security incidents.
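The two ideas above, inherited identity access (a user or service holds every privilege of any ID it can act as) and a lifecycle approach backed by identity analytics (flag access that should have been removed, and flag risky permission combinations before they are abused), can be made concrete with a small inventory analysis. The following is an added example written for this article, not code from the article or from any PAM product. The identity inventory, the expiry dates, the set of permissions treated as privileged and the segregation-of-duties rules are all constructed assumptions; the permission names are written in an AWS-like `service:Action` style purely for realism.

```python
"""Cloud PAM inventory analysis: effective privileges through inherited identities,
stale privileged access after offboarding, and risky permission combinations.
Added example with constructed data; not part of the original article."""
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Identity:
    name: str
    kind: str                              # "human" or "service"
    status: str = "active"                 # "active" or "left"
    access_expires: Optional[date] = None  # contractor end date; None = open-ended
    permissions: Set[str] = field(default_factory=set)  # directly granted
    can_assume: Set[str] = field(default_factory=set)   # identities it may act as


# Constructed inventory (assumption, not real data). Role-like identities are
# modelled as service identities that other principals may assume.
TODAY = date(2021, 8, 27)

INVENTORY: Dict[str, Identity] = {
    "admin-role": Identity("admin-role", "service",
        permissions={"iam:CreatePolicyVersion", "iam:AttachRolePolicy", "kms:Decrypt"}),
    "deploy-role": Identity("deploy-role", "service",
        permissions={"lambda:UpdateFunctionCode"}, can_assume={"admin-role"}),
    "ci-runner": Identity("ci-runner", "service",
        permissions={"ecr:GetDownloadUrlForLayer"}, can_assume={"deploy-role"}),
    "alice": Identity("alice", "human",
        permissions={"s3:GetObject"}, can_assume={"deploy-role"}),
    "bob": Identity("bob", "human", status="left",
        permissions={"ec2:DescribeInstances"}, can_assume={"admin-role"}),
    "contractor-1": Identity("contractor-1", "human", access_expires=date(2021, 6, 30),
        permissions={"s3:GetObject"}, can_assume={"deploy-role"}),
}

# Which permissions count as privileged is a policy decision; this set is an assumption.
PRIVILEGED = {"iam:CreatePolicyVersion", "iam:AttachRolePolicy",
              "kms:Decrypt", "lambda:UpdateFunctionCode"}

# Segregation-of-duties rules (assumed): holding every permission in a set is risky.
SOD_RULES: Dict[str, Set[str]] = {
    "self-grant of new permissions": {"iam:CreatePolicyVersion", "iam:AttachRolePolicy"},
    "read protected data": {"kms:Decrypt", "s3:GetObject"},
}


def effective_permissions(name: str, inventory: Dict[str, Identity]) -> Dict[str, str]:
    """Every permission `name` can exercise, mapped to the identity that grants it.
    Walks can_assume edges transitively (breadth-first, so the recorded grantor is
    the nearest one); `seen` stops cycles such as role A assumes B assumes A."""
    result: Dict[str, str] = {}
    seen = {name}
    queue = deque([name])
    while queue:
        current = queue.popleft()
        for perm in sorted(inventory[current].permissions):
            result.setdefault(perm, current)
        for target in sorted(inventory[current].can_assume):
            if target in inventory and target not in seen:
                seen.add(target)
                queue.append(target)
    return result


def is_offboarded(ident: Identity, today: date) -> bool:
    """Leaver, or contractor whose agreed end date has passed."""
    return ident.status == "left" or (
        ident.access_expires is not None and ident.access_expires < today)


def stale_privileged_access(inventory: Dict[str, Identity], today: date) -> Dict[str, Dict[str, str]]:
    """Offboarded identities that can still reach a privileged permission, with the grantor."""
    findings: Dict[str, Dict[str, str]] = {}
    for name, ident in inventory.items():
        if not is_offboarded(ident, today):
            continue
        held = {p: via for p, via in effective_permissions(name, inventory).items()
                if p in PRIVILEGED}
        if held:
            findings[name] = held
    return findings


def sod_violations(inventory: Dict[str, Identity]) -> Dict[str, List[str]]:
    """Identities whose effective permissions satisfy any segregation-of-duties rule."""
    findings: Dict[str, List[str]] = {}
    for name in inventory:
        eff = set(effective_permissions(name, inventory))
        hits = sorted(rule for rule, perms in SOD_RULES.items() if perms <= eff)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for who, perms in stale_privileged_access(INVENTORY, TODAY).items():
        print(f"STALE  {who}: " + ", ".join(f"{p} via {v}" for p, v in sorted(perms.items())))
    for who, rules in sod_violations(INVENTORY).items():
        print(f"SOD    {who}: " + "; ".join(rules))
```

Two things the inventory alone does not show come out of the analysis: `ci-runner` and `alice` never hold an IAM permission directly, yet both can rewrite and attach policies through the `deploy-role` to `admin-role` chain, and `bob` (a leaver) and `contractor-1` (past the end date) still reach every admin permission because nobody revoked the assume relationship when the person was offboarded. In a real deployment the inventory would be built from the provider's IAM data and the HR or contract system, and both reports would feed the alerting the article describes.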

Enforcing Privileged Access in the Cloud

Many organizations can’t leverage identity analytics or dynamically manage privileged access on their own. That leaves them with two options, noted Forbes. On the one hand, they could combine legacy PAM solutions with separate Cloud Infrastructure Entitlement Management (CIEM) and Identity Governance and Administration (IGA) tools. The gamble here is that there’s no guarantee those solutions will integrate, so there is no assurance that your workers won’t waste time trying to manage all those deployments together. On the other hand, you could turn to a single solution that takes a proactive, life cycle approach to privileged access management across the entire infrastructure, thus saving time and money.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...