Privileged access management (PAM) is in a bizarre place right now. On the one hand, organizations mostly understand the value of PAM. In a July 2019 study cited by Forbes, for instance, just 1% of respondents said that they don’t use any kind of PAM. More than eight in 10 of those respondents were happy with the tools and strategy that they were using for PAM.

On the other hand, many people aren’t confident that their PAM solutions and strategy are helping. Two out of five respondents said their PAM solution could prevent only some types of attacks. What’s more, 8% said that they didn’t feel their PAM solution could stop inappropriate access.

Why This Lack of Confidence?

Part of the reason has to do with how people are approaching privileged access management. Half of the 2019 survey respondents revealed that they’re using a directory service like Azure Active Directory. Just over a quarter (27%) indicated that they’re using native endpoint OS tools. A further 49% specified that they were using a specific PAM tool.

This could explain why some teams struggle to obtain visibility of their privileged accounts. Without that visibility, you might have to rely on manual methods to manage those assets. You can’t repeat those approaches across different instances, either. That makes the task of privileged access management ad hoc and possibly costly in terms of both time and budget.


Privileged Access Management Amid Business Change

A rapidly changing IT landscape could lead to lack of confidence in PAM tools and strategies, too. That’s because it makes it difficult for security teams to keep pace. The privileged accounts and entitlements they have to watch over might grow too fast.

Consider the fact that just 36% of organizations were planning to keep their PAM deployments on premises back in 2019. That was before the events of 2020 accelerated many organizations’ digital transformations. The pandemic caused a spike in adoption of tech such as the public cloud. Indeed, Gartner predicted that worldwide public cloud end-user spending will grow by 23% by the end of 2021.

Such investment doesn’t make protecting digital accounts any easier. According to Help Net Security, nearly 60% of CISOs considered a lack of visibility to be one of the greatest threats to their cloud infrastructure. This viewpoint reflects the many cloud-based data breaches in 2020. Nearly four-fifths (79%) of survey respondents said they had suffered at least one breach in that 12-month period. Two-thirds revealed they had suffered three or more cloud breaches, with 63% of those having exposed sensitive data.

Moving to the Cloud

These findings also show how hard it can be to move privileged access management to the cloud. Manual processes become even more difficult when the hybrid cloud is involved. So too does detecting potential instances of misuse. Given the dispersed nature of the network, threat actors can use one set of privileges to move laterally to another business asset. From there, they can compromise sensitive business data. Security teams won’t be able to detect that type of attack unless they’re able to achieve visibility in the cloud.

But that’s not easy. Many PAM solutions aren’t granular enough to do everything they need to in the cloud. That’s because they can’t account for all the different human and machine IDs as well as all the connections and policies concerning them. Cloud systems are dynamic by nature, so privileges constantly change as new cloud assets spin up and wind down. Not only that, but any user or service that can act as a given ID gains that ID’s privileges. In other words, they inherit identity access, a property that makes privileged access management even more complex.

Making it even more difficult, many PAM solutions lack support for some of the new types of human and service IDs that come with the cloud. This creates a gap in visibility, enabling attackers with access to a privileged account or ID to evade detection.
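The inheritance problem described in the two paragraphs above is easiest to see as a graph: an edge from principal A to identity B means A can act as B, so A effectively holds everything B holds, transitively. The following is an added example (not code from the article or any vendor's product) that computes effective privileges over such a graph and flags principals that reach administrative power only through a chain of assumed identities. All principal names, privilege strings and the `"*"` admin marker are constructed for illustration.

```python
"""Effective-privilege analysis over inherited cloud identities.

Added example, not from the original article. Models the "inherit
identity access" problem: a principal that can act as another identity
gains that identity's privileges, and chains of such hops add up.
"""
from collections import deque

# Constructed sample data (hypothetical names and privilege strings).
# Direct privileges attached to each identity.
DIRECT_PRIVS = {
    "alice": {"s3:GetObject"},
    "ci-runner": {"ecr:Push"},
    "deploy-role": {"ec2:RunInstances", "iam:PassRole"},
    "admin-role": {"*"},          # "*" marks full administrative access
}

# Which identities each principal is allowed to assume / impersonate.
CAN_ASSUME = {
    "alice": {"deploy-role"},
    "ci-runner": {"deploy-role"},
    "deploy-role": {"admin-role"},
    "admin-role": set(),
}


def reachable_identities(principal, can_assume):
    """All identities a principal can become, including itself.

    Breadth-first walk with a visited set, so cycles (A -> B -> A)
    terminate instead of looping forever.
    """
    seen = {principal}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for nxt in can_assume.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_privileges(principal, direct, can_assume):
    """Union of direct privileges over every reachable identity."""
    privs = set()
    for ident in reachable_identities(principal, can_assume):
        privs |= direct.get(ident, set())
    return privs


def assumption_path(source, targets, can_assume):
    """Shortest chain of assumptions from source to any identity in targets.

    Returned as a list of identity names, so a finding can be explained
    to the team that owns the policy. None if no chain exists.
    """
    parent = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        if current in targets:
            path = []
            while current is not None:
                path.append(current)
                current = parent[current]
            return path[::-1]
        for nxt in can_assume.get(current, ()):
            if nxt not in parent:
                parent[nxt] = current
                queue.append(nxt)
    return None


def find_hidden_admins(direct, can_assume, admin_marker="*"):
    """Principals that hold admin only by inheritance, with the chain.

    Principals that are directly administrative are skipped; the point
    is to surface the ones a direct-permission review would miss.
    """
    admins = {i for i, p in direct.items() if admin_marker in p}
    findings = {}
    for principal in can_assume:
        if principal in admins:
            continue
        if admin_marker in effective_privileges(principal, direct, can_assume):
            findings[principal] = assumption_path(principal, admins, can_assume)
    return findings


if __name__ == "__main__":
    for principal, chain in sorted(find_hidden_admins(DIRECT_PRIVS, CAN_ASSUME).items()):
        print(f"{principal}: inherits admin via {' -> '.join(chain)}")
```

Reviewing `DIRECT_PRIVS` alone would show `ci-runner` holding only `ecr:Push`; the graph walk shows it reaches `admin-role` in two hops, which is exactly the visibility gap the article describes. In a real environment the two dictionaries would be populated from the cloud provider's IAM policy and trust-relationship data rather than typed in by hand.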

Making Cloud-Based Privileged Access Management Work

To solve some of the challenges discussed above, you need a PAM strategy that accounts for the dynamic nature of the cloud. This includes being aware of the role that an employee takes on when they first join and any changes that occur over time. With that type of insight, security personnel can quickly allocate access to an employee when the need arises. They can also remove access when the employee no longer needs it. Information security (Infosec) teams can then leverage that same approach to manage privileged access for contractors and to remove all permissions once an employee leaves. That last point is an important step in ongoing efforts to protect against insider threats.

Identity analytics are key to all these and other cloud-based PAM functions. After all, identity analytics can warn about access combinations that could pose a threat before attackers find them. They can also inform alerts pertaining to privileged access violations so that infosec personnel can respond to potential issues before they escalate into security incidents.
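The lifecycle approach in the two paragraphs above (grant on joining, adjust on role change, revoke on departure or contract end) and the identity-analytics check for dangerous access combinations can be expressed as one reconciliation loop: derive each person's intended entitlements from their current HR record, diff that against what the accounts actually hold, and scan the result for toxic combinations. The following is an added example written for this article (not code from the original or from any PAM product); the roles, entitlement strings, HR records and separation-of-duties rules are all constructed.

```python
"""Joiner/mover/leaver reconciliation with a toxic-combination check.

Added example, not from the original article. Entitlements are derived
from the role recorded by HR; anything an account holds beyond that is
revoked, anything missing is granted, and terminated or expired people
(and accounts HR does not know about) lose everything.
"""
import datetime

# Constructed role model: which entitlements each business role should hold.
ROLE_ENTITLEMENTS = {
    "developer": {"repo:write", "ci:trigger"},
    "sre": {"prod:ssh", "prod:deploy", "ci:trigger"},
    "finance": {"erp:create-vendor", "erp:approve-payment"},
}

# Constructed separation-of-duties rules: holding every entitlement in a
# rule at once is a combination identity analytics should flag.
TOXIC_RULES = [
    frozenset({"repo:write", "prod:deploy"}),          # ship your own unreviewed code
    frozenset({"erp:create-vendor", "erp:approve-payment"}),  # classic payment fraud pair
]

# Constructed HR feed: a joiner, a mover, an expired contractor, a leaver.
HR_RECORDS = [
    {"user": "alice", "status": "active", "roles": ["developer"], "contract_end": None},
    {"user": "bob", "status": "active", "roles": ["sre"], "contract_end": None},
    {"user": "carol", "status": "active", "roles": ["finance"],
     "contract_end": datetime.date(2021, 5, 15)},
    {"user": "dave", "status": "terminated", "roles": ["sre"], "contract_end": None},
]

# Constructed snapshot of what the accounts actually hold today.
ACTUAL = {
    "alice": {"repo:write"},                                   # joiner, not fully provisioned
    "bob": {"repo:write", "ci:trigger", "prod:deploy", "prod:ssh"},  # mover kept dev access
    "carol": {"erp:create-vendor", "erp:approve-payment"},     # contract already expired
    "dave": {"prod:ssh"},                                       # left, never deprovisioned
    "svc-legacy": {"prod:deploy"},                              # orphan: no HR record at all
}


def desired_entitlements(record, today):
    """Entitlements a person should hold given their HR status on `today`."""
    if record["status"] != "active":
        return set()
    end = record.get("contract_end")
    if end is not None and end < today:
        return set()
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in record["roles"]))


def reconcile(hr_records, actual, today):
    """Return ("grant"|"revoke", user, entitlement) actions to converge.

    Accounts with entitlements but no HR record are treated as leavers:
    everything they hold is revoked.
    """
    actions = []
    known = set()
    for record in hr_records:
        user = record["user"]
        known.add(user)
        want = desired_entitlements(record, today)
        have = actual.get(user, set())
        actions += [("grant", user, e) for e in sorted(want - have)]
        actions += [("revoke", user, e) for e in sorted(have - want)]
    for user in sorted(set(actual) - known):
        actions += [("revoke", user, e) for e in sorted(actual[user])]
    return actions


def apply_actions(actual, actions):
    """Pure function: return the entitlement map after applying actions."""
    result = {u: set(e) for u, e in actual.items()}
    for verb, user, ent in actions:
        if verb == "grant":
            result.setdefault(user, set()).add(ent)
        else:
            result.get(user, set()).discard(ent)
    return {u: e for u, e in result.items() if e}


def toxic_combinations(entitlements_by_user, rules):
    """(user, rule) pairs where an account holds a whole toxic rule."""
    return [(user, rule)
            for user, ents in sorted(entitlements_by_user.items())
            for rule in rules if rule <= ents]


if __name__ == "__main__":
    today = datetime.date(2021, 6, 1)
    for hit in toxic_combinations(ACTUAL, TOXIC_RULES):
        print("toxic combination before reconcile:", hit)
    plan = reconcile(HR_RECORDS, ACTUAL, today)
    for action in plan:
        print(*action)
    print("toxic after:", toxic_combinations(apply_actions(ACTUAL, plan), TOXIC_RULES))
```

Two design choices worth noting: the reconciler is driven entirely by the HR feed and a dated `today`, so a contractor's access lapses automatically when the contract end passes, and `reconcile` produces a plan rather than mutating anything, so the plan can be reviewed or alerted on (as the article suggests for privileged access violations) before it is executed. In a real deployment `ACTUAL` would come from the cloud IAM and directory APIs and the actions would be fed back to them.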

Enforcing Privileged Access in the Cloud

Many organizations can’t leverage identity analytics or dynamically manage privileged access on their own. That leaves them with two options, noted Forbes. On the one hand, they could choose to combine legacy PAM solutions with separate Cloud Infrastructure Entitlement Management and Identity Governance Administration tools. The gamble here is that there’s no guarantee those solutions will integrate, so there isn’t any assurance that your workers won’t waste time trying to manage all those deployments together. On the other hand, you could turn to a single solution that takes a proactive, life cycle approach to privileged access management across the entire infrastructure, thus saving time and money.
