Cloud PAM: Meeting Tomorrow’s Needs Today

MJ Kaufmann

MJ Kaufmann

Security Specialist

Privileged access management (PAM) at its core tracks and secures access to sensitive or high privileged resources. It’s the nuance where many organizations fail. Merely implementing a vaulting system for administrative accounts with limited access does technically constitute PAM, but ignoring more in-depth PAM use-cases ignores the important proactive and preventative measures of integrated governance, appropriate session handling, as well as monitoring and auditing. 

PAM is designed for traditional “accounts” with usernames and passwords. Many of these fail to account for the dynamic nature of cloud or hybrid environments. These legacy PAM systems have failed to evolve and support new identity types that exist within cloud ecosystems. These cloud-based challenges are best met with solutions built for the cloud that seamlessly integrate with cloud technologies, as well as remaining on-premises workloads. 

Traditional PAM is Not Enough

Cloud adoption and digital transformation projects accelerated out of necessity. In order to accommodate newly remote workers, companies pushed resources into the cloud allowing work from anywhere. This sudden expansion of resource accessibility also expanded the threat surface. Attackers continue to get smarter and masquerade as employees working from anywhere, so the need for time-limited administration has become a necessity. Ensuring that usage is appropriate while integrating with on-premise systems has organizations driving towards a security model based on Zero-Trust principles, which is a security model based upon not trusting anyone by default, even those on the internal networks.

These changes necessitate new methods of securing data to better handle the evolving business model. Cloud PAM directly integrates with collaboration tools and applications allowing for unique sharing and data access management.Many collaboration platforms allow indiscriminate sharing of data that an individual has access to. Cloud PAM provides the oversight to perform identity based risk analysis on privileged and shared data.

Among the many security concerns during this mass expansion into the cloud is the integration of non-employee users. Non-employees can vary from contractors to vendors that deliver solutions that can be as vital as standard employees. Like employees, they often require access to privileged data and processes in order to accomplish their duties. However, they are often not managed through normal HR processes. A modern PAM solution built for the cloud integrates these identities with current employees and manages their lifecycle to ensure access isn’t lingering beyond their engagement. Establishing accounts with Just-in-Time provisioning is a massive benefit of cloud PAM.   

Beyond Recorded Sessions

Recorded sessions used to monitor that credentials usage is appropriate has traditionally been a PAM staple, but monitoring and reviewing those sessions is manual and tedious. Even systems administrators’ credentials are at risk of being compromised or misused, as seen in the recent high-profile Twitter hack. If an administrator’s credentials are compromised, attackers can periodically access sensitive information or make changes to systems masquerading as normal usage.

Legacy PAM solutions offer degrees of session monitoring in conjunction with indirect access to credentials. When access is made, these credentials are channeled through a controlled interface, and a recorded session logs everything from keystrokes to what’s on screen. Cloud PAM solutions extend this session monitoring beyond RDP and SSH to view and record sessions in the cloud. Extending this visibility across different cloud platforms helps to illuminate privileged usage that would otherwise be missed with legacy PAM monitoring. This level of session archiving allows for future auditing of credential usage, creating an audit trail that’s useful for incident response. This pro-active security control enables organizations to monitor privileged use throughout the entire organizational IT ecosystem, similar to how logs monitor system activity. This preventive security can be increased by leveraging machine learning to trigger alerts for certain behaviors and ensure faster identification and remediation of questionable access.

Beyond Governance  

Traditional PAM applies governance by validating adherence to business rules such as password rotation. Done manually, this constitutes hundreds of staff-hours. Automation guarantees that no accounts are missed and increases team efficiency. The advent of the cloud extended identities to include IoT devices, workloads, and other silicon-identities, exponentially growing their numbers. These identities require the storage of complex access keys and may be time-limited then disappear. These identities require management of their keys and dynamic provisioning of rights to allow them to complete their tasks and de-escalate them to a safe state once the task is complete.  

Zero Standing Privileges

Whether an organization’s IT ecosystem is in the cloud, on-premise or hybrid, not having persistent administrative rights is a crucial security feature. This feature, known as Zero Standing Privileges, is lacking in traditional PAM and now delivered by more sophisticated Cloud PAM solutions. This feature requires limited access to administrative identities and an access request to allow for Just-in-Time (JIT) provisioning granting administrative access. Administrative access must be explicitly enabled, and usage is monitored, allowing machine learning algorithms to identify anomalous behavior. By doing this, breaches can be caught early before attackers dive deep into the organizational IT ecosystem. 

The Depth of Visibility

Identity governance (IGA) seamless integration is an essential feature of modern PAM solutions. IGA looks beyond privileged account access, and into the scope of all access that an identity has, both privileged and non-privileged, flagging toxic permissions combinations and potential SoD violations. These occur when multiple permissions create situations where regulatory compliance violations occur.

True integration with IGA and guaranteeing persistent compliance requires that when requests for elevated access are made, everything must be tied back to risk. Cloud PAM looks at not only user risk but also workload risk and endpoint risk in order to create a holistic view of risk for an identity for a request. This holistic view drives governance beyond simply applying least privilege or zero standing privilege but is how continuous compliance can be guaranteed.  

This principle also holds true as many enterprises migrate toward cloud-based applications, such as ERP’s, GRC products, or EHR management systems, it is vital that they are able to maintain compliance & security visibility. Only next-generation cloud PAM solutions are able to integrate with these systems beyond simple access management. Viewing inside the applications to see access and permissions allows for the transparency organizations require to stay compliant and secure.  

A New Era of Cloud PAM 

Historically PAM solutions tracked and secured accounts while limiting access. Legacy PAM took things further with session recording and MFA. While these PAM solutions covered the basics they lack key features such as Just-in-Time (JIT) provisioning, native cloud integration, and the principles of zero standing privilege. Legacy PAM has served its purpose and helped organizations get by, but the modern enterprise needs an innovative, next-generation Cloud PAM solution. For this reason, Saviynt has further expanded our Cloud PAM offering, recently delivering a major update to the application that includes Google Cloud Platform support.

Saviynt is the only cloud-native PAM solution with IGA and PAM converged to provide frictionless access, enforcing zero standing privileges with Just-in-Time (JIT) provisioning for a variety of platforms and identities. Saviynt offers built-in lifecycle management with integrated governance for service accounts as well as the ability to securely check out credentials and record privileged sessions. Saviynt Cloud PAM does more than just manage privileged access, it also helps prevent breaches by detecting suspicious activities, creating alerts for fast remediation before bad actors can fully infiltrate your organization’s IT ecosystem. 

A Special Invitation

To hear more about Saviynt’s innovative Cloud PAM, join us at KuppingerCole’s Virtual Event Advanced Privileged Access Management & New Trends where Vibhuti Sinha, Chief Cloud Officer for Saviynt and Rohit Nambiar Director IAM, Information Security, Equifax will share their expertise. This exciting virtual event, taking place on August 20, 2020, is designed to address one of the greatest challenges facing businesses today – securing and managing privileged access. This is a FREE event but you can only access the content if you register. Sessions will not be available after the fact.

Schedule a Demo

Ready to see our solution in action?
Sign up for your demo today.

Saviynt named a Gartner® Peer Insights™ Customers’ Choice: IGA Learn More >