The 2019 Data Breach Investigations Report highlighted the new challenges facing organizations as they migrate to the cloud. Stolen credentials still top the chart for ways malicious actors gain unauthorized access to information and act like authorized users. Threat actors increasingly include system administrators. Privilege abuse and data mishandling are the primary misuse categories. In short, cloud Privileged Access Management (PAM) is more than a cloud security requirement, it is a cybersecurity imperative.
How Do Organizations Manage Cloud Privileged Access Management? Not Well.
Although researchers recognize the issues associated with privileged access in the cloud as a primary security issue, they offer few suggestions for better securing these accounts.
Businesses Increase Cloud Migration Strategies
According to the SANS 2019 Cloud Security Survey, more organizations are moving data and applications to the cloud:
- 76%: respondents who have business applications and data in the cloud
- 47%: respondents using server virtualization
Cyber Attackers Migrate to the Cloud
As organizations evolve their business operations, cyber attackers evolve their threat methodologies:
- 49%: cyber attacks arising from account or credential hijacking
- 42%: cyber attacks arising from misconfiguration of cloud services and/or resources
- 39%: cyber attacks arising from privileged user abuse
- 31%: cyber attacks arising from unauthorized (rogue) application component or compute instances
Cloud security focuses on proactively responding to new threat vectors. Shifting from on-premises IT architectures to cloud and hybrid ones change not only how cyber attackers can gain entry from weak external controls but also how they gain entry from the inside.
Why Privilege Access Risk Matters to Cloud Security
While on-premises infrastructures created limited access points for all users, cloud and hybrid infrastructures create an explosion of access points. Each access point requires credentials – user ID and authentication – that can be compromised as human and non-human identities access the cloud.
Traditional user accounts access the cloud through set controls:
Privileged users, however, go around the traditional IAM controls as they access cloud environments:
A malicious actor who obtains the privileged user’s credentials can infiltrate the cloud ecosystem, undetected – disguised as an authentic user.
Why Cloud PAM Risk Management Is the New Enterprise Risk Management
As part of the Shared Responsibility Model, cloud services providers protect the cloud from external threats and access to the cloud from their users. However, organizations must create risk control strategies that govern access within their cloud ecosystems. Unfortunately, as organizations build out their Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) infrastructures by adding more Software-as-a-Service (SaaS) applications, they lose visibility within the interconnected ecosystem.
Application-to-Operating System Risk
In IaaS, the organization “rents” cloud infrastructure and then moves its own architecture, data, operating systems, and applications to that location. Service accounts, such as for corporate applications now running in the cloud or for access to the IaaS console, need administrative privileges. Legacy PAM products provide administrative privileges without examining risk and lack the appropriate continuous monitoring capabilities to identify anomalous behavior.
Just-In-Time Privileged Access
The cloud never stops. Users never stop accessing the cloud. Therefore, administrators often need to create “just-in-time” access for users. Legacy PAM products lack the context-based, risk-aware automation to streamline this process which means that administrators creating the “just-in-time” access must manually approve the access. Unfortunately, this process increases risk if the administrator does not deprovision, or remove access, in a timely manner.
Hybrid Cloud Visibility
As the enterprise scales, it increases the number and types of cloud enablements. To create a cohesive IGA program for privileged users, organizations with a hybrid ecosystem use the dashboards provided by each tool, leaving them with multiple locations for monitoring and administering risk controls. These divergent dashboards and rule-sets create a human error risk. Unfortunately, legacy solutions often lack the interconnectedness needed to maintain segregation of duties policies and ensure “least privilege access” necessary across the ecosystem.
Data security in cloud computing requires organizations to incorporate governance of DevOps as part of the risk mitigation strategy. Serverless functions, or code which runs in the cloud, are primarily utilized for maintenance for cloud servers, workloads, or containers. However, these pose an additional risk as the automation often retains the privileges, or ability to interact with the cloud environment, after completing the task. If someone alters code without the organization governing the elevated privileges granted to these processes, the organization increases its privileged access risk.
Saviynt’s Cloud PAM: Revolutionizing Cloud Security
Although organizations can adopt cloud security services that incorporate PAM, these legacy providers fail at cloud PAM for a variety of reasons. The digital transformation risks associated with managing privileged access risk in the cloud all lead to one primary problem: Identity Governance and Administration (IGA). Although legacy PAM services can provide insight into who accesses what resource, they fail to provide insight into how the accounts access the resources.
Cloud Privileged Access Management – Cloud PAM
Saviynt’s platform, built in the cloud, works at the speed and velocity of the cloud. Unlike legacy products, Saviynt’s Cloud PAM continuously monitors for new workloads, applications, and privileged activities in the cloud. While legacy solutions may take hours or days to detect these new risks, Saviynt’s Cloud PAM does it in real-time, providing customers with a cloud-based solution to promote true cloud security.
Cloud Privileged Access Management (PAM) + Identity Governance & Administration (IGA)
Saviynt’s Cloud PAM solution brings together IGA and Cloud PAM in a single location. With a single source of information on a user-friendly dashboard, organizations can create a single identity for their privileged users so that they can continuously monitor privileged user activity the same way they monitor standard users.
With granular entitlements that incorporate metadata to link job role to endpoint and workload, organizations can extend governance to privileged and service accounts enabling user/group based ownership, periodic ownership certification/review, event-based/transfer ownership review, password management policy enforcement, and privilege/service account provisioning.
Cloud Privileged Access Management (PAM) + Identity Governance & Administration (IGA) + Advanced Analytics
With Saviynt’s advanced analytics, organizations can review the number of high privileged users and accounts throughout their ecosystem. Our advanced analytics allow for workload discovery across accounts, regions, and tags allowing the organization to block privileged workloads and tasks from engaging in risky actions.
With peer and usage analytics, Saviynt’s Cloud PAM + IGA + Analytics provide alerts that require meaningful actions to prove governance over the cloud ecosystem.
Why Saviynt? Assured PAM Compliance-as-a-Service
Saviynt’s integration of Cloud PAM with IGA and advanced analytics changes how organizations secure their cloud and comply with the Shared Responsibility Model. Our real-time monitoring and enforcement of security policies, including segregation of duties, enable organizations to continuously monitor, remediate, and document their compliance activities.
Our role-based lifecycle management extends beyond traditional RBAC/ABAC to provide just-in-time provisioning of fine-grained entitlements that protect the enterprise from privilege abuse, ultimately protecting from cyber attacks.
Proactive cloud security requires organizations to think about tomorrow, not just today. Saviynt’s Cloud PAM solution enables a dynamic evolution that allows companies to create holistic cloud migration strategies built for the future, not the past.
For more information or to schedule a demo, contact us today.
For more information about Cloud PAM for Cloud Security, read our whitepaper, “Cloud PAM for Robust Cloud Security.”