Cloud PAM with IGA: AWS Lambda & The Shared Responsibility Model

Cloud migration strategies focus on increasing the speed of doing business. Transferring infrastructure to the cloud saves money and time, but it also changes the security and privacy dynamic. The Shared Responsibility Model for cloud security means that organizations cannot simply transfer all risk to their cloud service providers (CSPs). While the CSP secures the cloud itself, the customer needs to secure access within the cloud. AWS Lambda creates a unique access risk because services, not people, trigger its cloud activities. However, organizations often use Lambda to run administrative and operational processes, such as patch updates, that require privileged access to systems and networks. Lambda's automation creates new privileged access management (PAM) risks because it connects to applications and infrastructure without human governance.

What does the Shared Responsibility Model for AWS Lambda look like?

AWS provides a detailed architecture in Lambda's security model to ease the Shared Responsibility Model requirements. While AWS protects many cloud infrastructure service components, customers continue to bear the responsibility for securing data and providing identity access governance. Simply put, AWS protects the cloud's infrastructure, but in Lambda's case, users need greater control over the governance.

When Lambda executes a function, it provisions the service and the resources required to run your code. The function runs in a dedicated execution environment that is used for the lifetime of the function, and the temporary environment is then securely disposed of. However, even though AWS disposes of the environment automatically, the function's actions have already been completed without the appropriate governance and oversight. In many cases, this leads to a privileged access management failure.

[Figure: Shared Responsibility Model - Lambda]

Cloud Security Fundamentals in Lambda

Lambda builds security into the functions that run in dedicated execution environments, such as within an operating system or database, covering development, testing, and deployment within the cloud. Additionally, Lambda offers monitoring and alert notifications that can be integrated into governance solutions. Meanwhile, this poses a PAM risk because users can change the function without going through a governance process, which can lead to misuse of the original elevated privileges and, as discussed in the 2019 Data Breach Investigations Report, a data breach.
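The following Python is an added example, not code from the post or from Saviynt: it reads CloudTrail-style records and flags code or configuration changes to functions whose execution role is privileged when the change was not made from a change-ticket session. The function inventory, role names, ticket convention and sample records are all constructed for the example.

```python
# Added example, not Saviynt's code. Record layout follows CloudTrail JSON; the
# inventory, role names, ticket convention and sample records are constructed.

# Function name -> execution role ARN (constructed inventory).
FUNCTION_ROLES = {
    "patch-updater": "arn:aws:iam::111122223333:role/PrivilegedPatchRole",
    "thumbnailer": "arn:aws:iam::111122223333:role/ReadOnlyMediaRole",
}
PRIVILEGED_ROLES = {"arn:aws:iam::111122223333:role/PrivilegedPatchRole"}
# Governed changes come from an assumed-role session named after the change
# ticket ("CHG-1042-alice"); ad-hoc sessions and IAM-user keys carry no ticket.
TICKET_PREFIX = "CHG-"
CHANGE_EVENTS = ("UpdateFunctionCode", "UpdateFunctionConfiguration")


def ungoverned_changes(events, roles=FUNCTION_ROLES, privileged=PRIVILEGED_ROLES):
    """Return one finding per privileged Lambda change made without a ticket."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not ev.get("eventName", "").startswith(CHANGE_EVENTS):  # names are versioned
            continue
        params = ev.get("requestParameters") or {}
        fn = params.get("functionName", "")
        role = params.get("role") or roles.get(fn, "")  # a config change may swap the role
        if role not in privileged:
            continue
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "unknown")
        # Assumed-role ARNs end in ".../RoleName/SessionName".
        session = arn.rsplit("/", 1)[-1] if ident.get("type") == "AssumedRole" else ""
        if not session.startswith(TICKET_PREFIX):
            findings.append({"function": fn, "event": ev["eventName"],
                             "role": role, "actor": arn})
    return findings


SAMPLE_EVENTS = [  # constructed CloudTrail-style records
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/CHG-1042-alice"},
     "requestParameters": {"functionName": "patch-updater"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"functionName": "patch-updater"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"functionName": "thumbnailer",
                           "role": "arn:aws:iam::111122223333:role/PrivilegedPatchRole"}},
]
```

Running `ungoverned_changes(SAMPLE_EVENTS)` returns two findings: the ad-hoc code change to the privileged patch function and the configuration change that moves a read-only function onto the privileged role; the ticketed change is not flagged.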

Function-as-a-Service in Multi-Cloud Environments

Organizations deploy Lambda and similar services, such as Google Cloud Functions and Microsoft's Azure Functions, but still need to address management and governance of those functions to meet the Shared Responsibility Model requirements. As the use of these functions scales, management and governance become difficult to prioritize, track, and document. The same approach to management, monitoring, and governance applies to all of them.

Services that utilize this type of Shared Responsibility Model

Saviynt's Cloud PAM solution connects with the cloud and continuously monitors for new privileged activities, keeping pace with the cloud's constant updates, so that organizations gain the visibility necessary to prove governance over cloud privileged access management. Within the Saviynt platform, you can create an audit trail that tracks the entire process at a fine-grained level, including the request for access, the granting of access, and the execution of the access. The logging capabilities document what actions took place, including disposal of the temporary service.

[Figure: Services that utilize Lambda]

Cloud PAM Limits Exposure

Streamlining privilege escalation and ensuring governance over automated tasks, such as Lambda functions, significantly reduces cybersecurity risk. By using a full-lifecycle, request-on-demand privileged access solution, organizations obtain complete visibility into the way cloud-based applications access the infrastructure. That visibility includes complete monitoring of access and activity to ensure that it maintains the appropriate risk- and policy-based access, provides for urgent or break-fix events, and can detect violations of segregation-of-duties policies.

Assured Compliance-as-a-Service

With identity, compliance and governance go hand in hand. The need to create policies, monitor activity, document responses, and prove governance over your program still exists, and function-based solutions with proper governance can fulfill those requirements. Saviynt's Cloud PAM solution provides unique PAM capabilities by integrating Identity Governance and Administration (IGA) capabilities to provide full visibility and ensure governance over PAM tasks.

Saviynt's platform provides "governance-as-a-service" to enable compliance-as-a-service. Customers can set fine-grained access entitlements, down to the read/write access level, which streamlines access requests as they extend into the cloud-based hybrid world. Our compliance-as-a-service approach uses analytics to alert you to policy violations and risky access requests, easing the burden of governance and compliance.

Saviynt’s reporting capabilities within the platform connect directly with cloud log reports to enable assurance over IGA monitoring and remediation, including:

  • Tracking and management of privileged access to cloud workloads
  • Real-time monitoring and enforcement of baseline security policies on cloud infrastructure
  • Visibility of federated identities used in cloud-based instances and fine-grained objects for continuous compliance
  • Periodic certification process for critical resources in cloud-based solutions
  • Role-based lifecycle management and governance

Saviynt: Extending Governance by Providing Assured Compliance-as-a-Service

Saviynt's native approach to cloud security reduces customer effort by providing visibility into access within the cloud and enforcing governance with fine-grained access controls across applications and infrastructure.

As businesses move from on-premises to hybrid and cloud infrastructures, the shared model of security between cloud providers and customers will continue to evolve, which means that organizations need dynamic IGA solutions connected to built-in cloud security controls to alleviate risk, secure data, and manage compliance.

Joe Raschke

About author

Joe is a Principal Solution Strategist with Saviynt and has spent the majority of his career across many vertical markets including Manufacturing, Financial, Legal, and Healthcare markets. Joe has managed teams of people at companies ranging from regional firms to global enterprises to develop infrastructure, security and compliance programs. Bringing insight into the mind of a CISO, Joe has implemented regulatory programs to address today’s complex compliance requirements such as HIPAA/HITECH, SOX, and GDPR.
