In this second installment of the blog series, I focus on some of the key design principles to consider while building a solution to secure Privileged Access in the cloud. The first installment focused on the challenges of securing Privileged Access in the cloud (read the blog here).
Principle #1 – Just-in-Time Access Elevation
Access should be elevated only for a defined duration and should never be a static assignment; this aligns with the principle of least privilege. It can further be made intelligent, elevating or dropping access based on activity or usage patterns collected not only from cloud services but also from DevOps and CI/CD processes. Read my previous blog on why Privileged Access in the cloud needs to be elastic.
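As an added illustration of this principle (example code, not from the original blog), the following ledger grants a role only for a bounded window and drops it automatically when the window expires or when the elevated identity goes idle; the role names, durations and timeouts are constructed policy values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed example: a minimal just-in-time elevation ledger.
# Elevations are never static: each carries a hard expiry and is also
# dropped when the identity stops using it (idle timeout).

@dataclass
class Elevation:
    identity: str
    role: str
    granted_at: datetime
    expires_at: datetime
    last_used: datetime
    justification: str  # e.g. ticket reference supplied at request time

@dataclass
class JitLedger:
    max_duration: timedelta = timedelta(hours=4)     # policy ceiling
    idle_timeout: timedelta = timedelta(minutes=30)  # activity-based drop
    active: Dict[Tuple[str, str], Elevation] = field(default_factory=dict)

    def elevate(self, identity, role, justification, duration, now):
        # Refuse open-ended or over-long requests; the ceiling is policy, not user choice.
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError("duration must be positive and <= max_duration")
        elev = Elevation(identity, role, now, now + duration, now, justification)
        self.active[(identity, role)] = elev
        return elev

    def record_activity(self, identity, role, now):
        # Usage keeps an elevation alive, but only until its hard expiry.
        elev = self.active.get((identity, role))
        if elev is None or now >= elev.expires_at:
            return False
        elev.last_used = now
        return True

    def sweep(self, now):
        """Drop expired or idle elevations; return what was removed and why."""
        dropped = {}
        for key, elev in list(self.active.items()):
            if now >= elev.expires_at:
                dropped[key] = "expired"
            elif now - elev.last_used >= self.idle_timeout:
                dropped[key] = "idle"
        for key in dropped:
            del self.active[key]
        return dropped

    def has_access(self, identity, role, now):
        # Every access check first sweeps, so stale grants never answer "yes".
        self.sweep(now)
        return (identity, role) in self.active
```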
Principle #2 – Governance across all Conduits
Build an Identity Management and Governance framework that cuts across all the different conduits I elaborated on in my previous blog. It is critical to ensure that no residual access for cloud identities exists. Effective integration of Joiner/Mover/Leaver processes with the cloud access assignment process invariably reduces overhead and security risk.
Principle #3 – Reduce the Noise
Collecting usage data from all the conduits is important; however, it is even more important to cut down the noise caused by the sheer volume and velocity of log data. Monitoring is essential to define and refine access policies, and will not only strengthen the access controls in an ever-changing cloud ecosystem but also reduce noise further. The other aspect is defining baseline patterns and adding intelligence to monitoring to understand “Who is doing What”.
Principle #4 – Keep an eye out for new conduits
As cloud services evolve, it becomes important to keep looking for conduits that can become the means to gain privileged access. Understanding the challenges of safeguarding each conduit is the only way to ensure it is being protected in the right way.
Privileged access management and governance in the cloud is going to be a very interesting space; watch this space as we roll out new capabilities. For any questions or comments on this blog series, feel free to reach out to me at [email protected].