Saviynt Blog | Security News and Research

Making Multi-Cloud Security easy

Written by MJ Kaufmann | Apr 24, 2020 2:16:00 AM

All cloud providers are not created equal. For example, Azure, Amazon Web Services, Google Cloud, and Alibaba Cloud all have different areas of strength. It would not be unusual for a business to incorporate multiple cloud providers into its cloud ecosystem to leverage the unique advantages of individual providers while limiting the risk of investing too heavily in a single provider. The real challenge lies in securing and governing multi-cloud environments. Why? Each provider offers its own management console and monitoring capabilities, which complicates compliance and leaves the organization without enterprise-wide visibility. Does this sound familiar? If so, let’s explore the keys to meeting these challenges.

Simplify governance

Crucial to maintaining security across multiple environments is ensuring that governance rules are applied consistently throughout the enterprise. This becomes complex in multi-cloud environments because individual cloud providers offer disparate methodologies for implementing IAM and managing policy requirements. Additionally, each cloud provider has different levels of policies, creating issues with overall visibility that are amplified with each additional cloud service provider. This increases the risk of missing key pieces or critical parts of policies, making consistent implementation harder to ensure across multiple environments with complex policies and a growing number of workloads.

Saviynt’s robust interface allows organizations to define and configure customized control sets mapped specifically to internal policy requirements. These controls are defined using a drag-and-drop interface, eliminating the need for programming experience and expediting the timeline from design to implementation. Each new access request is evaluated against the latest policy configuration, providing better context and deeper visibility into rights and permissions to improve access decisions.

Remove toxic combinations

In business processes, governance and compliance are not only essential to securing a multi-cloud environment, they are also equally challenging. Meeting the rigorous compliance requirements of SOX, PCI, HIPAA, and the various other regulatory demands requires the same level of consistency as discussed above. Regulatory controls implemented and enforced must be uniform throughout the entire organizational IT ecosystem.

With resources spread across multiple cloud environments, the risk of toxic permission situations occurring through over-granting of permissions or allowing cross-functional access increases. Operational access controls are a vital component of SOC 2 Type II audits. They exist to ensure that cross-departmental controls are implemented. They limit the flow of high-risk data between departments, or the scope and power of a single individual, ensuring critical tasks are divided out to lower the threat from a single bad actor or account compromise. For example, a marketing developer gaining access to a finance workload, or an individual granted rights to both dev and prod environments, demonstrates a failure in operational access controls. The combination of disparate management consoles and a lack of interconnectivity between platforms heightens the complexity of catching and remediating these types of incidents.

Saviynt provides an in-depth view of the multi-cloud ecosystem, merging the information from all providers into a single-pane-of-glass interface. Identities and permissions are analyzed across the multi-cloud ecosystem and mapped back against 250 of Saviynt’s industry-standard compliance controls and risk signatures, customized to meet your organizational needs. Once set, these rules are applied throughout the organizational IT environment, providing intelligent analytics on access requests as they are made. This ensures that compliance is continuously integrated across the cloud ecosystem and consistently applied throughout the data lifecycle.

Seek frictionless access

Administering a multi-cloud environment through multiple divergent platforms is burdensome at best. The difficulty of tracking, logging, and identity management increases as organizations grow and employ more individuals requiring more access across multiple environments. Over time, it becomes an audit nightmare.

Saviynt utilizes intelligent analytics to assess the risk of access requests and provide appropriate access. Users can request and obtain near-real-time access as their risk is assessed across a wide swath of peer and usage-based data; in low-risk situations, access is granted automatically. Saviynt’s predictive analytics help prevent users from accumulating excessive access and inform the requestor if the access incurs potential risk.

For requests that carry significant risk and cannot be automatically granted, Saviynt approvers are privy to all of this data via a single-pane-of-glass interface. Approvers have full visibility of the risk and can consult with other relevant parties in the organization, simplifying the effort and sparing approvers time-intensive, in-depth manual reviews. Streamlining this process allows approvers to make data-driven decisions to grant or deny access, which results in frictionless access for the requestor.

Privileged Access Management

Multi-cloud security isn’t limited to the cloud service providers; it also extends to the development tools that automate the CI/CD pipeline. Industry-standard tools such as Chef, Puppet, and Ansible automate and expedite the creation and deployment of instances. Their primary focus is to speed things up. They rely on coarse-grained privileged access to the scripts that manage deployments but lack fine-grained entitlements. This can result in untrackable unauthorized alterations: even though an individual has the ability to edit the scripts, if the changes themselves are not authorized then a violation occurs.

Saviynt bridges the gaps in these automation tools in several ways. It provides visibility into the utilization of high-privilege entities such as cookbooks, recipes, and scripts, allowing access and usage tracking. It also offers fine-grained Privileged Access Management (PAM), providing more precise access control over management consoles, CLIs, APIs, end workloads, and serverless to limit sensitive access to critical workloads and applications. By utilizing full lifecycle management through role governance, role architecture, mining, and provisioning, it ensures full visibility into an identity’s access, which allows appropriate crafting of controls and limitations.

Streamline operations

When working across multiple clouds, there is also the difficulty of efficiently managing the access request process for assets. In an optimal world, a user could be trusted to request data and to limit the scope of the request to only the information that is needed; this would be compliant with the practice of least privilege. Unfortunately, when working with multiple environments, the access request process is especially cumbersome. IT tracks down the owners of an asset and ascertains whether the requestor truly requires the full scope of access requested. IT then researches whether the request could create a net toxic combination of access that defies segregation of duties. Because this process takes time, it is common for users to make requests of a far larger scope and scale than they currently require, “just in case” they need additional access in the future, and to prevent the request from being bogged down by the process.

These toxic combinations also appear in automation tools utilized to streamline operations, such as Chef, Puppet, and Ansible. Different workloads exist across the ecosystem, but the visibility built into these workloads through such tools is limited. They allow configuration changes to scripts by privileged accounts but lack verification to ensure that the privileges are acceptable and do not cross lines that would violate controls.
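As an added example (not Saviynt’s code and not a description of its product) of the toxic-combination check discussed in the “Remove toxic combinations” section and in the access request process above: entitlements reported by several providers are normalized to a shared tag vocabulary, and a request is evaluated for the dev/prod and marketing/finance combinations the text names before it is granted. All entitlement names, tags, and the identity are constructed sample data.

```python
# Constructed sample inventory: entitlements as each provider reports them,
# normalized to a shared tag vocabulary (environment, business function).
ENTITLEMENT_TAGS = {
    ("aws", "arn:aws:iam::111111111111:role/DevDeploy"): {"env:dev"},
    ("aws", "arn:aws:iam::111111111111:role/ProdDeploy"): {"env:prod"},
    ("azure", "Contributor@/subscriptions/fin-sub/resourceGroups/ledger"): {"func:finance"},
    ("gcp", "roles/cloudfunctions.developer@mkt-web"): {"func:marketing", "env:dev"},
}

# Toxic combinations named in the text: holding a tag from each side violates the rule.
TOXIC_RULES = [
    ("dev+prod", {"env:dev"}, {"env:prod"}),
    ("marketing+finance", {"func:marketing"}, {"func:finance"}),
]

def tags_for(entitlements):
    """Union of the normalized tags over a set of (provider, entitlement) pairs."""
    tags = set()
    for ent in entitlements:
        tags |= ENTITLEMENT_TAGS.get(ent, set())
    return tags

def violations(entitlements):
    """Names of the toxic rules an entitlement set triggers, in rule order."""
    tags = tags_for(entitlements)
    return [name for name, left, right in TOXIC_RULES if tags & left and tags & right]

def evaluate_request(current, requested):
    """Decide an access request against an identity's cross-cloud entitlements.

    Returns (decision, new_violations, pre_existing_violations). An entitlement
    the inventory has not classified cannot be checked, so it goes to review.
    """
    if requested not in ENTITLEMENT_TAGS:
        return "review", [], sorted(violations(current))
    before = set(violations(current))
    after = set(violations(current | {requested}))
    decision = "grant" if not after else "escalate"
    return decision, sorted(after - before), sorted(before)

# Constructed identity: a marketing developer holding dev-only rights on two clouds.
MKT_DEV = {
    ("aws", "arn:aws:iam::111111111111:role/DevDeploy"),
    ("gcp", "roles/cloudfunctions.developer@mkt-web"),
}

if __name__ == "__main__":
    ledger = ("azure", "Contributor@/subscriptions/fin-sub/resourceGroups/ledger")
    print(evaluate_request(MKT_DEV, ledger))  # ('escalate', ['marketing+finance'], [])
```

Pre-existing violations are reported separately from new ones so that a request which adds no new combination still surfaces the identity's current state to the approver.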

Saviynt understands just how cumbersome this process is and has worked hard to streamline it. By maintaining visibility across the cloud, Saviynt can generate intelligent insights into all of the access and risk that an identity possesses, no matter where that access may lie. It then uses risk-based analytics when an access request is made to automatically approve or escalate a request for more access, based upon the organization’s determined risk tolerance. By streamlining these steps, many requests can be auto-resolved without requiring additional escalation time. To help expedite the process, approvers are then given full visibility into these risk calculations and analytics, and are granted internal channels of communication to quickly make informed decisions about granting access, rather than wasting time researching the potential risk of such an action.

Saviynt also integrates directly with automation tools, providing deep insight into their operations and shoring up the security component while allowing the tools to focus on organizational streamlining. This integration allows deep visibility across the ecosystem and better evaluation of each identity’s access. By leveraging this deep insight, Saviynt identifies risky access situations that the automation tools are not designed to catch or handle.

Business agility in the cloud

As a cloud-native solution, Saviynt is able to see across the cloud ecosystem as well as on-prem. An intuitive drag-and-drop interface allows businesses to quickly configure policies and controls to meet compliance and business needs no matter where the data resides. With this deep insight, data owners are able to make sound risk-based decisions, driven by Saviynt’s intelligent analytics, to rapidly grant or deny access requests, allowing for continuous end-to-end compliance without slowing down the speed of business.

Join Saviynt Senior Solutions Engineer Ulrich Schultz and Avanade National Digital Identity Leader Mike Amadei for an in-depth discussion of how to meet the challenges of governing multi-cloud strategies, the benefits of frictionless access, built-in continuous compliance, and streamlining your operations using a single solution.