In Part 2 of 3, Dive Into the Capabilities You Need to Advance Through the Five Levels of the Cloud PAM Maturity Model.
In part 1 of our blog series, we talked about the increasing threat of privileged access risks in the cloud era, the challenges of optimizing Privileged Access Management (PAM), and why the future is cloud-native. Given the dramatic expansion of threats, organizations are under pressure to minimize the blast radius from insider threats or cyberattacks. This begins with modernizing their PAM programs.
With Saviynt’s PAM Maturity Model, IT and security leaders can benchmark their current capabilities and determine where they need to be based on their security strategy and risk tolerance.
By working to programmatically implement least privilege in their infrastructure, clouds, and applications, organizations can more effectively reduce risk and move closer to Zero Trust.
A fully mature PAM program embraces the following controls:
- Privilege Containment
- Privilege Governance
- Reduced Blast Radius
- Role Elevation
- Just-in-Time (JIT) PAM
Privilege Containment and Governance: Levels 1 and 2
Traditionally, PAM programs start by vaulting privileged accounts with the highest risk, such as administrator or root accounts. Vaulting these high-risk accounts is necessary for break-glass purposes.
Many organizations have a large footprint of privileged access in their environment. Administrators are given (or inherit) expansive, persistent privileged access in the name of speed and convenience. Over time, this access remains available even if no longer necessary, such as when the employee leaves or changes roles.
To get privilege sprawl under control, organizations should identify all privileged accounts, including those that may reside on local devices. Then, they should work to define roles and access needs to rein in ubiquitous, always-on privilege. Activities like certification campaigns and their related cleanup processes should be programmatized to establish privileged access governance.
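The inventory and certification step described above, as an added worked example (not Saviynt code or any product's API): a constructed privileged-account inventory that includes a local account is joined against a constructed HR roster and role model, and each account is sorted into the cleanup decision a certification campaign would present to reviewers. Every system, account and role name here is invented for the illustration.

```python
"""Privileged-account certification: join discovery output to roster and role model.

Added example, not code from the page. All data below is constructed.
"""
from collections import defaultdict

# Constructed role model: which job role justifies which privileged
# entitlement on which system.
ROLE_MODEL = {
    "dba": {("prod-db-01", "sysadmin")},
    "platform-eng": {("k8s-prod", "cluster-admin"), ("bastion-01", "sudo")},
}

# Constructed HR roster: employment status and current job role per identity.
ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "active", "role": "platform-eng"},
    "carol": {"status": "terminated", "role": "platform-eng"},
}

# Constructed inventory, shaped like the output of a privileged-account
# discovery sweep; note the local device account with no known owner.
INVENTORY = [
    {"system": "prod-db-01", "account": "alice", "entitlement": "sysadmin", "owner": "alice"},
    {"system": "k8s-prod", "account": "bob", "entitlement": "cluster-admin", "owner": "bob"},
    {"system": "bastion-01", "account": "carol", "entitlement": "sudo", "owner": "carol"},
    {"system": "prod-db-01", "account": "bob-dba", "entitlement": "sysadmin", "owner": "bob"},
    {"system": "laptop-7731", "account": "Administrator", "entitlement": "local-admin", "owner": None},
]


def certify(inventory, roster, role_model):
    """Return {decision: [inventory records]} for a certification campaign."""
    findings = defaultdict(list)
    for rec in inventory:
        owner = rec["owner"]
        person = roster.get(owner) if owner else None
        entitlement = (rec["system"], rec["entitlement"])
        if person is None:
            findings["revoke_orphaned"].append(rec)      # no live owner at all
        elif person["status"] != "active":
            findings["revoke_leaver"].append(rec)        # owner has left
        elif entitlement not in role_model.get(person["role"], set()):
            findings["revoke_out_of_role"].append(rec)   # owner's role does not justify it
        else:
            findings["review_keep"].append(rec)          # still needs a reviewer's sign-off
    return dict(findings)


def summarize(findings):
    """Flatten findings to sorted 'account@system' strings per decision."""
    return {k: sorted(f"{r['account']}@{r['system']}" for r in v) for k, v in findings.items()}


if __name__ == "__main__":
    for decision, accounts in summarize(certify(INVENTORY, ROSTER, ROLE_MODEL)).items():
        print(decision, accounts)
```

The three revoke buckets are the "cleanup processes" the paragraph refers to; only the last bucket goes to a human reviewer, which is what keeps a campaign manageable once the obvious removals are automated.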
The challenge is that traditional PAM tools weren’t built for governance. While they can show you which user has access to what credentials, they can’t provide insight into whether they should have access. At this point, many organizations attempt to build and maintain legacy PAM and IGA solutions to get better visibility.
This is a step in the right direction, according to Chris Owen, Director of Product Management at Saviynt. “But to create a preventative risk-aware approach,” he says, “companies still need to maintain and provision access across two systems. They may quickly find that they need large amounts of professional services — and dollars — to maintain these programs.”
Saviynt’s Enterprise Identity Cloud platform unifies PAM with IGA to govern all identities in one place. Built-in automation and intelligence do the heavy lifting so that customers drastically shorten onboarding time, improve compliance, and strengthen their security postures.
Advancing to Proactive Controls
Reducing The Impact of a Security Breach: Levels 3 and 4
Organizations can reduce the blast radius of a breach by removing standing administrative privileges and defining what permissions are needed for what systems — and the duration of those permissions. From there, they should extend least privilege access for human and machine identities to applications and cloud services by provisioning users in and out of elevated roles as needed.
In a traditional PAM world, getting to this stage is ultimately about deploying agents and capturing events that happen over time on desktops, servers, and other systems. Role elevation rules will need to be created, tested, and managed by staff resources. At the end of the day, however, agents aren’t really designed for cloud or ephemeral workloads, and many organizations only roll them out to a few critical apps.
With Saviynt’s identity-based, agentless Cloud PAM solution, our customers can avoid lengthy rule-creation cycles and advance to role elevation more easily. Using our identity connectors, we actually delete roles from a user’s account and remove excessive, “always-on” access in real time.
Role management originally comes from the IGA world. This is why many traditional PAM vendors are now trying to move into identity management. As a leading IGA vendor, Saviynt has more than a decade of experience developing the industry’s only Identity Warehouse, which houses every identity, human or machine, and provides granular insights on all identities from a single repository.
Fully Mature: Eliminating All Privilege
Restricting Access To Administrative Identities With Just-In-Time (JIT) Provisioning: Level 5
In the target state of Zero Standing Privilege (ZSP), all standing privilege is removed and access is granted at the minimum level of privilege required — and only for the time needed to perform the task. This enables organizations to thwart attackers before they can move laterally across organizational IT ecosystems.
Traditional PAM solutions were purpose-built to discover and onboard everything. That capability is still widely promoted by the industry. But unless organizations are actually removing privileges as soon as accounts are onboarded, they will not achieve ZSP.
Achieving ZSP is not an easy task, and often legacy PAM tools aren’t up for the task. In today’s multi-cloud, pervasive SaaS world, organizations need an identity-based, SaaS-delivered approach.
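The role elevation model from Levels 3 and 4 (permissions defined per system together with their duration) and the Zero Standing Privilege target state above, as one added worked example that is not Saviynt code and does not model any product's API. A small broker holds no standing grants: every elevation is a request for a named role on a named target, is clamped to the maximum duration defined for that role, and is removed automatically once the clock runs out. The catalogue, hostnames, role names and ticket reference are all constructed for the illustration.

```python
"""Just-in-time, time-bound privilege elevation with automatic expiry.

Added example, not code from the page. The broker's resting state is an
empty grant table, which is the ZSP property the text describes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed catalogue: (target, role) -> longest duration a single grant may
# carry. This is the "what permissions, for what systems, for how long" rule set.
ROLE_CATALOGUE = {
    ("prod-db-01", "db_admin"): timedelta(hours=1),
    ("prod-db-01", "db_reader"): timedelta(hours=8),
    ("k8s-prod", "cluster-admin"): timedelta(minutes=30),
}


@dataclass
class Grant:
    identity: str
    target: str
    role: str
    expires_at: datetime
    ticket: str  # justification reference; constructed values in the demo


@dataclass
class JitBroker:
    # (identity, target) -> Grant. Empty at rest == zero standing privilege.
    active: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def elevate(self, identity, target, role, requested, ticket, now) -> Grant:
        """Issue a grant, never longer than the catalogue allows for that role."""
        max_ttl = ROLE_CATALOGUE.get((target, role))
        if max_ttl is None:
            raise ValueError(f"{role} is not a defined role on {target}")
        ttl = min(requested, max_ttl)
        grant = Grant(identity, target, role, now + ttl, ticket)
        self.active[(identity, target)] = grant
        self.audit.append(f"{now.isoformat()} GRANT {identity} {role}@{target} ttl={ttl} ticket={ticket}")
        return grant

    def revoke(self, identity, target, now, reason="manual") -> bool:
        """Remove a grant immediately and record why."""
        if self.active.pop((identity, target), None) is None:
            return False
        self.audit.append(f"{now.isoformat()} REVOKE {identity}@{target} reason={reason}")
        return True

    def sweep(self, now) -> int:
        """Expire every grant whose clock has run out; returns how many were removed."""
        expired = [key for key, g in self.active.items() if g.expires_at <= now]
        for identity, target in expired:
            self.revoke(identity, target, now, reason="expired")
        return len(expired)

    def is_elevated(self, identity, target, role, now) -> bool:
        """Authorization check: expire first, then consult what is left."""
        self.sweep(now)
        g = self.active.get((identity, target))
        return g is not None and g.role == role

    def standing_privilege(self) -> int:
        """Number of live grants; the ZSP goal is that this reads 0 between tasks."""
        return len(self.active)


if __name__ == "__main__":
    broker = JitBroker()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker.elevate("alice", "prod-db-01", "db_admin", timedelta(hours=4), "CHG-0001", t0)
    print(broker.is_elevated("alice", "prod-db-01", "db_admin", t0 + timedelta(minutes=30)))
    print(broker.is_elevated("alice", "prod-db-01", "db_admin", t0 + timedelta(hours=1)))
    print("standing grants:", broker.standing_privilege())
    print("\n".join(broker.audit))
```

Two design choices carry the security point: the requested duration is clamped to the catalogue rather than trusted, and the authorization check runs the expiry sweep before answering, so a grant can never outlive its window merely because no background job has run yet.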
With Saviynt Cloud PAM, reaching PAM maturity doesn’t need to be an arduous journey. Our solution is delivered via an agentless, zero-touch cloud architecture so you can quickly deploy privileged access capabilities. You can achieve zero standing privilege with just-in-time (JIT) access and intelligent risk insights powering your PAM solution. Ultimately, your teams are empowered to make smarter decisions with governance-driven risk and privileged access data.
In our next installment, we’ll cover cloud PAM maturity in action: modern use cases for today’s organizations.