Rethinking PAM Maturity in the Cloud: Understanding the Risk Landscape

Author: Maggie White

Date: 10/14/2022

In Part 1 of 3, Explore How Saviynt’s New Cloud PAM Maturity Model Can Help You Reassess and Reprioritize Privileged Access Risks.

With privilege emerging as the largest cybersecurity attack vector, organizations of all sizes and industries are under pressure to shore up their PAM programs to remove excessive privilege and to support Zero Trust adoption. The analyst firm Forrester estimates that 80% of security breaches involve privileged credentials. In fact, recent research from Palo Alto Networks’ Unit 42 team found new threat actors are deploying Cuba Ransomware using novel tools and techniques, including a new local privilege escalation tool. Ransomware attacks continue to grow at an alarming rate, with projected costs for global businesses rising to $265 billion by 2031. Organizations that don’t prepare now can potentially incur remediation costs, suffer reputation damage, and face exorbitant cyber insurance premiums — not to mention the steep price of the ransomware payment itself.

Why Do So Many Privileged Access Management Projects Fail?

Privileged Access Management (PAM) tools are critical to preventing and mitigating internal and external cyberattacks. These systems include processes, systems, or technologies that help secure, manage, and monitor elevated access for human and machine identities.

Traditional PAM tools have been around for about 20 years and are built on on-prem infrastructure that works by locking privileged credentials into a vault and rotating passwords to these accounts.

When it comes to cloud workloads, this approach falls short for a variety of reasons:

DevOps processes outpace traditional PAM tools’ ability to monitor access
Local privileged credentials are undiscovered and unmanaged by the PAM tool
Certifiers can’t get a unified view of the environment to attest to least privilege

Most organizations have some form of Privileged Access Management, but often these initiatives fall short of expectations — or were never aligned with the business needs in the first place. Google “why do so many PAM projects fail?” and you’ll find millions of possible responses to your query.

Chris Owen, Director of Product Management at Saviynt, has more than 20 years of industry experience — and has only seen about 20% of PAMs come to full fruition.

“In the traditional tool world, it’s all about deploying agents, monitoring events and creating rules based on those events,” he says. “Because this takes so long to deploy, operate, and patch, many companies end up deploying PAM on just a few critical applications, and this does little to reduce the blast radius.”

Simply put, you can’t fix today’s cloud access challenges with yesterday’s tools and approaches. Today’s complex infrastructures require a comprehensive cloud PAM approach that integrates Identity Governance Administration (IGA), PAM, and Cloud Infrastructure Entitlement Management (CIEM) solutions to simplify management and continuously improve cloud security and compliance.

Why Identity-Driven, SaaS-Delivered PAM is Different

As a leading innovator in cloud-native PAM, Saviynt works with customers every day to reduce cloud risks and improve their security posture. We’ve long recognized the global need to rethink what it means to have a “mature PAM program” in the context of a multi-cloud world.

Vaulting is not going away; it’s necessary for critical standing accounts like admin accounts on Windows or root accounts on UNIX. These accounts need management and should be there for break glass purposes only.

But once those basics are covered, organizations should move on to PAM initiatives that drive value and greater cyber maturity, including:

Privilege Governance
Reduced Blast Radius
Role Elevation
Just-in-Time PAM

As organizations continue to move applications and workloads to the cloud, those with disparate identity tools will struggle. Legacy systems are generally on-premises systems with higher costs associated with physical hardware, data center footprints and tokens. Siloed systems result in increased management costs and gaps in security. Even if the solution is cloud-based, it could still be limited in scope, requiring additional products to build a complete solution.

Oct-13_CPAM-Maturity-TN-Graphic — *Saviynt developed a cloud PAM maturity framework to help organizations rethink and advance PAM maturity.*

How Saviynt’s Converged Cloud Identity Platform Can Help

Saviynt Enterprise Identity Cloud (EIC) is the only converged cloud identity platform that helps you govern every identity with precision. Saviynt provides a combined identity management solution that places identity governance and privileged access management onto a single, converged platform. This allows organizations to govern and manage identities regardless of where they are located, or what type of identity (human or machine) they are. Our combined offering allows organizations to add the governance most PAM solutions are currently missing.

In the second blog in the series, we’ll share recommendations on how companies can use the maturity model to reduce privileged access risks in the cloud world.