Securing and Governing Privileged Access at Scale

In today’s world of digital transformation, it is critical to secure both cloud and on-premise systems against breaches caused by credential misuse. Safeguarding your assets with a better access management system is needed to protect against high stakes breaches, provide necessary use of privilege in the cloud, and minimize risk from over-privileged IT administrators. In this webinar, let’s discuss how to automate and manage privileged access to multi-cloud infrastructures (such as AWS, or GCP) or SaaS apps (like Workday or Salesforce). And how to enable continuous monitoring across your enterprise for identity risk and all access. 

A little history of two silos

For as long as I can remember, companies have always wanted to integrate Privileged Access Management (PAM) with Identity Governance Solution (IGA). But privileged access was viewed as an IT Security problem, not a business problem. IT departments treated PAM as a solution for business users separate from privileged IT users. Ultimately, this approach led to an extreme lack of visibility into the organizations’ most critical access.  Sound familiar? 

Then came the cloud service providers (CSPs) who drove a majority of PAM and IGA convergence use cases causing PAM use cases to be more complex with hybrid multi-cloud management challenges. In an effort to manage these complexities came the use of a ‘tenant administrator’ to identify all privileged functions. Organizations decided to keep using PAM to govern their enterprise access and employed a basic-user access review process. While this seemed like an efficient method, this strategy often led to a rote “check the box” approach to meet compliance mandates. 

Meanwhile, more security-mature organizations began investing in integrating their separate legacy PAM and IGA tools. Despite being a step in the right direction, these companies still needed to manually provision users and maintain critical access across two systems: their business users and privileged IT users.  This attempt was yet another manual unification of two siloed functions that frustrated the internal audit teams who wanted PAM reports that included identity data tied to business risk and the audit trail in one place without having to go to different systems. 

The other concern is the cloud brings massive amounts of data, and critical assets now sit outside the traditional perimeter. Traditional on-premise PAM architecture challenges increase ten-fold. Your critical assets have changed; and workloads can be spun up and down within days or hours. Admins can connect to the cloud executing privileged activities via direct console access, RDP, and command line. At each new access point, a new risk needs to be managed and monitored.

Enter Cloud PAM 

Are you getting the visibility you need into your most critical access?  Do regular intervals from traditional PAM provide enough monitoring to identify atypical identities and activities? Do the silos between the business user and IT still exist in your environment? 

In my experience, companies need to adopt a new approach to secure critical assets within the cloud. Key strategic moves that organizations are making include providing approved, time-bound, least privilege access to critical assets that can be monitored and audited. With the real-time discovery of assets continually spun up in the cloud, the Saviynt platform utilizes cloud-native technologies to manage the velocity and scale of these changes. This has helped businesses to reduce the blast radius and reduce the timeframe required to exfiltrate data from determined adversaries. 

For example, AWS or Azure can spin up an instance where workloads are constantly changing. Saviynt’s Cloud PAM integrates into their instance(s) in their private cloud and can identify anomalies, protect, and allow organizations to take action. 

Saviynt’s Cloud PAM handles massive amounts of data to store logs, analyze control enforcement, and identify risky activity. This includes the infrastructure configuration, activity, and access of privileged users across multi cloud infrastructure providers like AWS, Azure and GCP. Cloud PAM provides both containerized SSH and RDP access at a moment’s notice. After all, one of the biggest draws of the cloud is its ability to provide speed and agility. It is a widely held opinion that a Cloud PAM solution must be able to meet the cloud’s velocity and speed, or else it becomes a hindrance. 

What about legacy PAM and IGA?

Based on conversations with our customers, many mature organizations attempt to solve their problem by building and maintaining their legacy PAM and IGA integrations so they can gain meaningful visibility. To maintain this approach requires the need of a significant amount of professional services. In addition to the increased expense, we often discuss the brave new world of the dynamic cloud and the unique challenges that it brings when securing privileged access. 

Combine Cloud PAM and IGA or not

How do we tie identity to privileged access so we can truly understand what a person and or group does with their privileged access and the risk associated with the totality of a user’s access across the enterprise? Let’s take the first step. Deeply integrate Cloud PAM and enterprise IGA to create a convergence of the two. Better yet, why not make them integral to your purpose-built cloud-native solution? 

IGA functionality automates user provisioning, provides intelligent activity, peer group analysis, recommended access request, who has access to what and why across your SaaS applications, and infrastructure. IGA also delivers continuous monitoring across your enterprise for all risk and all access. An access request is the first step towards privileged access management. Within traditional legacy PAM solutions group provide access, and an IGA solution is required to manage and maintain these groups and group memberships. Saviynt has built-in group management functionality for organizations that want to continue to manage their legacy privilege access. But, the true story of IGA and PAM convergence is that Saviynt provides privileged access directly in the endpoint system. 

Cloud PAM manages privileged access to multiple cloud infrastructures like AWS, GCP, Azure or SaaS apps like Workday or Salesforce. It manages and provides visibility into a multi-cloud environment, quickly identifying risk of any misconfiguration that can leave them open to public threat.

Incorporate preventive critical access risk analysis 

To appropriately analyze the risk of an access request, privileged or not,  you need a solution that incorporates the context of all the user’s access. With peer-based analytics, users gain visibility into whether their access request is likely to be approved. Over time, you can also leverage these analytics to update access policies by reviewing access request histories from a given subset of the user population to see typical request types and approvals. 

For example, every month at the same time, users request privileged access to update software, and this request is always approved. With peer-based analytics you can create a policy to allow the user access without creating a request.   

Create risk-based approval workflows 

Having the ability to route an access request differently based on the request’s risk posture can create a more efficient approval process. When creating true risk-based workflows, you need to account for the assets’ risk and the profile of the requestor. Then, compare the entire context to the user’s peer group. 

Consider the following scenario based on two privileged users requesting access to two different types of resources. The first user requests root level access to an EC2 instance. This is a request he made before and is consistent with requests from his peer group. The second user requests access to an S3 bucket containing personally identifiable information (PII) of the organization’s customers. This user has never requested this access and is not a typical request by her peer group. 

The first user’s request is auto-approved because the access is considered normal and low risk. The atypical high-risk nature of the 2nd user’s request routs the request for multiple approvals. Saviynt’s dynamic risk engine calculates the holistic risk score at the time of the request and can respond accordingly.  

Include risk analytics 

Even though many organizations choose to have a separate review process for privileged access, many great benefits still come from leveraging risk analytics within the review process. Reviewers make better and more informed decisions much quicker during the Access Review campaign.  For example, a reviewer is presented with two users recent privileged activities: a low risk signature, and a high-risk signature. Depending on the access request, the choice to approve or deny is a quick one. 

CONVERGE CLOUD PAM AND IGA AS-A-SERVICE

Saviynt’s Cloud PAM solution is built on Saviynt’s cloud-native, Gartner-recognized Identity Governance and Administration platform, providing customers all the governance and automation capabilities they require for the modern hybrid enterprise.

Multi-cloud ecosystem 

Providing a robust and scalable solution on Saviynt’s global and resilient cloud platform enables customers to meet the high velocity and transient nature of the multi-cloud ecosystem. This includes securing privileged access to applications running in the cloud, while keeping up with cloud infrastructure dynamics. 

Native enterprise IGA integration

Combining traditional birthright access with privileged access allows organizations to quickly provide the “right level” of access within their hybrid enterprise using a centralized access policy. Providing the “right level” of access for new users removes all former access when a user changes role or leaves the organization. Saviynt provides the appropriate level of notifications and visibility, if any access remains.

Best of all no more silos 

A business problem exists if the organization lacks meaningful governance controls for critical access.  Modernized enterprise IT security manages privileged access as a business problem with centralized controls, policies, and reviews. In my opinion, the biggest advantage is that privileged access is no longer just an IT security problem. 

To learn more about Saviynt’s revolutionary Cloud PAM with IGA, contact us today

0
Adam Barngrover

About author

Adam Barngrover is Principal Solution Strategist at Saviynt, with responsibility over Cloud Access Governance and Intelligence solutions. A graduate of the University of Oklahoma, with more than 14 years of experience in the Identity & Access Management space, Adam has helped organizations develop their Identity and Security strategy that revolved around Governance and Compliance frameworks. Prior to joining Saviynt, he was an IAM/IGA consultant working with Fortune 500 companies on the development and implementation of their IAM/IGA strategies

Leave a Reply

Your email address will not be published. Required fields are marked *