The Convergence, Part 2: IGA and Cloud PAM
As part of Saviynt’s multi-part blog series leading up to Saviynt Converge, our annual conference, I wanted to take time to discuss a major shift digital transformation is creating in the PAM marketplace. The cloud presents a totally new set of challenges that traditional Privileged Access Management (PAM) solutions are not prepared to meet. In addition to these new challenges, we see the convergence between the PAM and IGA markets as another major shift in the marketplace.
What Is The History of PAM?
For as long as I can remember, the intent to integrate Privileged Access Management (PAM) solutions with an Identity Governance and Administration (IGA) solution has existed. However, for several reasons, a company's management of PAM tools has become its very own discipline within the IT security landscape.
First, privileged access was traditionally viewed as an IT problem, not a business problem. Attitudes like this often created separate access policy silos: policies for the general business user and separate ones for the privileged IT department users. These silos led to an extreme lack of visibility into the most critical access within an organization.
Second, prior to the introduction of cloud services providers (CSPs),the vast majority of PAM and IGA convergence use cases were for “on-prem” resources and access. Some organizations began to govern the access provided within the PAM solution with basic access reviews that would “Check the Box” to meet compliance mandates.
More security-mature organizations began protecting and monitoring the access being provided via the PAM tool. These more mature companies invested in integrations between their separate PAM and IGA tools. This approach enforced preventative controls and allowed companies to monitor privileged (risky) access, providing meaningful visibility into access changes and activity for the organization's most critical access. Despite being a step in the right direction, these companies still needed to maintain and provision critical access across two systems when trying to create a preventative, risk-aware monitoring approach.
NEW PAM CHALLENGES IN A TRANSFORMATIVE WORLD
Today, many organizations have digital transformation and cloud-first initiatives as their top priorities. With the proliferation of data and critical assets now residing outside the traditional perimeter, identity is the new perimeter. As part of this IT transformation, the traditional "on-prem" PAM architecture challenges are magnified ten-fold in the cloud. The transient nature of the cloud is one of the biggest challenges for PAM solutions. Critical assets have changed. Workloads can be spun up and down within days or hours. Admins connect to the cloud in multiple ways to perform privileged activities, including direct console access, RDP, and the command line (CLI and APIs). Each of these access paths is a new point of risk that organizations need to manage and monitor.
Legacy PAM tools are required to periodically scan environments for new assets, install clients/agents as needed, and update access policies and jump boxes with the new assets. Even if all these processes can be completed in a timely manner, we are right back to having a silo of access policies and lacking visibility into the most critical access, because there is no integration with the IGA solution.
ENTER PURPOSE BUILT CLOUD PAM
With all the challenges listed above, companies need to adopt a new approach to securing critical assets within the cloud. This new approach needs to be cloud-native, so it can keep up with the cloud's dynamic nature, and automated, so it can continuously discover new critical assets rather than waiting for a scheduled scan.
In addition to auto-discovery, this new cloud PAM solution must be able to handle massive amounts of data for storing logs, analyzing control enforcement, and identifying risky activity.
This new cloud PAM solution also needs to provide both containerized SSH and RDP access at a moment's notice. After all, one of the biggest draws of the cloud is its ability to provide speed and agility. Your Cloud PAM solution must be able to match the cloud's speed and agility, or else it becomes a hindrance that admins will route around.
THE CONVERGENCE OF IGA AND PAM
Based on conversations with our customers, many mature organizations attempt to solve this problem by building and maintaining their own legacy PAM and IGA integrations so they can gain meaningful visibility. To maintain this approach, they need large amounts of professional services.
On top of this increased expense, those integrations were built for static, on-prem assets and do not address the unique challenges the dynamic cloud brings when securing privileged access.
Now, how do we tie identity to privileged access so we can truly understand what a person does with their privileged access and the risk associated with the totality of a user’s access across the enterprise? The first step to this nirvana involves deeply integrating Cloud PAM and enterprise IGA, creating a convergence of the two. Better yet, make them integral to your purpose-built cloud native solution.
Combining Cloud PAM with Enterprise IGA leads to a number of benefits.
Inject Preventative Critical Access Risk Analysis into the Request Process
To appropriately analyze the risk an access request poses, be it privileged access or not, you need a solution that incorporates the context of all the user's access. With peer-based analytics, users gain visibility into whether their access request is likely to be approved. Over time, you can also leverage these analytics to update access policies by reviewing access request histories for a given subset of the user population to see typical request types and approvals. For example, if users request privileged access at the same time every month so that they can update software, and if this request is always approved, then a policy could be created to automatically grant this access to the user without the need for a request.
Create Risk-based Approval Workflows During the Access Request Process
Having the ability to route an access request differently based on the request's risk posture creates a more efficient approval process. When creating true risk-based workflows, you need to account for both the asset's risk and the profile of the person making the request, then compare that context to the user's peer group. Consider the following scenario based on two privileged users requesting access to two different types of resources. The first user requests root-level access to an EC2 instance, a request he has made previously and that is consistent with the access his peer group typically requests. The second user requests access to an S3 bucket containing personally identifiable information (PII) of the organization's customers, but this access has never been requested by user 2 and is not typical of the access requested by her peer group. User #1's request could be "auto-approved", as it is "normal" access and considered lower risk. User #2's request would be sent for at least one level of approval, if not more, due to the anomalous and high-risk nature of the request. Saviynt's dynamic risk engine calculates the holistic risk score at the time of request and routes the request accordingly.
Include Risk Analytics in the Privileged User Access Review Process
Even though many organizations choose to have a separate review process for privileged access, many great benefits still come from leveraging risk analytics within the review process. Risk analytics enable reviewers to make better, more informed decisions during the access review campaign. To expand on the example above, a reviewer might be presented with two users' recent privileged activities, one with a "low-risk signature" and one with a "high-risk signature", to help the reviewer make not only a better decision but a quicker one.
CONVERGING CLOUD PAM AND IGA AS-A-SERVICE
Saviynt’s Cloud PAM solution is built on Saviynt’s cloud-native, Gartner-recognized Identity Governance and Administration platform, providing customers all of the governance and automation capabilities they require for the modern enterprise.
Built for Elasticity and Resiliency
Providing a robust and scalable platform on Saviynt’s global and resilient cloud platform enables both rapid deployments and regular upgrades. These capabilities lead to significant infrastructure and operational cost savings.
Native Enterprise IGA Integration
Combining traditional birthright access with privileged access allows organizations to quickly provide the "right level" of access to all users via a centralized access policy. In addition to providing the "right level" of access for new users, IGA integration also gives organizations the assurance that all access, privileged access included, has been removed when a user changes roles or leaves the organization. If any access remains, Saviynt provides the appropriate level of notification and visibility.
No More Silos
In my opinion, the biggest advantage of the convergence between Cloud PAM and IGA is that privileged access is no longer treated as only an IT problem, because for the modern enterprise IT security is a business problem. A lack of meaningful governance controls around critical access is most definitely a business problem and should be treated as such, with centralized controls, policies, and reviews.
To learn more about Saviynt’s revolutionary Cloud PAM with IGA, contact us today.