Re-Thinking Privileged Access in the Cloud Era
Traditional privileged access management solutions emerged in a pre-cloud era. While useful for legacy infrastructure, they fail to fully secure today’s cloud ecosystems – and the human and machine identities deployed across modern enterprises.
The need for reimagined PAM intensifies as more enterprises undergo digital transformation. To this end, the Saviynt team asked a bold question:
Why not build an easy-to-use cloud solution that offers identity-led, risk-aware, and scalable control over privileged and sensitive access to workloads and applications in a multi-cloud ecosystem?
Then, we got to work.
Creating the Cloud-Native PAM Category
KuppingerCole has recognized Saviynt as an Innovation Leader in their latest PAM Leadership Compass report. In particular, analysts commended our PAM-as-a-Service platform advancements. Given emerging issues like remote work enablement and structural changes to IT architecture, we view innovation as essential.
“Today’s IT environments require a vigilant approach to protect privileged accounts and reduce cybercriminal entry points into an unsuspecting organization,” said Paul Fisher, Senior Analyst at KuppingerCole. “Saviynt’s innovative cloud PAM solution takes PAMaaS to a whole new level and is ready for the Infrastructure as Code (IaC) future. It addresses modern cybersecurity challenges by protecting critical assets across cloud infrastructure and applications, accelerating digital transformation and cloud initiatives.”
Deficiencies in legacy PAM are well discussed, with issues like limited oversight, high deployment and operational costs, and static account architecture built around usernames and passwords — all of which slow modernization. Our PAM solution was founded on a key principle: It’s difficult for PAM to be truly ‘cloud-friendly’ if it doesn’t embody the principles of the platform it’s designed to protect.
Cloud PAM: The Way Privileged Access is Meant to be Managed
Concerningly, cloud-first PAM is underestimated as essential to both digital transformation and improved cybersecurity. According to an IDC survey of CISOs, “80% of leaders cannot identify excessive access to sensitive data in cloud production environments.” Further, “privilege abuse” was the most common action identified in over 20,000 incidents reviewed for Verizon’s 2021 Data Breach Investigations Report.
While on-prem infrastructures feature limited access points, cloud and hybrid infrastructures — plus business apps — introduce numerous access points. Each requires credentials (user ID and authentication, for instance) that may be misused as human and non-human identities access the cloud.
And while protecting the cloud from external threats remains a cloud service provider responsibility, organizations themselves must deploy controls to govern access within their own cloud ecosystems. Yet, as IaaS, PaaS, and SaaS applications grow, visibility within the interconnected ecosystem dims.
To manage growing cloud app and service suites, enterprises must rethink security. Enter: Cloud PAM. Delivering PAM as a service closes the gap in continuous discovery and risk visibility that is a key weakness of legacy solutions.
Saviynt’s cloud-based platform was recognized for best-in-class innovation, market achievement, and overall leadership in PAM. To see why, read the KuppingerCole 2021 PAM Leadership Compass report.
Modern Businesses Demand More Dynamic Security
Today, enterprises must be able to discover real-time activity among elastic workloads, accounts, and access. For example: Remote workers routinely use multiple devices to connect to various data and systems. To reduce access misuse, these devices, accounts, and sessions must be in the real-time purview of security leaders.
Equally as important, they must identify risky or misconfigured objects and automatically trigger remediation steps including reversal, exception approval, or quarantine. This is akin to ‘closing the door’ on excessive permissioning — a critical remedy to the outdated approach of giving privileged accounts excessive access in the name of simplification. Similarly, it addresses the issue of orphaned accounts: those forgotten accounts that sit on the network, primed for misuse.
Mismanaging contractor, vendor, and other external user access is an added concern. These audiences often need access to privileged data, although they’re seldom managed through standard HR processes. Our cloud PAM solution integrates these identities alongside employees and manages the lifecycle so access doesn’t linger unnecessarily.
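The detection-and-remediation loop described above, as an added illustration that is not Saviynt's code or product logic: a scan over a constructed account inventory that flags orphaned accounts (no responsible owner, or dormant past a policy window), external identities whose contracted access window has lapsed, and accounts holding more privileged roles than policy allows, and proposes a remediation action (quarantine, revoke, or route to exception approval) for each. The field names, role names, and thresholds are assumptions.

```python
"""
Added example (not Saviynt's code): a small risk scan over a constructed
account inventory that flags orphaned accounts, over-privileged accounts,
and external users whose access window has expired, and proposes a
remediation action for each. Field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample data: "today" is fixed so the example is deterministic.
TODAY = date(2021, 9, 1)
INACTIVITY_DAYS = 90          # assumed policy: no login in 90 days -> orphaned
MAX_PRIVILEGED_ROLES = 2      # assumed policy: more than this needs exception approval
PRIVILEGED_ROLES = {"owner", "admin", "iam_admin"}

@dataclass
class Account:
    name: str
    owner: Optional[str]                # HR-linked identity responsible for this account
    roles: set
    last_login: Optional[date]
    kind: str = "employee"              # employee | contractor | vendor | service
    access_expires: Optional[date] = None  # contractors/vendors get a fixed end date

@dataclass
class Finding:
    account: str
    issue: str
    action: str                         # quarantine | revoke | revoke_excess | request_exception

def scan(accounts: List[Account], today: date = TODAY) -> List[Finding]:
    findings = []
    for a in accounts:
        inactive = a.last_login is None or (today - a.last_login).days > INACTIVITY_DAYS
        # Orphaned: nobody owns it, or it has been dormant past the inactivity window.
        if a.owner is None or inactive:
            findings.append(Finding(a.name, "orphaned", "quarantine"))
            continue  # quarantine supersedes the remaining checks
        # External identity whose contracted access window has ended.
        if a.kind in ("contractor", "vendor") and a.access_expires and a.access_expires < today:
            findings.append(Finding(a.name, "expired_external_access", "revoke"))
            continue
        # Excessive privilege: more privileged roles than policy allows.
        priv = a.roles & PRIVILEGED_ROLES
        if len(priv) > MAX_PRIVILEGED_ROLES:
            findings.append(Finding(a.name, "excessive_privilege", "request_exception"))
        elif "owner" in priv and a.kind == "service":
            # A service identity should not hold the subscription-wide owner role.
            findings.append(Finding(a.name, "service_account_owner_role", "revoke_excess"))
    return findings

# Constructed inventory covering one healthy account and each finding type.
SAMPLE = [
    Account("alice", "alice", {"admin"}, TODAY - timedelta(days=3)),
    Account("bob-old", "bob", {"admin"}, TODAY - timedelta(days=200)),
    Account("svc-build", None, {"owner"}, TODAY - timedelta(days=1), kind="service"),
    Account("svc-deploy", "platform-team", {"owner", "reader"}, TODAY - timedelta(days=1), kind="service"),
    Account("vendor-x", "procurement", {"admin"}, TODAY - timedelta(days=5),
            kind="vendor", access_expires=TODAY - timedelta(days=10)),
    Account("carol", "carol", {"owner", "admin", "iam_admin"}, TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.account:12} {f.issue:28} -> {f.action}")
```

The scan is deliberately ordered: an orphaned or expired account is quarantined or revoked outright before any privilege analysis, because an account with no accountable owner has nobody who can legitimately request an exception for it.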
To Efficiency and Beyond
To ensure appropriate privilege, PAM must reinforce just-in-time (JIT) principles for cloud access — a core requirement for Zero Trust frameworks. But this is incompatible with most legacy solutions built on the premise of vaults and credential rotation for privileged, but always-on, access.
Further, the manual work behind this is a non-starter for overburdened IT teams. Consider the range of IoT devices, workloads, and other silicon identities in use. Each requires key management and dynamic provisioning of rights to allow for task completion and de-escalation to a safe state. Under this workload, Cloud PAM with automated risk analysis and governance capabilities becomes table stakes.
As we architected our Cloud PAM solution, we recognized the need to remove all standing privileges; for instance, confronting the vaulting of all discoverable, privileged credentials. This dated approach to PAM never reduced the number of privileged accounts, nor limited the risk of standing privilege therein. Vaults didn’t solve the problem; they centralized it.
With Cloud PAM, Saviynt allows organizations to remove these accounts and incorporate least-privilege principles. Using a just-in-time approach to privileged access, end users receive the right level of privilege for their immediate task — across all assets, applications, and platforms.
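The just-in-time, zero-standing-privilege model described in the preceding paragraphs, as an added illustration that is not Saviynt's code or product logic: a minimal elevation broker in which a principal holds no privileged role at rest, receives a role only for a bounded window tied to a justification (and, for the highest-risk role, a second person's approval), and is automatically de-escalated when the window lapses, with every grant and expiry written to an audit trail. The role names, policy ceilings, and approval rule are assumptions.

```python
"""
Added example (not Saviynt's code): a minimal just-in-time elevation broker
illustrating zero standing privilege. Role names, windows and the approval
rule are assumed policy, not anything the page specifies.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumed policy: the longest any single grant of each privileged role may last.
MAX_WINDOW = {
    "db_reader": timedelta(hours=8),
    "db_admin": timedelta(hours=1),
    "subscription_owner": timedelta(minutes=30),
}
# Assumed policy: roles that need a second person's approval before activation.
REQUIRES_APPROVAL = {"subscription_owner"}

# Fixed clock values so the example and its checks are deterministic.
T0 = datetime(2021, 9, 1, 9, 0)
HOUR = timedelta(hours=1)
MINUTE = timedelta(minutes=1)

@dataclass
class Grant:
    principal: str
    role: str
    starts: datetime
    ends: datetime
    justification: str

@dataclass
class Broker:
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, principal: str, role: str, window: timedelta,
                justification: str, now: datetime, approver: Optional[str] = None) -> Grant:
        """Grant `role` to `principal` for at most the policy ceiling, starting now."""
        if role not in MAX_WINDOW:
            raise ValueError(f"unknown or non-elevatable role: {role}")
        if not justification.strip():
            raise ValueError("justification required")
        if role in REQUIRES_APPROVAL and not approver:
            raise PermissionError(f"{role} requires an approver")
        if approver == principal:
            raise PermissionError("self-approval is not allowed")
        # Clamp to the policy ceiling rather than granting what was asked for.
        window = min(window, MAX_WINDOW[role])
        g = Grant(principal, role, now, now + window, justification)
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {principal} {role} until "
                          f"{g.ends.isoformat()} approver={approver or '-'} reason={justification!r}")
        return g

    def effective_roles(self, principal: str, now: datetime) -> Set[str]:
        """Only grants whose window contains `now` confer anything; nothing is standing."""
        return {g.role for g in self.grants
                if g.principal == principal and g.starts <= now < g.ends}

    def expire(self, now: datetime) -> int:
        """De-escalate: drop lapsed grants, record each expiry, return how many lapsed."""
        live = [g for g in self.grants if now < g.ends]
        lapsed = [g for g in self.grants if now >= g.ends]
        for g in lapsed:
            self.audit.append(f"{now.isoformat()} EXPIRE {g.principal} {g.role}")
        self.grants = live
        return len(lapsed)

def demo():
    """Walk one elevation through grant, use, and automatic expiry."""
    b = Broker()
    # Four hours are requested; policy clamps db_admin to one hour.
    b.request("alice", "db_admin", 4 * HOUR, "INC-1234 index rebuild", T0)
    during = b.effective_roles("alice", T0 + 30 * MINUTE)   # {"db_admin"}
    after = b.effective_roles("alice", T0 + 2 * HOUR)       # set()
    expired = b.expire(T0 + 2 * HOUR)                       # 1
    return during, after, expired, b.audit

if __name__ == "__main__":
    during, after, expired, audit = demo()
    print("roles at +30m:", during, "| roles at +2h:", after, "| lapsed grants:", expired)
    print("\n".join(audit))
```

Two design points carry the "remove all standing privileges" idea: `effective_roles` is computed from the live grant list on every call rather than from a stored attribute on the principal, so there is no persistent privileged state to forget to revoke, and the requested window is clamped to the policy ceiling instead of being honoured as asked.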
Explicitly managed privileged access hardens corporate security postures in a variety of ways. First, enterprises establish a well-defined access audit trail. Usage monitoring also allows machine learning algorithms to identify anomalous behavior, where breaches are detected before attackers can reach the inner IT ecosystem. Saviynt’s Cloud PAM solution consumes configuration data from popular cloud platforms to provide insights into security and risk-prone configurations.
Next Steps to Conquer Cloud Complexity
Modern enterprises need to capitalize on the benefits of native cloud technologies: Inherent elasticity, resilience, and delivery as a service. We deliver PAM via an agentless, zero-touch architecture so you can deploy secure privileged access capabilities in days, rather than weeks or months. Achieve zero-standing privilege with behavioral and usage data, risk insights, and an adaptable identity warehouse powering your PAM solution.
By spotlighting Saviynt’s cloud-native innovation, KuppingerCole puts old-school PAM solutions on notice.