In the future, 2020 might well be remembered in IT circles as the year of the cloud data breach. After all, nearly 79% of CISOs responding to a midyear survey conducted by IDC Research reported that their organization had suffered a cloud data breach at some point in the last 18 months. Among these organizations, 89% had experienced three or more cloud breach events. And 43% had seen ten or more.
It’s clear that the challenges security and identity professionals face are significant. The business case for making a move to the cloud has never been more compelling. Enterprises must deliver the rapid innovation that today’s consumers expect or face falling far behind their more nimble competitors. At the same time, sophisticated and well-resourced advanced persistent threat actors are specifically targeting cloud resources. As long as attackers can adapt their strategies and techniques more quickly than businesses can evolve their defenses, we can only expect the same troubling trends to continue.
2020’s events accelerated shifts to the cloud. Organizations fast-tracked their adoption of remote work, doubling down on cloud migration and digitization efforts. But rapid transformation can increase security risks, especially if done too hastily. As a result, the number of cloud misconfiguration-related data breaches has steeply increased since last year, now comprising more than 10% of all breaches examined in the 2020 Verizon Data Breach Investigations Report. It’s becoming increasingly apparent that yesterday’s security tools and management models are ineffective in today’s cloud-based world.
Nowhere is this more true than the realm of Privileged Access Management (PAM). According to research consultancy Forrester, 80% of breaches in recent years involved privileged credential misuse. Legacy PAM solutions built for on-premises infrastructure and resources are simply inadequate for managing access in environments comprised of various software-as-a-service (SaaS) applications, cloud databases, and modern development platforms spread across multiple cloud providers. Applying policies consistently and uniformly across these intricate and rapidly-changing computing ecosystems is just too complicated for tools that weren’t designed for the task.
It’s now crucial that security leaders build processes and solutions that will enable them to achieve secure risk-based access controls, holistic visibility, and uniform governance in a cloud-first world.
The benefits of moving to the cloud – streamlining business processes, accelerating growth, becoming better able to meet customers’ needs – were once nice to have. Now they’re essential for enterprises who want to retain market share and competitive advantage. Migrating workloads to the cloud reduces administrative and infrastructure costs, speeds development and time-to-market for new services, and enables anywhere, anytime access to enterprise computing resources. This is an indispensable enabler for modern, dynamic business.
But cloud environments are inherently different from legacy on-premises IT environments. These differences are responsible for many of the benefits of cloud migration, but also have the potential to create new security vulnerabilities.
Real-world cloud computing ecosystems tend to be complex, requiring new tools and processes to monitor and manage them. As companies increasingly move towards hybrid and multi-cloud environments that combine on-premises systems and elements from multiple public cloud providers’ offerings, complexity continues to grow. This further amplifies the challenges of maintaining visibility and control. Legacy tools not specifically designed to work in these environments are usually not up to the task. Even when they can be re-platformed for the cloud, often they’ll only work in one provider’s environment with limited functionality and a cumbersome architecture.
And because traditional network borders have largely dissolved in today’s enterprise computing environments, the role that perimeter-based defenses once played has been supplanted by a new model for comprehensive security and risk management.
“The dynamics of securing data are changing. So, too, are the dynamics of securing privileged access. Whether your organization is running workloads in the cloud or on on-premises systems – or a combination of the two – enforcing baseline security policies, maintaining comprehensive visibility, and ensuring that you understand your current risk exposure is becoming more and more complex.”
– Vibhuti Sinha, Chief Product Officer at Saviynt
Once security leaders begin thinking of identity as the new perimeter, they’ll soon discover that identities and privileges must be managed and monitored centrally to eliminate one-off configurations, simplify operational workflows and support compliance. They’ll also realize that identity context is critical for making privileged access decisions – blanket permissions introduce too much risk, while blocking access without understanding when and where it’s needed interrupts workflows and impedes productivity.
Decision-makers who understand that identity is the new perimeter will view identity governance and PAM as among the most critical functions of their security solution stack. And the poor fit between legacy security processes and technologies and the needs of today’s cloud-based computing environments is especially salient when considering PAM solutions.
Yesterday’s PAM technologies typically handle privileged accounts by storing administrative accounts’ credentials in a password vault. These tools then grant privileged accounts rights to access resources. Typically, these rights are neither time- nor task-limited. Instead they have what is known as standing privilege: anyone with such rights has privileged access to resources for an unlimited amount of time.
And while traditional PAM solutions scan environments at regular intervals, those intervals weren’t designed to suit dynamic cloud environments where new services and workloads can be spun up and scaled down in minutes.
What’s more, traditional PAM solutions were designed to handle legacy user accounts that get accessed with a username and password and attached to a human identity. Many lack the capabilities needed to handle new cloud-based identities and machine-to-machine communications. They weren’t built to handle the Internet of Things (IoT), or Industrial Internet of Things (IIoT) device communications, or robotic process automation (RPA) bots. Nor were they designed to work with serverless functions, containers, or workloads-as-services, or to integrate into CI/CD pipelines.
As SaaS app adoption continues, it’s important to consider how this trend effects privileged access management at the application and individual user level. SaaS solutions manage identity and access in ways that are very different from their on-premises predecessors, which is becoming increasingly problematic for companies that have made the full — or partial — transition to the cloud. Why? Most legacy PAM vendors offer application control solutions that get deployed directly to endpoint solutions via agents. This approach provides privileged access by elevating applications instead of individual users. However, in our SaaS-driven world, this approach is quickly becoming obsolete. Legacy vendors don’t provide a modern means to manage these types of applications, and organizations should consider solutions that have addressed this gap in traditional PAM workflows.
Older PAM technology also introduces additional complexity into identity lifecycle management. It makes it relatively easy for orphaned accounts – belonging to terminated employees or other former users – to persist in the environment for long periods without monitoring or oversight.
Due to their hefty server and infrastructure requirements, traditional PAM tools are cumbersome to manage, even in entirely on-premises environments. Add the increased operational overhead that the cloud’s complexity brings, and security and identity teams will face an untenable burden.
The primary interfaces through which privileged access to any organization’s computing resources can be obtained are:
Organizations need to eliminate admin accounts and define privileges in more granular and creative ways.
Persistent privileged accounts are a key attack vector in an elastic cloud environment when static OS accounts are employed.
Traditional PAM tools fail to find and manage privileged-access vulnerabilities in code.
It’s extremely important to have an effective strategy for managing the permissions assigned to APIs in the cloud.
Because data resides here, it’s especially important to protect cloud databases. Failing to do so creates enormous risk exposure that can lead to large-scale breaches.
Should a privileged user’s workstation be accessed – or their laptop stolen – the risk of exposing access keys is high.
Today’s enterprises are embracing cloud technologies – and the dynamic business models that they enable – on an unprecedented scale. They’re supporting remote and geographically distributed workforces. They’re striving to provide new products and services at revolutionary speed. And they’re seeking cost and efficiency advantages that only the cloud can offer. As a result, they need to apply new paradigms when thinking about how to secure these environments.
Zero Trust is a radically different way of thinking about security architectures. Instead of relying on perimeter-based defenses to police an internal “trusted” zone where network traffic and entities are deemed safe, Zero Trust principles consider everything and everyone to be untrustworthy. Thus, every single user, device or application must prove who they are and why they need privileged access to a resource.
As a paradigm, Zero Trust consists of three core tenets:
Least privilege ensures that users only gain access to the specific tools they need to complete a task.
Zero Trust grants access on a “time-limited” basis, so access is automatically removed after a given period.
Zero Trust gatekeepers evaluate a user requesting access based on their identity profile and grants or denies access. Fine-grained entitlements allow the gatekeeper to grant precise access.
Zero Standing Privilege means that no user will ever be able to bypass the gatekeeper. It’s crucial that no user ever has standing privilege based on location or device.
Zero Standing Privilege (ZSP) is a means of applying Zero Trust principles to problems in privileged access management. Originally coined by the analyst firm Gartner, ZSP means that instead of granting administrative privileges to accounts on a permanent basis, users, devices or services are granted access to privileged resources for a limited time only, on the basis of need. Each access request is decided according to predetermined policies or criteria based on behavioral analytics. ZSP is an example of a Just-in-Time access model.
Adhering to the Zero Trust paradigm means that whenever privileged access is granted, it’s granted for a limited time only, and is intended to be just enough access for the task at hand. Zero Trust combines ZSP with intelligent context-based decision making that takes place every time a user or application submits an access request. It enables organizations to secure identity as the new perimeter and prepares them to defend modern infrastructures against today’s threats.
Moving from theory to practice for the Zero Trust and ZSP paradigms requires more than a mindset shift on the part of security and identity leaders. It also demands new processes and technologies, ones that were created specifically for the task at hand. The inherent complexity and ephemerality of cloud environments renders many legacy administrative and development practices insecure. Even DevOps, which has become popular in part because it’s naturally amenable to the fast-paced change that’s synonymous with cloud computing, can introduce vulnerabilities into code if CI/CD pipelines aren’t built with security in mind.
In particular, cloud environments require new ways of managing identity lifecycles while maintaining visibility across hybrid and multi-cloud ecosystems. And maintaining secure cloud development practices will necessitate new ways of managing secrets and privileged accounts within highly-automated test and production environments. And privileged machine identities must be managed in a way that’s dynamic as well as time- and function-limited. That’s where cloud PAM comes in.
Cloud PAM is designed for the cloud and built in the cloud to solve privilege management challenges unique to the cloud. It is specifically designed to work with SaaS applications as well as infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) computing models.
Purpose-built to make Just-in-Time access and ZSP paradigms enforceable, cloud Privileged Access Management automates simple decision-making about whether or not to grant particular access requests, and turns more complex requests over to a human for review. This eliminates errors while saving time and reducing management complexity. Cloud PAM is able to seamlessly incorporate risk-based business intelligence into approval workflows.
Cloud Privileged Access Management natively integrates with DevOps tools as well as the communication platforms that are in widespread use in today’s remote work-enabled business computing environments. It also works with security information and event management (SIEM) platforms and other security alerting infrastructures. And it integrates with identity governance solutions.
Because cloud PAM is itself a SaaS solution, it comes with all the benefits that enterprises have come to expect from cloud-based platforms. There’s no need to invest in infrastructure, management is done for you, and configuring and updating the software is easy. Deployment is simple, too. It’s delivered via an agentless, zero-touch architecture and can be deployed in days even at a large organization.
“Here at Saviynt, we believe in utilizing native cloud technologies to build a platform that is elastic, resilient and can be delivered as a service. We are realizing these principles by adopting a web browser-based design pattern, by converging governance capabilities into our product and by deeply integrating with public cloud providers’ native security frameworks. ”
– Vibhuti Sinha, Chief Product Officer at Saviynt
A service account is a privileged account that belongs to – and is used by – software and machines. Traditionally, credentials are static, and are rarely changed because of the administrative overhead involved. Service accounts often have access to multiple resources, and it’s not uncommon for them to be overprivileged. Service account passwords are often shared among IT or development teams and re-used across multiple systems, and service account sprawl is common.
Service accounts are commonly configured with a “set it and forget it” mentality. If they are compromised, service accounts provide a means for attackers to quickly move laterally across the environment, accessing multiple systems with a single password. Their existence represents a significant potential vulnerability in any enterprise environment.
Securing cloud infrastructure requires dynamic service accounts with specific, time- and function-limited access. Development teams often leave service account keys behind in code, since doing so facilitates easier testing. And would-be-attackers are constantly scanning code repositories for these keys.
What’s needed is a mechanism for delivering time-limited access. With time-limited keys, credential access can be checked out like a book from the local public library, used only for the time that it’s needed, and checked back in, when it will expire. It’s also possible to deliver time-limited access automatically, relying on a credential-less approach in which access privileges are granted and revoked at predetermined times established by an administrator or security team member.
Relying on CI/CD pipelines is a core tenet in DevOps philosophy. But most CI/CD pipelines were built for speed and the ability to deliver dynamic updates without downtime; they weren’t necessarily designed with security in mind.
Automating whenever possible is also a core tenet in DevOps. DevOps practices strive to automate software testing as well as provisioning and deployment. Secrets management is crucial for security in DevOps environments.
Cloud Privileged Access Management monitors secret distribution, limits privileged credentials’ lifespans, and manages privileged accounts to minimize vulnerabilities and limit the potential for damage if compromise occurs. Because cloud PAM integrates with the cloud-native toolsets that make up the CI/CD pipeline, it’s able to limit access and provide visibility and accountability across the pipeline’s entirety. Privileged accounts with rights to deploy code into the environment have been exploited in some of the most devastating recent large-scale breaches, and protecting the CI/CD process can dramatically reduce an enterprise’s risks.
“The SolarWinds attack started with a compromised software build process that allowed an advanced persistent threat group to insert malicious code into the Orion software update. Given the imperative for speed of software development and release, many organizations provide access to accounts along the DevOps toolchain that is overprovisioned from a privilege standpoint, enabling this kind of breach.”
– Yash Prakash, Chief Strategy Officer Saviynt
As new security challenges mount, the opportunity for new solutions to solve them is also growing. Industry analysts at Gartner predict that SaaS-delivered, converged platforms will become the preferred adoption method for IGA, AM and PAM capabilities by 2023, making up nearly half of all new deployments by then.
“By 2023, a new category of SaaS-delivered, converged IAM platforms will be the preferred method for IGA, access management (AM) and privileged access management (PAM) in more than 45% of new IAM deployments.”
– 2020 IGA Market Guide, Gartner
Saviynt’s cloud-native Privileged Access Management platform was built to enable business agility without introducing risks. It features a pioneering architecture with zero on-premises footprint, which simplifies and speeds deployment for any IT infrastructure – regardless of whether yours is a DevOps, hybrid, multi-cloud or on-premises environment. This architecture ensures high availability, easy maintenance and upgrades and eliminates operational risk.
Saviynt Cloud Privileged Access Management provides a frictionless user experience through its simple access request/approval process, user-friendly drag-and-drop workflows and readily configurable dashboards. It includes comprehensive auditing and reporting capabilities as well as traditional PAM functionalities, such as a password vault, session recording and keystroke logging, and command filtering. It also incorporates advanced behavioral analytics and risk-based scoring based on real-world data from an array of third-party security and risk solutions.
Designed to make Zero Trust and ZSP possible in the real world today, Saviynt’s cloud-native Privileged Access Management platform enables just-in-time access, where users are granted elevated privileges for a limited time only. It automates the enforcement of least-possible privilege policies at cloud scale and enables credential-less access with passwords that are automatically hidden from users and rotated to ensure security. It also features integrated IGA to streamline the management of any identity’s access to any application across today’s complex hybrid infrastructures. And it includes service account management capabilities.
Saviynt’s Enterprise Identity Cloud helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The platform brings together identity governance (IGA), granular application access, cloud security, and privileged access (PAM) to secure the entire business ecosystem and provide a frictionless user experience. The world’s largest brands trust Saviynt to accelerate digital transformation, empower distributed workforces, and meet continuous compliance, including BP, Western Digital, Mass Mutual, and Koch Industries. For more information, please visit saviynt.com.