Securing Privileged Access for the Modern Enterprise: The Evolution of Cloud PAM

Limitations of Traditional PAM in the Cloud

Decision-makers who understand that identity is the new perimeter will view identity governance and PAM as among the most critical functions of their security solution stack. The poor fit between legacy security processes and technologies and the needs of today’s cloud-based computing environments is especially salient when considering PAM solutions.

Yesterday’s PAM technologies typically handle privileged accounts by storing administrative accounts’ credentials in a password vault. These tools then grant privileged accounts rights to access resources. Typically, these rights are neither time- nor task-limited. Instead they have what is known as standing privilege: anyone with such rights has privileged access to resources for an unlimited amount of time.

And while traditional PAM solutions scan environments at regular intervals, those intervals weren’t designed to suit dynamic cloud environments where new services and workloads can be spun up and scaled down in minutes.

What’s more, traditional PAM solutions were designed to handle legacy user accounts that get accessed with a username and password and attached to a human identity. Many lack the capabilities needed to handle new cloud-based identities and machine-to-machine communications. They weren’t built to handle the Internet of Things (IoT), or Industrial Internet of Things (IIoT) device communications, or robotic process automation (RPA) bots. Nor were they designed to work with serverless functions, containers, or workloads-as-services, or to integrate into CI/CD pipelines.

73% of companies say all or nearly all of the applications they use will be SaaS solutions by the end of 2021. (Source: IDC Research)

As SaaS app adoption continues, it’s important to consider how this trend affects privileged access management at the application and individual user level. SaaS solutions manage identity and access in ways that are very different from their on-premises predecessors, which is becoming increasingly problematic for companies that have made the full — or partial — transition to the cloud. Why? Most legacy PAM vendors offer application control solutions that get deployed directly to endpoint solutions via agents. This approach provides privileged access by elevating applications instead of individual users. However, in our SaaS-driven world, this approach is quickly becoming obsolete. Legacy vendors don’t provide a modern means to manage these types of applications, and organizations should consider solutions that have addressed this gap in traditional PAM workflows.

Older PAM technology also introduces additional complexity into identity lifecycle management. It makes it relatively easy for orphaned accounts – belonging to terminated employees or other former users – to persist in the environment for long periods without monitoring or oversight. 

Due to their hefty server and infrastructure requirements, traditional PAM tools are cumbersome to manage, even in entirely on-premises environments. Add the increased operational overhead that the cloud’s complexity brings, and security and identity teams will face an untenable burden. 

How Privileged Access is Different in the Cloud:

The primary interfaces through which privileged access to any organization’s computing resources can be obtained are:

Management consoles:

  • Access assignments were traditionally static or persistent
  • Privileges were typically assigned on a long-term basis
  • Segregated admin accounts lead to privileged identity proliferation

Organizations need to eliminate admin accounts and define privileges in more granular and creative ways.

Instances and workloads:

  • Consist of Linux and Windows virtual machines (VMs) and containers
  • Often use static operating system (OS) accounts

Persistent privileged accounts are a key attack vector in an elastic cloud environment when static OS accounts are employed.

Serverless functions:

  • Privileged roles are typically assigned within CI/CD pipelines
  • Application-as-code makes finding privileges a challenge
  • Code scans are time- and resource-intensive

Traditional PAM tools fail to find and manage privileged-access vulnerabilities in code.

API interfaces:

  • It’s not uncommon for developers to leave API keys behind in code uploaded to public repositories, creating major, lasting vulnerabilities
  • Permissions assigned to APIs are rarely reviewed

It’s extremely important to have an effective strategy for managing the permissions assigned to APIs in the cloud.

Cloud databases:

  • Because cloud databases lack APIs, access cannot be managed through privileged account lifecycle management solutions
  • Making use of highly privileged default accounts is rampant

Because data resides here, it’s especially important to protect cloud databases. Failing to do so creates enormous risk exposure that can lead to large-scale breaches.

Command-line interfaces:

  • DevOps teams, developers and engineers use command-line interfaces frequently to interact with underlying infrastructure
  • There are granular differences between the syntax and arguments used in different cloud providers’ environments
  • Command-line tools often make use of long-term keys as authentication credentials

Should a privileged user’s workstation be accessed – or their laptop stolen – the risk of exposing access keys is high.
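The risks named above (standing privilege, orphaned accounts, long-term keys) can be checked against an inventory of privileged grants. The following is an added example, not code from the eBook or from any vendor; the `Grant` record, the policy thresholds and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds (not from the page); tune to your own standard.
MAX_GRANT = timedelta(hours=8)
MAX_KEY_AGE = timedelta(days=90)

@dataclass
class Grant:
    principal: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None: the right never lapses
    task: Optional[str]             # None: not tied to a ticket or change
    owner_active: bool              # False: owner left or was decommissioned
    key_created_at: Optional[datetime] = None  # set for access-key credentials

def audit(grants, now):
    """Return {(principal, resource): [issues]} for grants that break policy."""
    findings = {}
    for g in grants:
        issues = []
        if g.expires_at is None:
            issues.append("standing-privilege")
        elif g.expires_at - g.granted_at > MAX_GRANT:
            issues.append("grant-too-long")
        if g.task is None:
            issues.append("not-task-limited")
        if not g.owner_active:
            issues.append("orphaned-account")
        if g.key_created_at and now - g.key_created_at > MAX_KEY_AGE:
            issues.append("long-term-key")
        if issues:
            findings[(g.principal, g.resource)] = issues
    return findings

# Constructed sample inventory; every name and date below is made up.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
DAY, HOUR = timedelta(days=1), timedelta(hours=1)
SAMPLE_GRANTS = [
    Grant("admin-jdoe", "prod-console", NOW - 400 * DAY, None, None, True),
    Grant("svc-old-batch", "billing-db", NOW - 700 * DAY, None, None, False),
    Grant("alice", "prod-vm-17", NOW - HOUR, NOW + HOUR, "CHG-1042", True),
    Grant("ci-deployer", "deploy-api", NOW - 200 * DAY, None, "pipeline-deploy",
          True, key_created_at=NOW - 200 * DAY),
]

if __name__ == "__main__":
    for target, issues in audit(SAMPLE_GRANTS, NOW).items():
        print(target, issues)
```

Only the time-boxed, ticketed grant for `alice` passes; the other three are flagged for the reasons this section describes.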

Explore the eBook for a full scope on Cloud PAM:

  • Zero Trust and Zero Standing Privilege
  • Securing privileged access in the cloud
  • Safeguards for software & machine service accounts
  • Calibrating cloud speed & security with DevSecOps
  • Saviynt’s innovative CPAM-as-a-service platform
