As more companies transition to using cloud-based resources to streamline business processes and accelerate growth, cybercriminals are re-tooling to target their attacks on cloud resources. And they’re seeing a big payoff. According to global intelligence firm IDC, nearly 80% of the companies surveyed experienced at least one cloud data breach in the past 18 months, and 43% reported ten or more breaches. It’s apparent that old security models and legacy tools are not a fit for the cloud-based world.
This is especially true of Privileged Access Management (PAM). PAM tools explicitly built for on-premise resources and applications are insufficient for systems that involve various SaaS applications, databases, and software development platforms spread across multiple clouds. Managing security consistently and uniformly applying governance is now much more complicated.
This guide explores cloud-native PAM (Cloud PAM) as the evolution of existing PAM technologies. We explain why the vulnerabilities that come with moving to the cloud are so problematic. And we look at the difference between Cloud PAM and Cloud Infrastructure Entitlement Management (CIEM) and the importance of securing the DevOps cycle in the cloud.
Why Legacy PAM Doesn’t Work for Cloud
PAM tools work by collecting privileged accounts’ credentials into a secure repository, which lowers the risk of admin credentials being stolen by outsiders or misused by insiders. Legacy tools grant privileged users access to “walled off” resources using these credentials (with standing privileges) via VPN tunnels. For on-premises resources, this model works just fine.
But it fails in the cloud for several reasons. The most obvious is that cloud resources are continually scaling up and down, and legacy PAM solutions don’t offer matching flexibility. Legacy PAM solutions scan environments at regular intervals, and those intervals don’t match the rate at which cloud resources auto-scale, leaving them periodically unmonitored.
Additionally, the cloud’s elastic nature creates risk when organizations rely on a legacy PAM strategy of persistent operating system accounts with static permissions. Credentials with standing privilege become more vulnerable because workloads (and the resources required for them) are continually shifting. Users get left with access to resources they no longer need, and credentials sit around for long periods, vulnerable to attack.
Read 5 Reasons Lifting-and-Shifting Legacy PAM to the Cloud Doesn’t Work to learn more about the insufficiency of legacy PAM tools for securing cloud resources.
Why Standing Privilege Must Go
Zero Trust’s identity-based access model is an ideal approach to access management. In this model, standing privilege doesn’t exist, and each access request is evaluated based on a range of identity factors — including role, position, duties, and usage behaviors. With Zero Trust, the organization monitors every resource and logs every access request. A system based on a collection of tools, including CloudPAM, evaluates each access request. If the system deems a request suspicious (based on identity factors), it alerts an administrator for closer review. (Otherwise, it auto-grants access.) For this reason, Cloud PAM tools combined with a Zero Trust approach offer much better protection for cloud-based resources.
It’s also important to note that PAM solutions aren’t divisible into simply legacy and cloud solutions. Some Cloud PAM solutions are designed only for cloud resources. But most organizations use a combination of on-premises and cloud-based. The most robust and flexible tools are cloud-based but built to defend on-premises, hybrid, and cloud architectures.
Cloud PAM vs. CIEM
Cloud Infrastructure Entitlement Management (CIEM) is often confused with Cloud PAM, so let’s briefly identify the differences between the two. CIEM helps organizations manage the myriad of entitlements that exist in the Cloud. CIEM ranges from fine-grained access on S3 buckets to IaaS roles and policies. On the other hand, Cloud PAM focuses on the privileged account and limiting/brokering/assigning access to these accounts on an as-needed basis — in contrast to standing privilege. Neither Cloud PAM nor CIEM is better than the other. They’re simply useful for different things.
SaaS Security Challenges
SaaS presents a particular challenge when it comes to security. Most organizations are actively using many different SaaS solutions, each fully siloed. The average employee regularly logs into eight different SaaS solutions. And 71% of companies have at least one SaaS subscription that isn’t being used (or monitored, as a result). IT departments struggle to maintain visibility into these resources and the sensitive data they typically contain.
Integrating identity governance and managing access may be simple (thanks to built-in APIs) or complicated for multiple SaaS applications. But SaaS resources must holistically integrate with the organization’s security and governance model. To sufficiently secure SaaS solutions, you must manage user identities centrally and access throughout the entire tech stack, identify which resources are available to which identities and apply controls to secure the environments. All of this is possible with a Cloud PAM that includes identity governance capabilities.
Securing the CI/CD Pipeline
The cloud is more than virtual machines, databases, and SaaS tools. One of the most popular cloud-architected strategy elements includes orchestrating cloud workloads using DevOps tools and continuous integration (CI) and continuous delivery (CD) processes. Serverless functions, containers, and Kubernetes workloads-as-services are now mainstream strategies to run workloads at scale. This innovation has expedited the process of pushing development to production, creating the DevOps process that is commonplace now.
Unfortunately, this innovation was mostly concerned with the speed of development and implementation. Security was an afterthought. With DevOps, the continuous delivery component of CI/CD requires privileged accounts having rights to deploy code into the environment. These accounts are typically manually configured, and they too often persist indefinitely — creating the standing privilege problem we identified above.
Breaches to the CI/CD pipeline are especially damaging since criminals can use an over-scoped key to take down an entire cloud datacenter. And if a fixed key is available in the automation software, they can easily copy it and use it when they like.
To solve this problem, DevSecOps evolved the CI/CD process to include security. Organizations can use Cloud PAM tools to eliminate keys with standing privilege and then evaluate each access request for suspicious activity and grant access for a limited time.
Read Why Your CI/CD Needs PAM and Saviynt to learn more about securing CI/CD with Cloud PAM.
Evolved Tools Meet Today’s Cloud Security Challenges
The cloud is immeasurably valuable in helping organizations speed up and optimize processes. Without the cloud, a company is unable to be competitive. But the cloud comes with significant security challenges. Cloud security depends on visibility and limiting access as much as possible — and Knowing who is trying to access what reduces instances of successful attacks. And limiting the scope and duration of each user’s access limits the damage done by an attack. Security tools and methods are evolving to allow organizations to accomplish these tasks. When you eliminate standing privilege and use a Cloud PAM system designed for a cloud or hybrid environment, you gain visibility and reduce risk.
For a deep dive into how Cloud PAM can help your organization secure its cloud or hybrid environment, read Cloud PAM for Robust Cloud Security.