Beyond the Vault: Cloud-Powered PAM and the Least Privilege Revolution

Across the globe, enterprises are racing to migrate to the cloud and digitize their operations. Some call it a shift from “cloud speed to COVID speed.” PAM and identity governance platforms have to keep pace with this transition.

The problem is, few are. 

KuppingerCole recently recognized Saviynt as an Innovation Leader in its latest PAM Leadership Compass report. In particular, analysts commended our PAM-as-a-Service platform advancements. Given emerging issues like remote work enablement and structural changes to IT architecture, these innovations are essential.

Similarly, according to Paul Fisher, Senior Analyst at KuppingerCole, “today’s IT environments require a vigilant approach to protect privileged accounts and reduce cybercriminal entry points into an unsuspecting organization.”

The problems with legacy PAM are well documented: limited oversight, high deployment and operational costs, and a static account architecture built around usernames and passwords. All of these slow modernization.

Cloud-powered PAM platforms are built on different principles, and they change how identity is managed and governed. Finally, solutions exist that deliver what PAM was always supposed to.

In this eBook, we discuss the history of PAM, explore its password vaulting roots, and discover how modern enterprises can embrace Zero Trust with cloud PAM.

The Genesis of PAM

PAM emerged in the 1980s (with sudo for Unix), although the first commercial password vaults did not ship until the early 2000s. Vendors originally created vaults to store infrastructure passwords. The reason: every server is built with an administrator (or ‘root’) account, and these accounts were often given the same password at build time. Password vaults randomize these passwords and let support teams check out access to each one when needed.

Later, password management, Active Directory bridging, and least-privilege solutions saw broader adoption. By 2007, Privilege Elevation and Delegation Management (PEDM) for Windows appeared, albeit with a focus on endpoints like desktops and laptops. This technology offered better application control and removal of local admin rights. While PEDM in theory limits privilege by granting admin rights only for particular tasks, applications, or scripts, it still relies on statically defined policy. These rules require manual creation and management. Worse still, they are always in effect for a user: if a privileged user’s device is compromised, the threat actor obtains the elevated access along with it.

Confusion ensued as many began describing these solutions as ‘PAM’, even though vaulting remained central. Privileged access management as we experience it today did not yet exist.

  1. Outdated PAM Puts Modern IT Ecosystems at Risk
    Concerningly, enterprises carried these solutions forward even as their ecosystems modernized. Vaults were designed for shared accounts, not personal, application, or web accounts. Personal accounts carry a variety of entitlements that do not lend themselves to management within a vault. Most concerning of all, vaults don’t solve the most pressing security issue: excess privilege.

    79% of enterprises have had an identity-related breach within the past two years.*
    600% increase in cybercrime activity since the COVID-19 pandemic began.*

  2. Difficulties Delivering Least Privilege and JIT
    Centralizing privileged accounts in a vault neither reduces the number of privileged accounts nor reduces the risk those privileges carry. Nor does the method guide an enterprise toward least-privilege or just-in-time access.


What Is ... Zero Trust?

Definition

A framework to move from implicit trust to a continuous re-evaluation of risk and trust levels.

Examples

User Verification
Applying risk-based authentication to validate that every user is who they claim to be.

Device Validation
Ensuring that only registered devices have access to resources.

Intelligent PAM
Provisioning users or devices with only as much access as is required, at the time it is needed.

Benefits

Movement toward “a workload-first, data-driven, and identity-aware security model.” Additionally, organizations reduce reliance on older legacy applications and securely re-architect IT environments using newer languages and designs that can benefit from cloud computing.


What Is ... Just-In-Time Access?

Definition

An approach to enforcing true “least privilege”: users, processes, applications, and systems hold only the minimum rights and access needed to complete a necessary task, and only for as long as that task requires.

Examples

Monitoring & Management
Time-bound, automatic provisioning and revocation.

Minimizing Standing Risk
Ensuring users and systems gain proper access for a limited amount of time within a Privileged Access Management (PAM) software solution.

Benefits

Enforce least privilege strategies by controlling where users can access privileged data or accounts – and dictating the actions they can perform once they have secured access.

As attacks grew, the 2010s saw new defense measures and applications introduced. While robust, the solutions were piecemeal – and ballooned enterprises’ architectures. The result: A buffet of SIEM, IGA, SSO, MFA, and Vulnerability Management tools to manage.

Although more robust PAM solutions now exist, M&A activity further muddles things. Often, incumbent vendors try to fast-track innovation by buying up PAM tools. Here, customers miss out. Fragmented architectures blunt the full potential of PAM. Companies now suffer with different consoles, different reporting interfaces, and disparate agents in play.

Cloud First – The Way Privileged Access Should Be Managed

Cloud-first PAM is underestimated as essential to both digital transformation and improved cybersecurity. According to an IDC survey of CISOs, “80% of leaders cannot identify excessive access to sensitive data in cloud production environments.” Further, “privilege abuse” was the most common action identified in over 20,000 incidents reviewed for Verizon’s 2021 Data Breach Investigations Report.

Delivering PAM as a service provides the continuous discovery and risk visibility that legacy solutions lack, which is one of their key weaknesses.

Modern Businesses Demand More Dynamic Security

Enterprises must be able to assess real-time activity across elastic workloads, accounts, and access. For example: remote workers routinely use multiple devices to connect to various data and systems. To reduce access misuse, these devices, accounts, and sessions need to be within the real-time purview of security leaders.

Further, they must identify risky or misconfigured objects and automatically trigger remediation steps, including reversal of the change, exception approval, or quarantine. This is akin to ‘closing the door’ on excessive permissioning, a remedy for the old tactic of giving privileged accounts excessive access in the name of ‘simplification.’ Similarly, it addresses the orphaned account issue: forgotten accounts that sit on the network, primed for misuse.

51% of organizations have experienced a data breach caused by a third party.
Source: Security Magazine

An added concern is mismanaging vendor, contractor, and other external user access. These users often need to retrieve privileged data, yet they are seldom managed through standard HR processes, so their access is rarely revoked when an engagement ends.
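The two governance checks described above (orphaned or expired accounts, and entitlements beyond what a job role needs) reduce to a reconciliation of the account inventory against the HR roster and a least-privilege baseline. The following is an added example, not Saviynt’s code: the roster, baseline, exception register, account names and the three remediation actions (quarantine, reversal, exception approval) are constructed for the illustration.

```python
# Added illustration of the governance reconciliation described above.
# Not Saviynt's code; roster, baseline, exceptions and account names are
# assumptions constructed for the example.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                 # identity the account belongs to ("" = no owner on record)
    entitlements: frozenset
    source: str = "internal"   # "internal" or "third_party"


@dataclass(frozen=True)
class Finding:
    account: str
    entitlement: str           # "" when the finding concerns the whole account
    reason: str
    action: str                # "quarantine" | "reversal" | "exception_approval"


# Constructed HR roster: owner -> (job role, access end date, None while active)
ROSTER = {
    "alice": ("dba", None),
    "bob": ("developer", None),
    "carol": ("contractor", date(2021, 3, 31)),   # engagement already ended
}

# Constructed least-privilege baseline: job role -> entitlements it may hold
BASELINE = {
    "dba": {"db:read", "db:write", "db:admin"},
    "developer": {"db:read", "repo:write"},
    "contractor": {"repo:read"},
}

# Constructed, pre-approved exceptions: (owner, entitlement) -> justification
EXCEPTIONS = {("bob", "db:write"): "CHG-0421 incident fix, expires with ticket"}

TODAY = date(2021, 6, 1)  # constructed review date


def review(accounts, today=TODAY, roster=ROSTER, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Reconcile accounts against HR and the baseline; return remediation findings."""
    findings = []
    for acct in accounts:
        role, ends = roster.get(acct.owner, (None, None))
        # Orphaned: no owner on record, owner unknown to HR, or engagement ended.
        if role is None:
            findings.append(Finding(acct.name, "", "owner not in HR roster", "quarantine"))
            continue
        if ends is not None and ends < today:
            findings.append(Finding(acct.name, "", f"access ended {ends}", "quarantine"))
            continue
        # Excessive privilege: entitlements beyond the baseline for the owner's role.
        for ent in sorted(acct.entitlements - baseline[role]):
            if (acct.owner, ent) in exceptions:
                findings.append(Finding(acct.name, ent, exceptions[(acct.owner, ent)],
                                        "exception_approval"))
            else:
                findings.append(Finding(acct.name, ent, f"not in {role} baseline", "reversal"))
    return findings


def actions_by_account(findings):
    """Group remediation actions per account for a reviewer's summary."""
    out = {}
    for f in findings:
        out.setdefault(f.account, []).append(f.action)
    return out


# Constructed account inventory, as a discovery scan might return it.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", frozenset({"db:read", "db:write", "db:admin"})),
    Account("bob", "bob", frozenset({"db:read", "db:write", "repo:write", "db:admin"})),
    Account("svc-legacy-etl", "", frozenset({"db:admin"})),                 # no owner on record
    Account("carol-ext", "carol", frozenset({"repo:read"}), "third_party"),  # contract ended
]


if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.action:18} {f.account:16} {f.entitlement or '-':12} {f.reason}")
```

Running the script on the constructed inventory quarantines the ownerless service account and the contractor whose engagement ended, reverses bob’s unjustified `db:admin`, and routes his ticketed `db:write` to exception approval rather than silently retaining it. Alice, whose entitlements match her baseline, produces no finding.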

The Cloud PAM Difference

To ensure appropriate privilege, PAM must reinforce just-in-time (JIT) principles for cloud access — a core requirement for Zero Trust frameworks. But this is incompatible with legacy solutions built on the premise of vaults and credential rotation for privileged – but always-on – access.


Further, manual management is a non-starter for overburdened IT teams. Consider the range of IoT devices, workloads, and other machine identities in use. Each requires key management and dynamic provisioning of rights so that a task can be completed, followed by de-escalation back to a safe state. Under this workload, cloud PAM with automated risk analysis and governance capabilities must be table stakes.

Saviynt recognized the need to remove all standing privileges, rather than simply vaulting every discoverable privileged credential. That dated approach never reduced the number of privileged accounts, nor limited the risk of the standing privilege they carry. Vaults didn’t solve the problem; they centralized it.

With Cloud PAM, Saviynt allows organizations to remove these accounts and incorporate least-privilege principles. Using a just-in-time approach to privileged access, end users receive the right level of privilege for their immediate task — across all assets, applications, and platforms. This is why Saviynt designed a cloud PAM platform with Zero Trust, zero-standing privilege, and JIT access at the center. Without an on-prem footprint, the platform adds versatility: secure privileged access and critical asset protection across the entire infrastructure.
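The just-in-time model described in the sidebar above (time-bound provisioning with automatic revocation) and in this section (the right level of privilege for the immediate task, with no standing privilege) can be shown as a small elevation broker. The following is an added example and not Saviynt’s code; the policy shape, target names, ticket references and timestamps are assumptions made for the illustration.

```python
# Added illustration of zero-standing-privilege, just-in-time (JIT) elevation.
# Not Saviynt's code; the policy shape, targets and timestamps are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    identity: str      # who: a person or workload identity, never a shared account
    target: str        # where, e.g. "prod-db-01"
    role: str          # what, e.g. "db-admin"
    ticket: str        # why: change or incident reference kept for the audit trail
    starts: datetime
    expires: datetime  # every grant is finite; there is no "permanent" value


@dataclass
class JITBroker:
    # Eligibility policy: (role, target) -> who may request it and the TTL ceiling.
    policy: dict
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, identity, target, role, ticket, ttl, now):
        """Grant a time-bound role. Ineligible requests are denied and logged."""
        rule = self.policy.get((role, target))
        if rule is None or identity not in rule["eligible"]:
            self.audit.append(("DENY", identity, target, role, now))
            raise PermissionError(f"{identity} is not eligible for {role} on {target}")
        ttl = min(ttl, rule["max_ttl"])            # clamp to the policy ceiling
        grant = Grant(identity, target, role, ticket, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(("GRANT", identity, target, role, now))
        return grant

    def is_authorized(self, identity, target, role, now):
        """Access check at session start: expired grants are revoked first."""
        self.expire(now)
        return any(g.identity == identity and g.target == target and g.role == role
                   for g in self.grants)

    def release(self, grant, now):
        """Early de-escalation when the task finishes before the TTL runs out."""
        if grant in self.grants:
            self.grants.remove(grant)
            self.audit.append(("REVOKE", grant.identity, grant.target, grant.role, now))

    def expire(self, now):
        """Automatic revocation: drop every grant whose expiry has passed."""
        expired = [g for g in self.grants if g.expires <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(("REVOKE", g.identity, g.target, g.role, now))
        return expired

    def active_privileges(self, now):
        """Snapshot for reporting: under JIT this is empty whenever no task is running."""
        self.expire(now)
        return [(g.identity, g.target, g.role) for g in self.grants]


# Constructed policy: who may be elevated to which role, where, and for how long at most.
POLICY = {
    ("db-admin", "prod-db-01"): {"eligible": {"alice"}, "max_ttl": timedelta(hours=1)},
    ("root", "web-07"): {"eligible": {"alice", "bob"}, "max_ttl": timedelta(minutes=30)},
}


def demo(now=None):
    """Walk one elevation through grant, use, expiry, plus a denied request."""
    now = now or datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JITBroker(POLICY)
    # An 8-hour request is clamped to the 1-hour ceiling in POLICY.
    g = broker.request("alice", "prod-db-01", "db-admin", "CHG-1234", timedelta(hours=8), now)
    try:
        broker.request("bob", "prod-db-01", "db-admin", "CHG-1235", timedelta(minutes=5), now)
        denied = False
    except PermissionError:
        denied = True
    during = broker.is_authorized("alice", "prod-db-01", "db-admin", now + timedelta(minutes=20))
    after = broker.is_authorized("alice", "prod-db-01", "db-admin", now + timedelta(hours=2))
    standing = broker.active_privileges(now + timedelta(hours=2))
    return {"ttl_seconds": (g.expires - g.starts).total_seconds(), "denied": denied,
            "during": during, "after": after, "standing": standing, "audit": broker.audit}


if __name__ == "__main__":
    for row in demo()["audit"]:
        print(*row)
```

The point of the example is what is absent: there is no always-on admin account to vault and rotate. The privilege exists only between the GRANT and REVOKE entries in the audit trail, the TTL is bounded by policy rather than by the requester, and a stolen session token is worthless once the grant has expired.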

What’s Next For Cloud PAM

As PAM progresses, we believe that the 2020s will be about consolidation and simplicity. A true cloud PAM solution is converged. This means integrated IGA and PAM capabilities.

For example, the Saviynt platform works inside the cloud to attach rights and privileges to identities to streamline governance – no bolt-on software required. In contrast, traditional PAM focuses on infrastructure. Cloud PAM leapfrogs this with built-in connectors, bringing JIT to applications and consoles. And rather than creating additional user accounts for privileged access that need monitoring, administrators can assign time bound permissions to identities.

Explicitly managed privileged access hardens corporate security postures in a variety of ways. First, enterprises establish a well-defined access audit trail. Usage monitoring allows machine learning algorithms to identify anomalous behavior, where breaches are detected before attackers can reach the inner IT ecosystem. Saviynt’s Cloud PAM solution also consumes configuration data from popular cloud platforms to provide insights into security and risk-prone configurations.

These innovations extend governance. Sure, existing solutions may tell administrators who has access to what. But converged solutions broaden this. Not only do they certify access, but they manage the lifecycle of the user and the privilege. They should also be able to govern the machine a user uses and what access they have – even down to granular entitlements.

We’ve come a long way since the days when PAM was a fancy term for password vaulting. Today, PAM offers more:

  • Simplified onboarding and management
  • Alignment to zero standing privileges for infrastructure, applications, and web apps
  • JIT access to infrastructure, applications, and web apps
  • Real-time discovery and onboarding of dynamic cloud workloads
  • Governance-driven risk insights and reporting of cloud security

For enterprises that want improved security controls and operational disciplines – and want simpler, more robust identity and privilege control, there is a solution. 

Rarely can goals like these be solved with a single offering. But sometimes, rarely actually exists.

See why customers and analysts are excited about Saviynt. Explore our CPAM solution today.

Saviynt

Saviynt is the leading identity governance platform built for the cloud. It helps enterprise customers accelerate modern cloud initiatives and solve the toughest security and compliance challenges in record time. The Saviynt Enterprise Identity Cloud converges IGA, granular application access, cloud security, and privileged access into the industry’s only enterprise-grade SaaS solution. Learn more at Saviynt.com
