Cloud PAM: 5 Keys to a Successful Foundation

September 29, 2020


As cybersecurity teams adapt to pandemic-accelerated digital transformation, cloud privileged access management (PAM) becomes even more central to the security architecture.

As explored in my recent Why Cloud PAM Matters webinar, essential capabilities for cloud PAM include: enabling just-in-time (JIT) privileged access, cloud native hosting, privileged task automation, and service account management.

Figure: Evolving from On-Premise to Cloud PAM

5 Foundations for Successful Cloud Privileged Access Management

The universe of IT privileges required to operate in a hybrid, multi-cloud environment is expanding. Yet, many organizations have struggled to extend PAM into their cloud. Gaps have included limited cloud identity and access management (IAM) Integration, poor visibility, use of static or always-on privileged accounts, and reliance on heavy server-side PAM agent software.

Here are five keys for building a strong foundation for PAM in the cloud:

1. Just-in-Time (JIT) Access

JIT privileged access differs from traditional privileged access because it is OFF by default. Only when a user needs privileged access, and can get it approved through a business rule or workflow process, does the IAM or PAM system turn on the access by triggering an IT permission or calling a system API. JIT access greatly reduces standing privileges and the privileged user attack surface on-premises, in the cloud, and wherever it is used.
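The JIT model just described, as an added illustration that is not BeyondTrust code: a small broker in which privilege is off by default, a request is granted only if it passes a business rule (the user is entitled to the role and supplies a change ticket), every grant carries an expiry, and the enforcement point reaps expired grants before answering. The class and field names, the entitlement policy and the ticket rule are all constructed assumptions.

```python
# Added example, not BeyondTrust code: a minimal just-in-time (JIT)
# privileged access broker. Privilege is OFF by default; a request is
# granted only if it satisfies a business rule, and every grant carries
# an expiry so standing privilege never accumulates. All names are
# hypothetical and the policy values are constructed.
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    role: str
    expires_at: float          # epoch seconds; the grant is dead after this


@dataclass
class JitBroker:
    # Business rule: roles each user may request and the max grant length.
    entitlements: dict         # {user: {role: max_seconds}}
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, user, role, event)

    def request(self, user, role, seconds, ticket, now):
        """Approve only if the user is entitled to the role and cites a
        change ticket; clamp the window to the policy maximum."""
        limit = self.entitlements.get(user, {}).get(role)
        if limit is None:
            self.audit.append((now, user, role, "denied: not entitled"))
            return None
        if not ticket:
            self.audit.append((now, user, role, "denied: no ticket"))
            return None
        seconds = min(seconds, limit)
        grant = Grant(user, role, now + seconds)
        self.grants.append(grant)
        self.audit.append((now, user, role, f"granted {seconds}s ticket={ticket}"))
        return grant

    def has_privilege(self, user, role, now):
        """Enforcement point: drop expired grants first, then check."""
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and g.role == role for g in self.grants)

    def revoke(self, user, role, now):
        """Early revocation, e.g. when the approved task finishes."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.role == role)]
        if len(self.grants) != before:
            self.audit.append((now, user, role, "revoked early"))
```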

2. Cloud Native Hosting

PAM is vital for protection against cyberattackers at several stages of an attack: gaining an initial foothold, moving laterally, and escalating privilege. However, poorly implemented controls around privileged access can also interrupt or slow down critical production IT work.

For PAM to work well in the cloud, it must have broad SaaS provider coverage and deep IaaS integration. Just as agility and scalability are two of the cloud’s main business benefits, PAM must work seamlessly with cloud security, management, and network processes so as not to interfere with normal IT operations.

3. PAM Must be Part of DevSecOps

IT operations in the cloud center around DevOps and continuous integration and continuous delivery/deployment (CI/CD) processes. IT teams must bake DevOps security steps, like static or dynamic code analysis, into the CI/CD pipeline. PAM capabilities – such as secrets or credential checkout and interactive session control and recording – must be part of DevSecOps. To do that, they must deliver seamless operations and administration and gain IT user and/or developer acceptance.

4. Privileged Task Automation

In the DevOps world, traditional PAM tends to be too slow for automated processes like CI/CD. We need privileged task automation to fully bake PAM into DevSecOps. DevSecOps teams can make PAM part of the release pipeline automation via two families of use cases, and two integration points as shown in the figure below.

Figure: Cloud PAM & DevSecOps

Cloud native hosting, or integration, is also helpful for PAM in DevSecOps. Customers that consume PAM itself as a SaaS service get the benefit of the vendor’s partnerships or integration with key cloud service providers.

5. Service Account Management

The final piece of the cloud PAM puzzle to fully bring privileged access security into the DevSecOps model is service account management. PAM solutions can discover service accounts, remove hardcoded/embedded credentials, offer API support for credential management, enforce credential quality, and manage secrets for DevOps pipeline orchestration processes.

Customers should start managing privileged service accounts by first developing standards to classify and name the accounts. Consider managing the accounts through a PAM system. Focus on the highest-risk service accounts and/or the ones that are part of applications which integrate in a turnkey manner with your PAM solution.

Privileged Access Security Designed for the Cloud

Be aware of the need and opportunity to implement PAM differently in the cloud. It must support cloud native functionality, privileged task automation, JIT access, and service account automation. Begin evolving cloud PAM soon to avoid the greater risk of perpetuating systemic vulnerabilities from cloud gaps with traditional PAM (or a lack of PAM).

Understand the following practical considerations: Many of the IAM and/or CI/CD orchestration technologies underlying PAM in the DevSecOps world are still maturing. Work closely with IT teams per the DevSecOps model. Craft a phased approach, define a 6-12-month minimal viable product (MVP) target, and get started.

For more insights, check out my webinar: The Expanding Universe of Privileges: Why Cloud PAM Matters

Dan Blum

Cybersecurity Strategist and Author

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised 100s of large corporations, universities and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. He's made his new book Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment freely available for Open Access via Apress, or on Amazon.
