With the proliferation of multi-cloud computing environments, it’s critical that privileged access management (PAM) covers both cloud and on-premise systems.

Industry threat reports have found credential misuse to be the #1 cause of breaches. But a compromised account should not in itself be enough for a hacker to score the crown jewels. If it is, that represents a failure of access management systems, such as PAM and identity governance and administration (IGA).

PAM is part of a hybrid, multi-cloud management challenge

Many organizations already run at high risk from over-privileged IT administrators and power users. As they transition to cloud-based solutions, much of the on-premise complexity doesn’t go away. We end up with the hybrid multi-cloud management challenge shown in the figure above.

The stakes are high. A succession of incidents such as the recent breach of Capital One’s AWS S3 storage buckets highlights the need for seamless, but automated, management of privilege in the multi-cloud infrastructure.

To protect the necessary use of privilege in cloud environments, identity and access management (IAM) systems and PAM must support cloud-native application program interfaces (APIs) at all levels of cloud deployment. They must support serverless computing models on top of the traditional Windows or *NIX servers still found in the IaaS layer. IAM and PAM must also operate in more dynamic, high-scale environments.

To rise to the challenge, PAM must improve in three key areas:

  1. Embrace the just-in-time (JIT) access model for cloud access
  2. Improve support for service accounts and the DevOps pipelines in infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments
  3. Integrate with identity governance and administration (IGA) services

JIT PAM – A Transformational Model for Access Control

Privileged accounts – such as those for domain administrators or server root administrators – have too much power to be properly controlled through ordinary IGA tools that map users to roles. PAM solutions provide tight controls around the use of privileged accounts through privileged credential vaulting, session control, and session recording capabilities.

However, although traditional PAM vaults and rotates credentials for privileged accounts, these accounts are static. The binding between the privileged accounts and the privileged roles is static, or “always on.”

Cloud services such as AWS AssumeRole showcase the new Just-in-Time (JIT) PAM model. AssumeRole enables a user to obtain a temporary set of security access tokens and credentials from Amazon’s Security Token Service (STS). Also supported by Microsoft, JIT access significantly reduces the IT attack surface because privileges are not “always-on.”
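As an added illustration (not from the original post), the check below audits IAM role records, shaped like the output of the AWS IAM GetRole API but using constructed sample data, for the “always-on” traits the JIT model removes: long maximum session durations, wildcard trust principals, and AssumeRole trust without an MFA condition. The role names, account id and one-hour threshold are assumptions for the example.

```python
# Constructed sample role records, shaped like the Role object returned by the
# AWS IAM GetRole API (AssumeRolePolicyDocument and MaxSessionDuration).
# Account id and role names are placeholders, not real values.
SAMPLE_ROLES = [
    {
        "RoleName": "prod-db-admin-jit",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
                "Action": "sts:AssumeRole",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            }],
        },
    },
    {
        "RoleName": "legacy-ops-always-on",
        "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": ["sts:AssumeRole"]}],
        },
    },
]

MAX_JIT_SESSION_SECONDS = 3600  # assumed threshold for this example


def audit_role(role, max_session=MAX_JIT_SESSION_SECONDS):
    """Return JIT-hygiene findings for one role record (empty list = clean)."""
    findings = []
    if role["MaxSessionDuration"] > max_session:
        findings.append("session-too-long")
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # only Allow statements granting AssumeRole matter
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append("wildcard-principal")  # anyone may assume the role
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no-mfa-condition")  # trust not tied to a fresh MFA
    return findings


def audit_roles(roles):
    """Map each role name to its findings, for reporting or alerting."""
    return {r["RoleName"]: audit_role(r) for r in roles}
```

In a live account the same records come from `iam.get_role(RoleName=...)["Role"]` via boto3, so the audit can run against real roles without changes to the logic.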

Providing JIT PAM for user accounts in the software-as-a-service (SaaS), PaaS, and IaaS environments not only can significantly reduce risk, it is also a more natural administrative model for serverless environments without the kinds of built-in accounts you find in the traditional OS. JIT PAM epitomizes the concept of least privilege, and it enables IAM solutions to work with “one identity” for privileged users taking on roles or gaining permissions only at the point of need.

Unifying IGA and PAM for User and Service Account Management

Because managing fundamentally role-based JIT access represents a more dynamic process than managing traditional static privileged accounts, JIT PAM should integrate more closely with the same IGA solutions organizations use for role management today.

In the cloud, one immediate challenge is for IGA/PAM solutions to bring DevOps user accounts under a least-privilege identity governance model. DevOps user accounts for the most sensitive applications should only receive elevated privileges after matching relevant risk criteria, and access should be limited to only the granular permissions required.

What about service accounts? Machine and service accounts tend to be more prevalent than user accounts in IaaS environments, yet managing them remains a significant gap for most organizations. IGA and PAM solutions should implement a holistic approach to managing and dynamically assigning roles for both user and service account access.

To this end, service account authentication can be controlled through API keys or secrets vaults. Service account authorization privileges can be controlled through roles known to the IGA system. IGA handles the manual or automated workflows to approve access while cloud PAM solutions may provide containerized access gateways or secrets vaults to DevOps pipeline orchestrators such as Ansible, Chef, and Jenkins.

What’s at Stake

The convergence of JIT access, PAM, and IGA offers the best hope of overcoming PAM’s traditional adoption barriers and adapting it to the cloud environment. It is early days for some of the required IGA/PAM/cloud integrations. This and other practical challenges could lead some customers to go slow on improving cloud PAM coverage. But delaying exploration of cloud IGA/PAM could prolong the life of systemic vulnerabilities related to privilege, and these vulnerabilities will become much worse in a hybrid, multi-cloud environment. Consider tackling the PAM cloud security problem now by looking for easy wins and/or risk reduction to your most critical systems over the next 6-12 months.

Additional Reading

Is PAM the Weakest (Missing) Link in Your Cloud Security Strategy? (Dan Blum webinar)

Despite Recent Breaches, the Cloud is not Falling (blog)

The Guide to Just-in-Time Privileged Access Management (white paper)

Using Secure Remote Access as a Bastion Host for Cloud-Based Access (blog)