
Effective Privilege Management for the Cloud: The 3 Keys

November 27, 2019


With the proliferation of multi-cloud computing environments, it’s critical that privileged access management (PAM) covers both cloud and on-premise systems.

Industry threat reports have found credential misuse to be the #1 cause of breaches. But a compromised account should not in itself be enough for a hacker to score the crown jewels. If it is, that represents a failure of access management systems, such as PAM and identity governance and administration (IGA).

PAM is part of a hybrid, multi-cloud management challenge

Many organizations already run at high risk from over-privileged IT administrators and power users. As they transition to cloud-based solutions, much of the on-premise complexity doesn’t go away. We end up with the hybrid multi-cloud management challenge shown in the figure above.

The stakes are high. A succession of incidents, such as the recent breach of Capital One’s AWS S3 storage buckets, highlights the need for seamless, but automated, management of privilege in the multi-cloud infrastructure.

To protect the necessary use of privilege in cloud environments, identity and access management (IAM) systems and PAM must support cloud-native application programming interfaces (APIs) at all levels of cloud deployment. They must support serverless computing models on top of the traditional Windows or *NIX servers still found in the IaaS layer. IAM and PAM must also operate in more dynamic, high-scale environments.

To rise to the challenge, PAM must improve in three key areas:

  1. Embrace the just-in-time (JIT) access model for cloud access
  2. Improve support for service accounts and the DevOps pipelines in infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments
  3. Integrate with identity governance and administration (IGA) services

JIT PAM – A Transformational Model for Access Control

Privileged accounts – such as those for domain administrators or server root administrators – have too much power to be properly controlled through ordinary IGA tools that map users to roles. PAM solutions provide tight controls around the use of privileged accounts through privileged credential vaulting, session control, and session recording capabilities.

However, although traditional PAM vaults and rotates credentials for privileged accounts, these accounts are static. The binding between the privileged accounts and the privileged roles is static, or “always on.”

Cloud services such as AWS AssumeRole showcase the new Just-in-Time (JIT) PAM model. AssumeRole enables a user to obtain a temporary set of security access tokens and credentials from Amazon’s Security Token Service (STS). JIT access, also supported by Microsoft, significantly reduces the IT attack surface because privileges are not “always-on.”

Providing JIT PAM for user accounts in the software-as-a-service (SaaS), PaaS, and IaaS environments not only can significantly reduce risk, it is also a more natural administrative model for serverless environments without the kinds of built-in accounts you find in the traditional OS. JIT PAM epitomizes the concept of least privilege, and it enables IAM solutions to work with “one identity” for privileged users taking on roles or gaining permissions only at the point of need.
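As an added illustration (not part of the original post), the trust policy below shows what the JIT properties described above look like on an AWS role: the role can only be assumed by identities in the account that authenticated with MFA, only while that MFA authentication is less than an hour old, and only when the session is tagged with a change-ticket identifier that the approval workflow can audit. The account id 111122223333 and the tag name ChangeTicket are assumed example values; an always-on variant would list the principal alone with no Condition block.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JitAssumeWithMfaAndTicket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "3600"
        },
        "StringLike": {
          "aws:RequestTag/ChangeTicket": "CHG-*"
        }
      }
    }
  ]
}
```

The assuming identity still needs sts:AssumeRole and sts:TagSession in its own identity policy, and the role's MaxSessionDuration (one hour by default) caps the DurationSeconds a caller can request, so the issued credentials expire on their own rather than staying bound to the role.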

Unifying IGA and PAM for User and Service Account Management

Because managing fundamentally role-based JIT access represents a more dynamic process than managing traditional static privileged accounts, JIT PAM should integrate more closely with the same IGA solutions organizations use for role management today.

In the cloud, one immediate challenge is for IGA/PAM solutions to bring DevOps user accounts under a least-privilege identity governance model. DevOps user accounts for the most sensitive applications should only receive elevated privileges after matching relevant risk criteria, and access should be limited to only the granular permissions required.

What about service accounts? Machine and service accounts tend to be more prevalent than user accounts in IaaS environments, yet managing them remains a significant gap for most organizations. IGA and PAM solutions should implement a holistic approach to managing and dynamically assigning roles for both user and service account access.

To this end, service account authentication can be controlled through API keys or secrets vaults. Service account authorization privileges can be controlled through roles known to the IGA system. IGA handles the manual or automated workflows to approve access while cloud PAM solutions may provide containerized access gateways or secrets vaults to DevOps pipeline orchestrators such as Ansible, Chef, and Jenkins.

What’s at Stake

The convergence of JIT access, PAM, and IGA offers the best hope of overcoming PAM’s traditional adoption barriers and adapting it to the cloud environment. It is early days for some of the required IGA/PAM/cloud integrations. This and other practical challenges could lead some customers to go slow on improving cloud PAM coverage. But delaying exploration of cloud IGA/PAM could prolong the life of systemic vulnerabilities related to privilege, and these vulnerabilities will become much worse in a hybrid, multi-cloud environment. Consider tackling the PAM cloud security problem now by looking for easy wins and/or risk reduction to your most critical systems over the next 6-12 months.

Additional Reading

Is PAM the Weakest (Missing) Link in Your Cloud Security Strategy? (Dan Blum webinar)

Despite Recent Breaches, the Cloud is not Falling (blog)

The Guide to Just-in-Time Privileged Access Management (white paper)

Using Secure Remote Access as a Bastion Host for Cloud-Based Access (blog)

Dan Blum, Cybersecurity Strategist and Author

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised 100s of large corporations, universities and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. He's made his new book Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment freely available for Open Access via Apress, or on Amazon.
