Mitigating Privileged User Risk for Cloud & DevOps Environments

Privileged user risk has risen in the modern computing environment. We need to re-factor privileged account management (PAM) for cloud environments, and for DevOps management models.

How and Why Has Privileged User Risk Spiked?

BeyondTrust and Forrester Consulting surveyed work-from-home (WFH) trends. The survey reports 91% of respondents forecasting an increase in the size of the remote workforce versus 45% before the pandemic. It also determined that 53% of US workers reported wanting to work from home more, even after the pandemic is over. No big surprise there.

The problem is that work-from-home security deficiencies, such as insecure Wi-Fi networks, shared computers, use of personal computers to access company resources, and weak passwords, put companies at risk. When combined with the fact that the users working from home to access your company's IT systems may also be employees of a third-party / vendor, privileged user risk spikes even more.

Finally, increased adoption of cloud environments such as Salesforce, Workday, Microsoft Office 365, Google for Work, and many others, also expands both the types of privileges, and the number of credentials or privileges that users require to perform their day-to-day work.

Refactoring PAM systems for Hybrid, Multicloud Environments

Old-school PAM systems were agent-heavy and cumbersome. They relied heavily on closed security environments--where most users worked inside the corporate network--and proprietary APIs. Many still lack the necessary flexibility to support the modern mélange of cloud systems and remote users. Many still coexist only uneasily with cloud computing solutions, such as Amazon Web Services or Microsoft Azure.

Fortunately, as I described in my February 24 webinar, Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets, newer PAM systems can be de-coupled to work in multiple infrastructure environments with multiple enterprise application models, using the PAM blueprint in Figure 1 below.

FIGURE 1: KEY

1. A single PAM service access point can logically live in the DMZ, but be hosted in any of your data centers or infrastructure-as-a-service (IaaS) environments.

2. The service access point authenticates users and hands sessions off to a PAM controller.

3. The controller authorizes privileged user sessions to the target assets.

4. The controller selects PAM administration points, or jump hosts, integrated with the computing platforms hosting the assets.

5. The administration point connects privileged users to assets, tunneling HTTPS to the native protocols, such as RDP or SSH.

PAM systems must also embrace and extend the zero trust model of no access without authentication. Authenticating all users and services regardless of where the access originates is just the first step. The next step is to implement the just-in-time (JIT) access model described below.

Re-factoring PAM systems for DevSecOps

DevOps enables cloud computing to deliver on its promise of cost-savings, business agility, and scalability. Thus, it's no surprise that DevOps is the cloud management style. To ensure DevOps security doesn't get left behind, security steps such as code analysis, vulnerability assessment, and PAM can be incorporated to the continuous integration continuous deployment (CICD) cycle of software changes and releases. With these, DevOps becomes DevSecOps.

PAM is a DevSecOps component, and to be that it must do three things:

1. Provide single command privilege task automation by integrating with the CI/CD orchestrators like Chef, Puppet, Jenkins, and Ansible.
2. For higher risk operations, implement the JIT access model to both users and services, instead of allowing standing access to accounts authorized with static credentials.
3. Support the management of service accounts (for applications) and user accounts with equal aplomb. To that end, we included the secrets vault for services as a critical component of the PAM blueprint in Figure 1.

Cloud PAM Big Picture

Some critical steps for a successful cloud privileged account management program are:

• Store passwords, credentials, and secrets used by privileged human users and applications and rotate them based on policy to prevent credential theft.
• Implement JIT access policies to reduce the risk of superuser roles, accounts, or unnecessary permissions.
• Manage and monitor access to critical assets with transparent connections to target systems to prevent credential exposure.
• Detect and prevent attacks involving privileged access using privileged user analytics, SIEM systems integration, and privileged system audits.
• Create an unalterable audit trail for any privileged operation

To get more details on privileged user risk, the 2021 PAM blueprint, and how to refactor PAM for cloud and Devops, please check out my on-demand webinar: Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets.