5 Tips for Deploying Cloud PAM
Privileged account management for the cloud (cloud PAM) is at long last becoming easier to deploy. To see why, check out my September 17 webinar for BeyondTrust – The Expanding Universe of Privileges: Why Cloud PAM Matters. Therein, I highlight five architectural capabilities cloud PAM solutions are at long last using to close gaps with, and often exceed, the value of premise-based counterparts.
Security and compliance concerns drive many enterprises and cloud service providers (CSPs) to deploy PAM. Phishing attacks routinely compromise end user devices and accounts. Businesses must protect their core systems from these compromised accounts and devices, from other insider threats, or from privilege escalation attacks moving laterally via vulnerable service accounts.
Because PAM can interrupt the kill chain from a compromised user credential or service account to a breach of the businesses’ crown jewels, its absence can be an audit finding favorite. And as businesses move IT functionality into cloud environments, they must deploy PAM in the cloud too.
PAM Deployment Challenges
PAM can help organizations comply with GDPR, PCI DSS, HIPAA, SOX, and other regulatory requirements, as well as reduce the risk to core IT assets. But as described in Privileged Account Management (PAM) is Necessary, but Deploying it Stinks, getting these benefits can be difficult. I still remember years ago Phil Lieberman (then CEO of Lieberman Software) confessing: “No one deploys my product because they want to, they do it because someone tells them they have to.”
I’ve often been called to help customers struggling with technical or architectural PAM problems. Password vaults can become single points of failure. Load-balancing, performance and scalability concerns can dog session management and service account protection solutions. Emergency access processes are needed should PAM session management capabilities fail. Integrating PAM with IGA (identity management), ITSM (ticketing), and SIEM (monitoring) systems is no trivial matter.
To get help with PAM deployment challenges, contact us, or go here to learn more about our services.
However problematic PAM’s technical issues may be, the stakeholder adoption challenges are even more serious. For many years, PAM has remained a niche technology in on-premise IT environments because IT administrators – the intended users – resist it. As vital as PAM is for protecting powerful privileged accounts, poorly implemented controls over privileged access can interrupt or slow down critical production IT work. And up until recently, PAM’s adoption challenges have only been magnified as organizations move IT capability to the cloud.
PAM is a poster child for the cybersecurity-business alignment issues I address in my newly published book Rational Cybersecurity for Business. Check out this security leaders’ guide to alignment – downloads are complimentary!
Traditional PAM Cloud Gaps
When IT or security teams first tried to deploy PAM in the cloud, they had to address new kinds of privileged accounts in services such as AWS or Azure as well as SaaS environments. Traditional PAM solutions did not adapt well. They have had the gaps shown in the figure below.
The Next Generation
Fortunately, newer cloud PAM solutions are closing these gaps by implementing the following critical capabilities:
- Cloud-native hosting
- PAM baked into DevSecOps
- Just-in-time access
- Privileged Task Automation
- Service Account Management
I talk about each of capabilities below, and also cover them in my September 17 webinar for BeyondTrust – The Expanding Universe of Privileges: Why Cloud PAM Matters.
Cloud-Native, or Cloud Integrated Hosting
For PAM to work well in the cloud, it must have broad SaaS provider coverage and deep IaaS integration. Just as agility and scalability are two of the cloud’s main business benefits, PAM must work seamlessly with cloud security, management, and network processes so as not to interfere with normal IT operations.
Tip: Favor PAM solutions deployed in the cloud and integrated with cloud providers’ native APIs. Ask the vendors how they partner with cloud providers, what standards-based interfaces they support, and how they manage change to the APIs.
PAM Baked into DevSecOps
IT operations in the cloud center around DevOps and continuous integration and continuous delivery/deployment (CI/CD) processes. IT teams must bake DevOps security steps, like static or dynamic code analysis, into the CI/CD pipeline. PAM capabilities – such as secrets or credential checkout and interactive session control and recording – must be part of DevSecOps. They must deliver seamless operations and administration and gain IT user and/or developer acceptance.
Tip: Each of the next three capabilities – JIT access, privileged task automation, and service account management – are DevSecOps imperatives. Work closely with the DevOps teams your PAM solution could impact to integrate them in a well-planned, phased manner. The overall goal should be to improve as well as protect the IT administrators’ user experience.
Just-In-Time Access (“JIT PAM”)
JIT privileged access differs from traditional privileged access because it is OFF by default. It is only switched ON when a user needs privileged access and can get it approved through a business rule or workflow process. Only then does the IAM or PAM system enable the privileged access by turning on an IT permission or calling a system API. JIT access greatly reduces the number of standing privileges available for cyberattackers to exploit. This also reduces the privileged user attack surface on-premise, in the cloud, or wherever JIT access is used.
Tip: To provide JIT access to privileged accounts, PAM tools must integrate with identity governance and administration (IGA) tools. They must also integrate with cloud-native identity APIs such as the AWS AssumeRole.
Privileged Task Automation
In the DevOps world, traditional PAM tends to be too cumbersome for automated processes like CI/CD. We need privileged task automation to fully bake PAM into DevSecOps. DevSecOps teams can make PAM part of the release pipeline automation by providing single command privileged operations for:
- Project approvals or exceptions
- Moving builds to production
- Emergency hot fix or change control operations
- Creating or re-configuring production workspaces
- Accessing or re-configuring sensitive audit or event streams
- And many other tasks
Tip: To provide privileged task automation, PAM solutions must integrate with IGA or ITSM tools that process access request workflows or manage business rules. Integrate PAM with cloud providers’ platform and orchestration capabilities, or tools such as Chef, Ansible, and Jenkins.
Service Account Management
Last but not least, cloud PAM solutions can discover service accounts, remove hardcoded/embedded credentials, offer API support for credential management, enforce credential quality, and manage secrets for DevOps pipeline orchestration processes. In the past, security teams deploying PAM often had to painstakingly install agents, shims, or plug-ins to manage applications’ service accounts. Today, however, cloud-based applications are more likely to provide a credential management API.
Tip: Start managing privileged service accounts by developing standards to classify and name the accounts. Consider managing the accounts through a PAM system. Focus on the highest-risk service accounts and/or the ones that are part of applications which expose APIs that integrate in a turnkey manner with your PAM solution.
Start evolving cloud PAM soon to avoid the greater risk of perpetuating systemic vulnerabilities from cloud gaps. Be aware of the need and opportunity to implement PAM differently in the cloud. Look for solutions that support the 5 critical capabilities for cloud PAM.
Understand that your primary issue could be getting IT administrator adoption and plan the program carefully to make sure no technical glitches or support issues impact your ability to create a friction-free administrator experience.
Contact us if you would like some help developing a PAM deployment architecture and roadmap or working with IT teams per the DevSecOps model.