Privilege access management (PAM) has been a difficult problem to solve in the enterprise ecosystem. Solving the problem of PAM on the cloud has its own set of unique challenges and traditional models do not fit on the cloud.
Challenges of the cloud
1. Access Assignments lack context and access needs
Privileged access to cloud components includes managing it for three key entities: Management Consoles/CLIs, Cloud APIs, and assets/workloads. Access to these entities is provided by native IAM constructs viz. Roles, Permissions or Policies, and these access assignments are static or non-elastic in nature. They don’t provide the means to evolve intelligently as and when the users’ job profile, assets classification, or access needs change.
2. Disconnected Residual Access with plausible data breaches/leakages
Lack of well-defined user lifecycle processes often results in terminated users still having access to cloud assets/platforms via local cloud accounts, which could easily lead to potential data breaches.
3. Determining least privileged access at a point in time or continuously is challenging and expensive
The inherent challenge with determining the user’s access on cloud assets/platforms lie within thousands of native JSON based policies, permissions, and roles objects. Understanding the user’s net access at a point of time requires crunching, sifting through, and calculating these numerous objects. Adhering to the principle of ‘Least Privileged Access’ requires not only the calculation but also refine them continuously. This is an extremely expensive affair in terms of effort and costs.
4. Traditional on-premise PAM solutions are not cut out for the needs of Cloud and impacts user experience
Infrastructure as code has changed the definition of privileged access. IaaS (Infrastructure as a Service) services can interact with multiple CI/CD (Continuous Integration/Continuous Development) tools, DevOps platforms (Chef, GitHub, Jenkins, etc.), or avenues (console/CLI/API, etc.). PAM for IaaS means not only defining the same for native IaaS services but also for DevOps and CI/CD tools. Concept of shared-IDs and hardened Jumpboxes (bastion-hosts) to funnel the privileged requests fail to scale on cloud due to its elasticity.
5. Volume and Velocity – Barriers in effective privileged activity monitoring
The inherent nature of the cloud’s elasticity contributes to the velocity of activity logs. Organizations can have thousands of cloud assets/workloads created/destroyed within a day.
The volume of logs is another big issue to tackle. Volume for average size cloud ecosystem/datacenter could easily range in terms of terabytes. This makes usage monitoring difficult and privileged usage monitoring extremely difficult.
Further due to different implementations of session Identity information for console vs API vs workloads the correlation of privilege identity and its activity is often incorrect and inconsistent
6. Varied business processes across Cloud Accounts/Subscriptions
Reducing the blast radius on Cloud Environments/IaaS data centers is important, but it leads to the creation/setup of multiple Cloud Accounts/subscriptions for an organization. These are often managed by individual business units or groups each having their own defined processes for Identity lifecycle, access management, and, above all, different interpretations of privileged access. Varied business processes and disjoint identity lifecycles can lead to unauthorized privileged access to critical assets.
Cloud needs a better PAM solution and it needs to be elastic!
1. Access assignment should elevate or drop based on the usage patterns, activity context, and user’s profile
Combining users’ access patterns and usage will allow creating an intelligent system that can elevate/drop access assignments. This is imperative to maintain the principle of least privileged access in the ecosystem. Intelligence profiling and learning allows the system to do this automatically thereby reducing the manual effort and saving costs in the long term
2. Just in time administration to decrease risk exposure
Access to be elevated only for a specified duration in cases of emergency/firefighting, post which the access assignment to be dropped back. This should be followed with the retrieval of privileged activity logs and feeding back to the system for review and adjustment of access assignments. Helps in increasing the overall security posture of the ecosystem
3. JML (Joiner/Mover/Leaver) processes to be integrated with Cloud access assignment processes to ensure no residual access for Cloud IAM accounts
A well-defined centralized Identity Administration and Governance (IGA) solution integrated with both enterprise as well as Cloud systems is paramount. It can effectively reduce the overheads and security risks carried by varied business processes and provide a single platform to manage the identity lifecycle across cloud platforms and enterprise systems.
4. Extend PAM to DevOps and CI/CD platforms
Infrastructure as code, Immutable Infrastructure, Phoenix Servers, or Drift Management concepts are on the rise and being widely adopted by organizations moving over to the cloud. CI/CD platforms and DevOps processes are helping organizations to realize these concepts. Managing privileged access should no longer be confined to IaaS entities, rather every avenue/channel germane to interact or consume Cloud services falls under the umbrella to be managed for PAM.
5. Stacked correlation with big data platforms for effective and consistent PAM monitoring
Ingesting and sifting logs and then deducing meaningful information out of it requires a solid feat of engineering and requires the adoption of big data technologies (Apache Spark, Elasticsearch, etc.). Stacking the correlation for session information is key to tie the privileged identity against the activity performed. Logs from sources including Cloud platforms, DevOps, and CI/CD processes should be streamed to big data platforms and correlated to ensure effective privileged activity monitoring.
As cloud technologies evolve, so would PAM solutions. However, the fundamental principle of Cloud PAM solution to be elastic is going to stick. Elasticity for Cloud PAM is the need of today and will be for the future too!
About The Author: As Saviynt’s Chief Cloud Officer, Vibhuti Sinha, is the owner of Saviynt’s cloud platform and products of Saviynt. As the owner of Saviynt’s cloud platform, he is responsible to deliver Saviynt’s IGA and cloud security offerings as services to its customers across the globe. He is also responsible for the strategy and innovation of products to secure various cloud providers, cloud applications and platforms. He has 16+ years of experience in defining security vision and roadmap, building security solutions, defining IAM strategy and implementing large scale security platforms for Fortune 500 organizations.
*This is a guest post. All opinions and thoughts are those of its author and do not reflect on Techaeris or its staff.
Last Updated on February 3, 2021.