Privileged Access for Cloud-Native Workloads (Cloud PAM): Securing Identities in dynamic environments; on-premise, hybrid & public cloud
Many factors from cost savings, convenience, zero trust, remote access, and work from home have most organizations fully immersed in cloud migration. It is now a question of how much technology and assets to deploy in the cloud and how fast. Organizations are leveraging a combination of SaaS, IaaS, or PaaS models and hosting their applications in a public or private cloud. Their employees are almost certainly operating by utilizing some form of cloud applications and services.
Based on numerous State of the cloud Reports, organizations are embracing multi-cloud and not locking themselves into one public cloud provider. A multi-cloud approach is still the de facto standard among organizations. Eighty-nine percent of organizations have a multi-cloud strategy, and 80 percent take a hybrid approach by combining public and private clouds. And most organizations employ three or more public clouds from leading providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
The security that companies enjoy on-premises is often not portable to cloud environments
The transition to multi-cloud environments has helped organizations adapt quickly to needs for better remote access and work from home. Unfortunately, the security that companies enjoy on-premise is often not portable to cloud environments. Or the security necessary for one cloud environment may not be adequate or compatible with another cloud environment.
It is not surprising that access control solutions are often taken for granted. Many concepts and technologies we are using now were introduced a couple of decades ago. In many cases, roles and privilege management are prebuilt within the software and platform providers. However, with the way businesses today depend on the modern computing environment as a primary tool for competitive advantage, there's increased weight to the security risks these older technologies introduce.
The four major challenges
Let's explore the four major challenges which are present in the modern cloud and cloud-native environments for access control.
1. Increased power of privileged accounts
The power of API-based interaction (and DevSecOps) has increased the sensitivity of privileged accounts in modern environments. The cloud and cloud-native environments give superpowers to teams that want to manage highly available, consistent, and scalable environments. These superpowers come with risks, however, and can also be misused by adversaries.
2. Expanded Attack Surface
Today, the responsibility of infrastructure management has shifted from IT departments to individual teams that deploy and manage their infrastructure. According to research, there are on average, 40-60 SaaS apps used per department and more than 200 different SaaS apps used by the company as a whole. The attack surface has also increased due to cloud platform local accounts being created (e.g., AWS IAM accounts) plus those API keys for remote programmatic access plus additional local accounts on Linux and Windows instances provisioned in the cloud. That is a huge attack surface for privileged accounts.
Compare that with traditional environments where most security concerns consisted of managing privileged accounts in a handful of Windows and Linux servers, SharePoint, databases, and hardware appliances, including router firewalls and switches. Additionally, the level of access shared with third-party apps and contractors in the supply chain is constantly growing, which is far more challenging to track and control.
3. Keeping up with fast-paced and automated workflows
Another significant difference between traditional and modern environments is how the workflows have evolved, with more focus on automation, machine-to-machine access, use of modern tools for communication, and the level of automation. This means that a traditional centralized model of manual approval and assignment of privileged access is hard to scale in the modern workflow. Administrators often fall into the harmful practice of assigning permissively scoped, long-standing, and long-lived credentials to keep pace with modern workflows, which creates a very risky scenario prone to security compromise.
4. Mixed environments
Many enterprises, especially businesses that have been operating since the data center era, have mixed environments, using traditional self-managed or co-located data centers, cloud infrastructure, and cloud-native infrastructure. It is challenging to consolidate Privileged Access Management (PAM) across different environments as many available PAM solutions are not designed to address the use cases of these environments at the same time.
Major public cloud providers understand that their environments require unique privileged access requirements
As previously mentioned, the security that companies enjoy on-premises is often not portable to cloud environments. Or the security necessary for one cloud environment may not be adequate or compatible with another cloud environment. The major public cloud providers understood that their environments require unique privileged access requirements and therefore released their own (albeit with limited features) PAM solutions. These solutions only support their unique environments and not multi-cloud or hybrid cloud infrastructures.
Four ways to approach modern PAM
The following are four ways we should be approaching modern PAM for cloud and cloud-native environments, which requires an integrated next-generation solution.
1. Prioritize PAM
Just like how application security is now being treated as a priority in the software development process, PAM should be at the forefront of the infrastructure design process. Traditionally, teams design infrastructure, implement an access management solution and add privileged access control solutions. For maximum ROI in terms of security and cost, PAM solutions should be natively integrated with infrastructure operation workflows, creating a seamless experience for users.
2. Consolidate privileged access across all environments
Enterprises should think about how to consolidate privileged accounts across all environments. PAM is more challenging for teams that operate all three types of infrastructure: traditional co-located data centers, cloud infrastructure, and cloud-native infrastructure. Without a proper consolidation of privileged accounts and access across all these environments, there is no way to standardize and enforce PAM best practices.
3. Adapt to modern infrastructure management workflows
The modern infrastructure management workflow comprised of infrastructure as code, GitOps, and ChatOps for communication and alert makes it easy to enforce and standardize security management at scale. The level of automation provided with API-based configuration makes it handy to contain threats in the case of compromise of privileged accounts. The credential and access management process should also be automated and scriptable on demand.
4. Assign zero standing privileges with auto-expiring credentials
Zero standing privilege reduces the window of potential misuse of sensitive accounts. You can further reduce this window by implementing auto-expiring credentials such as certificates with short TTL. Combining zero standing privilege with auto-expiring credentials is the recommended way to minimize the chance of account compromise and limit the blast radius of the compromised credentials.