PAM cloud security is different. Let me explain why
Joseph Carson
The 2020 Verizon Data Breach and Incident Report (DBIR) published in May gives a clear indication of where Privileged Access Management (PAM) security is going these days. And the forecast is for cloudy skies ahead. That’s because:
77% of cloud breaches are due to compromised credentials
Attacks on web applications more than doubled in 2019
With credentials as the overwhelmingly preferred attack vector and more organizations worldwide relying on cloud applications and services, protecting privileged access to the cloud has become even more of a priority. Chances are you’re already dealing with a hybrid environment where the cloud is a major portion of your IT environment. In my new eBook, Privileged Access Cloud Security for Dummies, I succinctly describe the challenges this situation poses, and how to think about controlling and securing access for all your users.
The free 16-page eBook gives you a concise overview of cloud access security along with practical tips to develop an effective cloud security strategy that protects both IT and business users, including:
- Key privileged access security challenges
- Proven approaches to securing privileged access for remote workers and third parties
- Best practices for securing cloud privileged access
Privileged Access Cloud Security for Dummies is a quick read that puts the issue of cloud security for privileged accounts in context and explains the major differences in Privileged Access Management that evolving cloud infrastructures require.
PAM without perimeters
Both human and non-human privileged accounts exist everywhere in IT environments. IT administrators, as well as business users, are using them every day to automate and manage critical data, applications, and IT services. And, they are very likely gaining privileged access to cloud services.
These privileged accounts used to be safeguarded inside a defined perimeter with firewalls, VPNs, and various other security tools. But in the always-on, Internet-connected global marketplace, the traditional perimeter has disappeared as most organizations now rely to some degree on cloud-based applications to conduct business.
I like the analogy of a vehicle parked in a garage to illustrate the differences between on-premises security and cloud security
This “new normal” requires adjusting the typical PAM mindset to the specific challenges involved in cloud security privileged access. I often use the analogy of a vehicle parked in a garage to illustrate the differences between on-premise security and cloud security.
On-premise security is when you park your car in your own garage. You protect the car with a garage door—your primary security control. You don’t need to worry about whether the car door is locked, the window is closed, or if anyone can see what’s inside the car.
A person inside your garage is an authorized privileged user who can gain access through the garage door. As long as that person has satisfied the security control—such as having the authorized key or a garage door opener, she gets access. Once she’s inside the garage, she can move around at will.
When securing a cloud environment, the garage door method simply doesn’t work. Taking your car out of your garage and parking it in a shared parking lot is similar to an account in the cloud. It’s no longer located in a traditionally guarded perimeter (your garage) and therefore needs additional security controls to protect it.
- Access control to the car (Privileged Access Management)
- The ability to see inside the car (encryption)
- Identity verification of the person accessing the car (multi-factor authentication)
Controlling access to the cloud is one of the most critical security controls a company can undertake. You need to not only protect the authentication to the cloud applications but also provide continuous validation and verifications of privileged users’ actions after they’ve been authenticated.
Consider every user a privileged user
Remote workers, third-party contractors, and business users with personal devices are now accessing privileged accounts every day, and across the globe. Thus, all cloud access is becoming privileged whether it’s due to the level of access granted in the account, or the access to sensitive information.
Making sure these users get easy and secure access to the cloud poses ever-growing cybersecurity challenges for IT security professionals. Here is a sampling of how cloud security impacts the risks for incidents and breaches:
Top causes for cloud-related security incidents and breaches
Poor access management: Default passwords, credential stuffing, phishing, and abusing stolen credentials are all too common causes of security breaches.
Insecure applications and APIs: Automation without authentication, hard-coded passwords and tokens, and even clear text authentication often lead to security incidents. DevOps has increased these security risks as well.
Misconfigured cloud storage: Public-facing database breaches have been on the rise. These instances can result from misconfigured security policies’ use of default settings, which sometimes means giving the public access to everyone. Default settings don’t always mean security is enabled.
Distributed Denial of Service (DDoS) attacks: When a cloud service becomes the target of a DDoS attack, you become a secondary victim. If you’re dependent on the cloud service, your service will also be impacted.
Overprivileged users: Organizations tend to give more privileges to users than they require, and this practice means that after an attacker has compromised an overprivileged account, he can carry out the attack in fewer steps (the number of steps is usually two to four for most security incidents).
Shared credentials: Lost visibility, poor audit trails, and no control with shared credentials result in easy-to-guess passwords or poor practices when sharing between employees.
Password-only security controls: Unfortunately, many companies still rely on a single password as the only security control keeping unauthorized cyber criminals from abusing their cloud solutions and even their security tools.
Securing third-party access and remote employees: Opening access means you lose control and visibility over the security controls on employees’ endpoints and networks. Identity access management (IAM), which is the process that combines policies and technology to enable authorized access, becomes the new perimeter.
Shadow IT: It’s all too easy for employees to procure cloud services and, yes, sometimes without the knowledge of IT or the security team. When business departments decide to obtain their own IT solutions without approval, this is called Shadow IT.
Take a PAM lifecycle approach with a cloud twist
Securing privileged cloud access begins by understanding what it means for your specific organization and how the causes for incidents listed above affect you. Don’t assume access relates only to certain roles or employees. In fact, most privileged access also involves non-human accounts that manage infrastructure, remote access, automation, service accounts, third-party access, and DevOps privileged accounts.
Follow the PAM lifecycle approach to ensure that you are properly protecting your cloud infrastructure interactions
Taking a PAM lifecycle approach to security, cloud access provides a proven framework for managing privileged accounts whether on-premise or in the cloud. Following this path is the best way to ensure that you are properly protecting your cloud infrastructure interactions.
Define access – Your business functions rely on data, systems, and access, and dependencies on these entities vary from one organization to another, so make sure to define your privileged cloud access. If you aren’t sure how to get started, refer to your disaster recovery plan—it typically classifies your critical business systems, applications, and data. Then, map your privileged accounts to your business risk and business operations.
Develop IT cloud access policies – Your organization should have a policy that details acceptable use and responsibilities for privileged cloud accounts? Your working understanding of who has privileged access, and when it’s used, is vital. Treat privileged accounts separately by clearly defining a privileged account and spelling out acceptable use policies. Identify and track ownership of privileged accounts throughout their life cycle.
Discover your privileged accounts – Automated Privileged Access Management (PAM) software identifies your privileged accounts, implements continuous discovery to curb privileged account sprawl, identifies potential insider abuse, and reveals external threats. Ongoing visibility of your privileged account landscape is central to combating and reducing cybersecurity threats.
Protect your passwords – Verify that your solution can automatically discover and store privileged accounts; schedule password rotation; audit, analyze, and manage individual privileged session activity; and monitor accounts to quickly detect and respond to malicious activity. Protecting your privileged account cloud passwords goes beyond having a password manager.
Establish Single Sign-on sessions to target systems for better operational efficiency of administrators that combine multi-factor authentication and privileged access security. Your goal is to minimize the ability of humans to create and choose passwords. This oversight reduces cyberattacks that use techniques, such as credential stuffing, while helping to eliminate exploits of bad cyber hygiene behavior, such as password reuse.
Limit IT admin access – Develop a least-privilege policy to enforce least privilege on endpoints and to limit IT admin access to cloud applications without disrupting business operations. Privileges should only be granted on demand when required and approved. Least privilege and application-control solutions enable seamless elevation of approved, trusted, and allowed applications while minimizing the risk of running unauthorized applications.
Monitor and record sessions – Your PAM solution should monitor and record privileged account activity, which helps enforce proper behavior and avoid mistakes by users. Audit, record, and monitor privileged activities to assist with regulatory compliance. You must be able to manage, monitor, and restrict the administrative access of IT outsourcing vendors and managed service providers (MSPs) to cloud and internal IT systems because many incidents result from compromised third parties.
Detect abnormal usage – Visibility into the access and activity of your privileged accounts in real-time helps catch suspected account compromise and potential user abuse. Track and alert on user behavior. Early detection of security incidents significantly reduces the cost of a data breach.
Respond to incidents – Include privileged access in your incident response plan in case an account is compromised. Simply changing privileged account passwords or disabling the privileged account isn’t adequate when a privileged account is breached. If you need help with your incidence response plan, check out Delinea's customizable cybersecurity incident response plan template.
Audit and analyze – Continuously monitoring privileged account usage via audits and analysis reports helps identify unusual behaviors that may indicate a breach or misuse. These automated reports track the cause of security incidents and demonstrate compliance with policies and regulations.
Cloud security best practices for protecting privileged access
The eBook concludes with descriptions of what I consider to be the top five best practices for managing privileged access to the cloud. Here are the highlights, with more detail in the eBook.
Enable widespread Least Privilege access security – After a user is verified, the user’s access should be limited to only what is necessary to accomplish a specific task or job. In the past, least privilege was seen by employees as an impediment to productivity and organizations often enabled local privileged access for almost every employee — a highly risky practice. The solution comes from enabling just-in-time (JIT) privileged access to the cloud with detailed security controls. And, keep in mind that implementing least privilege on servers or endpoints isn’t enough. Least privilege security controls must encompass all privileged access, including cloud-based systems, applications, databases, and infrastructure.
Automate access to make security work for you – Security controls must be scalable, efficient, and require the least amount of resources possible — and that requires automation. Automation also mitigates the risk of human error by reducing the amount of manual effort required to complete tedious and repetitive low-level tasks.
Integrate solutions to create a “security society” – Your cloud security controls should offer automated API integration of other security tools. Integrated solutions help create a “security society” where all tools and components can enhance and complement each other to improve security posture and reduce overall cyber risks.
Minimize user friction by implementing usable security solutions – Users have too often viewed security controls as barriers to productivity. Yet, it’s productivity and ease of use that drive users to use cloud resources. Privileged access cloud security solutions must build in ease of use, operating in the background as much as possible. Security tools that are too complex aren’t just difficult to use; they’re downright dangerous.
Move beyond Zero Trust to Adaptive Risk-Based Trust – As critical resources and data continue to move to the cloud, your security controls must be dynamic and able to adapt to evolving threats. For example, you can have an “always verify” and “always monitor” policy for third-party vendors or contractor identities. Internal employee classifications would be adaptive based on the sensitivity of the data being accessed.
Automated tools are available to safeguard cloud access
Managing and controlling access to privileged accounts is a continuous process as more applications utilize the advantages of cloud-first strategies. Cloud-ready, automated access control tools are essential to protecting the critical data associated with privileged accounts.
Privileged access cloud security solutions must add value to the business on multiple levels:
- Providing an intuitive interface
- Being quick to learn
- Delivering immediate value
- Contributing to making each user's job easier
Delinea offers access control solutions that meet all of the above criteria with Secret Server, which offers business user licenses to empower privileged business users to manage passwords securely. By including business users in a central, IT-managed vault, you reduce risk and gain oversight of business user behavior without impeding productivity. With Secret Server, business users don't need to worry about taking on responsibility for Privileged Access Management.
- With Role-Based Access Control (RBAC), you control what users can do. They can access the data they need to do their job, securely.
- For access to web-based applications, users can log in via Secret Server's Web Password Filler to get to their stored credentials without compromising the password.
- Business users can securely share secrets with accessible audit trails for admins.
- Users can easily access and manage passwords on the go, with the Delinea Mobile app, which can be accessed from the Apple Store and Google Marketplace.
- Each user has their own folder structure to store unique secrets with access approval rights.
In addition, Secret Server also allows you to create privileged accounts for AWS resources quickly and may be abandoned just as quickly. With such a fluid process, it's difficult for security teams to stay on top of how many privileged accounts have access to AWS, make sure they're set up properly, and remove them when they're no longer needed. To match the fluid nature of these accounts, continuous AWS account discovery is an essential cloud security control PAM teams need in their arsenal.
Security and IT administrators can also easily identify active resources in Google cloud since Secret Server connects to Google cloud infrastructure to detect running Windows and Linux instances and identify accounts being used on those resources. Once you know which accounts are used, you can secure Google cloud Platform IAM service accounts with Secret Server controls such as Secret creation and key rotation.
Related Reading: Secret Server for Business Users
Cloud security success means rejecting complexity
Privileged access cloud security must be useable and help employees achieve their goals and metrics. When security becomes too complex, IT admins and business users look for ways around controls that get in their way. For privileged access cloud security to be successful, it must focus on a business and people-first strategy. It must contribute to business efficiency, increase productivity, and enable employees to perform their jobs within a positive experience.
Download my free eBook Privileged Access Cloud Security for Dummies
You may also be interested in our: Cloud Security Best Practices Checklist
PAM in the Cloud. Powerful. Secure.