Why does cloud need elastic PAM?
Privileged Access Management for cloud requires a unique perspective and a creative solution because of the inherent elasticity, scalability and agility of the cloud.
Privilege access management (PAM) has been a difficult problem to solve for in the enterprise ecosystem. Solving the problem of PAM on the Cloud has its own set of unique challenges and traditional models do not fit on the Cloud.
Challenges of the cloud is comprised of:
1. Access Assignments lack context and access needs
Privileged access to cloud components include managing it for three key entities: Management Consoles/CLIs, Cloud APIs and assets/workloads. Access to these entities are provided by native IAM constructs viz. Roles, Permissions or Policies and these access assignments are static or non-elastic in nature. They don’t provide the means to evolve intelligently as and when the users job profile, assets classification or access needs change.
2. Disconnected Residual Access with plausible data breaches/leakages
Lack of well-defined user lifecycle processes often result in terminated users still having access to cloud assets/platforms via local cloud accounts, which could easily lead to potential data breaches.
3. Determining least privileged access at a point in time or continuously is challenging and expensive
The inherent challenge with determining the user’s access on cloud assets/platforms lie within thousands of native JSON based policies, permissions and roles objects. Understanding the user’s net access at a point of time requires crunching, sifting and calculating these numerous objects. Adhering to the principle of ‘Least Privileged Access’ requires not only the calculation but also refine them continuously. This is an extremely expensive affair in terms of effort and costs.
4. Traditional on premise PAM solutions are not cut out for the needs of Cloud and impacts user experience
Infrastructure as code has changed the definition of privileged access. IaaS (Infrastructure as a Service) services can interact with multiple CI/CD (Continuous Integration/Continuous Development) tools or devOps platforms (Chef, GitHub, Jenkins etc.) or avenues (console/CLI/API etc.). PAM for IaaS means not only defining the same for native IaaS services but also for devOps and CI/CD tools. Concept of shared-IDs and hardened Jumpboxes (bastion-hosts) to funnel the privileged requests fail to scale on cloud due to its elasticity.
5. Volume and Velocity — Barriers in effective privileged activity monitoring
The inherent nature of cloud’s elasticity contributes to the velocity of activity logs. Organizations can have thousands of cloud assets/workloads created/destroyed within a day.
Volume of logs is another big issue to tackle with. Volume for average size cloud ecosystem/datacenter could easily range in terms of terabytes. Thereby making usage monitoring difficult and privileged usage monitoring extremely difficult.
Further due to different implementations of session Identity information for console vs API vs workloads the correlation of privilege identity and its activity is often incorrect and inconsistent
6. Varied business processes across Cloud Accounts/Subscriptions
Reducing the blast radius on Cloud Environments/IaaS datacenters is important, but it leads to creation/setup of multiple Cloud Accounts/subscriptions for an organization. These are often managed by individual business units or groups each having their own defined processes for Identity lifecycle, access management and above all different interpretations of privileged access. Varied business processes and disjoint identity lifecycles can lead to unauthorized privileged access on critical assets.
Cloud needs a better PAM solution and it needs to be elastic!
1. Access assignment should elevate or drop based on the usage patterns, activity context and user’s profile
Combining users access patterns and usage will allow to create an intelligent system which can elevate/drop the access assignments. This is imperative to maintain the principle of least privileged access in the ecosystem. Intelligence profiling and learning allows the system to do this automatically thereby reducing the manual effort and saving costs in the long term
2. Just in time administration to decrease risk exposure
Access to be elevated only for a specified duration in cases of emergency / firefighting, post which the access assignment to be dropped back. This should be followed with retrieval of privileged activity logs and feeding back to system for review and adjustment of access assignments. Helps in increasing the overall security posture of the ecosystem
3. JML (Joiner/Mover/Leaver) processes to be integrated with Cloud access assignment processes to ensure no residual access for Cloud IAM accounts
A well-defined centralized Identity Administration and Governance (IGA) solution integrated with both enterprise as well as Cloud systems is paramount. It can effectively reduce the overheads and security risks carried by varied business process and provide a single platform to manage the identity lifecycle across cloud platforms and enterprise systems.
4. Extend PAM to devOps and CI/CD platforms
Infrastructure as code, Immutable Infrastructure, Phoenix Servers or Drift Management concepts are on the rise and being widely adopted by organizations moving over to cloud. CI/CD platforms and devOps process are helping organizations to realize these concepts. Managing privileged access should no longer be confined to IaaS entities, rather every avenue/channel germane to interact or consume Cloud services falls under the umbrella to be managed for PAM.
5. Stacked correlation with big data platforms for effective and consistent PAM monitoring
Ingesting and sifting logs and then deducing meaningful information out of it requires solid feat of engineering and requires adoption of big data technologies (Apache Spark, Elasticsearch, etc.). Stacking the correlation for session information is key to tie the privileged identity against the activity performed. Logs from sources including Cloud platforms, DevOps and CI/CD processes should be streamed to big data platform and correlated to ensure effective privileged activity monitoring.
As cloud technologies evolve, so would PAM solutions. However, the fundamental principle of Cloud PAM solution to be elastic is going to stick. Elasticity for Cloud PAM is the need of today and will be for future too!
Read the original article at CSO Online here.