
North South East West People & Machines - Privileged Access Management for the Cloud Does Not Have to Be Painful

By Matthew McKenna on March 11, 2015
Matthew McKenna

Chief Operations Officer

Matthew brings over 10 years of high technology sales, marketing and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader. Prior to joining the company, Matthew served as a member of the executive management team of Automaster Oyj which was successfully acquired by ADP Dealer Services Nordic. Before this, Matthew played professional soccer in Germany and Finland. Matthew holds a BA in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.

When you consider the privileged access management challenges organizations face today, it is easy to spin in circles over all the angles that need to be covered from both a privileged-user and a machine-to-machine (M2M) perspective. There is no doubt that a great infrastructural transformation is under way, with more and more critical business application functions moving to private, public and hybrid clouds. With that in mind, how we monitor, control and audit encrypted traffic and privileged access to and from the cloud, and between and within clouds, has become a security necessity that forces us to rethink our approach.

The challenge with traditional PAM solutions is that their architectures assume standard perimeter security and a jump host. This creates a bottleneck on access to cloud-based environments, disrupts administrator work by forcing access through inconvenient, slow portals, addresses only one part of the equation (administrator access), and captures only north-south traffic, that is, access entering and leaving the data center.

As noted in Cisco’s Munawar Hossain’s May 2014 blog, “Cisco’s Global Cloud Index tells us that, unlike in campus networks, the dominant volume of traffic in the DC traverses in an “East-West” direction (76%), followed by “North-South” traffic (17%), and finally inter-DC traffic, which currently comprises only 7% but is gradually growing. In campus networks, traffic is primarily (90+%) “North-South” traffic.”

With 76% of traffic now moving east-west, access control and monitoring of encrypted data flows must be designed at the L2 (switch) and L3 (router) layers, not only at the perimeter. Traditional PAM solutions that claim cloud capabilities typically resort to what is known as hair-pinning: east-west traffic is forced out to the jump host and back so that it becomes north-south traffic the perimeter design can see. This adds unnecessary architectural complication, introduces new challenges in provisioning applications, easily turns the jump host into a performance bottleneck, adds latency, and simply makes security harder.
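To make the north-south versus east-west distinction concrete, here is an added example (not code from the original post or from SSH Communications Security) that classifies privileged-access flow records by direction and estimates what share of them a perimeter jump host would see, compared with an inline bridge placed in front of chosen network segments. The data-center address plan, the set of administrative ports and the flow records are constructed assumptions standing in for a NetFlow/IPFIX export.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed address plan (an assumption for this example): two data
# centres, each a /16. Everything outside these ranges is "outside the DC".
DC_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "dc1": ipaddress.ip_network("10.10.0.0/16"),
    "dc2": ipaddress.ip_network("10.20.0.0/16"),
}

# Destination ports treated as privileged-access or M2M transfer traffic.
ADMIN_PORTS = {22: "ssh/sftp", 3389: "rdp", 443: "https-admin"}

# Constructed flow records in a simplified "src dst dport" format.
SAMPLE_FLOWS: List[str] = [
    "203.0.113.5 10.10.1.20 22",     # admin laptop -> dc1 host (north-south)
    "203.0.113.5 10.10.1.21 3389",   # admin laptop -> dc1 Windows host (north-south)
    "10.10.1.20 10.10.2.30 22",      # bastion -> app server inside dc1 (east-west)
    "10.10.1.20 10.10.2.31 22",      # bastion -> app server inside dc1 (east-west)
    "10.10.2.30 10.10.2.32 22",      # app -> db inside dc1 (east-west)
    "10.10.1.50 10.10.3.10 22",      # scheduled SFTP batch inside dc1 (east-west)
    "10.10.1.20 10.20.1.5 22",       # dc1 -> dc2 replication host (inter-dc)
    "10.20.1.5 10.20.1.6 3389",      # RDP inside dc2 (east-west)
    "10.10.1.20 10.10.5.5 80",       # plain HTTP, not privileged access (ignored)
    "198.51.100.9 203.0.113.5 22",   # neither end in a data centre (external)
]


def dc_of(addr: str) -> Optional[str]:
    """Return the data-centre name containing addr, or None if outside all DCs."""
    ip = ipaddress.ip_address(addr)
    for name, net in DC_NETWORKS.items():
        if ip in net:
            return name
    return None


def classify_flow(src: str, dst: str) -> str:
    """Direction of a flow relative to the data-centre address plan."""
    s, d = dc_of(src), dc_of(dst)
    if s is None and d is None:
        return "external"
    if s is None or d is None:
        return "north-south"      # crosses the DC perimeter
    return "east-west" if s == d else "inter-dc"


def parse_flow(line: str) -> Tuple[str, str, int]:
    src, dst, dport = line.split()[:3]
    return src, dst, int(dport)


def admin_flows(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield only flows whose destination port is a privileged-access port."""
    for line in lines:
        src, dst, dport = parse_flow(line)
        if dport in ADMIN_PORTS:
            yield src, dst, dport


def summarize(lines: Iterable[str]) -> Counter:
    """Count privileged-access flows per direction."""
    return Counter(classify_flow(src, dst) for src, dst, _ in admin_flows(lines))


def jump_host_coverage(counts: Counter) -> float:
    """Share of DC-related privileged flows a perimeter jump host sees: only
    north-south traffic passes through it unless east-west is hair-pinned."""
    internal = counts["north-south"] + counts["east-west"] + counts["inter-dc"]
    return counts["north-south"] / internal if internal else 0.0


def inline_coverage(lines: Iterable[str], tapped: Iterable[str]) -> float:
    """Share of DC-related privileged flows crossing an inline bridge placed in
    front of the given networks: a flow is seen if either endpoint is tapped."""
    nets = [ipaddress.ip_network(n) for n in tapped]
    seen = total = 0
    for src, dst, _ in admin_flows(lines):
        if classify_flow(src, dst) == "external":
            continue
        total += 1
        if any(ipaddress.ip_address(a) in n for a in (src, dst) for n in nets):
            seen += 1
    return seen / total if total else 0.0


if __name__ == "__main__":
    counts = summarize(SAMPLE_FLOWS)
    print(dict(counts))
    print("jump host sees:", jump_host_coverage(counts))
    print("inline at dc1 only:", inline_coverage(SAMPLE_FLOWS, ["10.10.0.0/16"]))
    print("inline at both DCs:",
          inline_coverage(SAMPLE_FLOWS, ["10.10.0.0/16", "10.20.0.0/16"]))
```

On the constructed records the jump host sees a quarter of the privileged flows, and the inline figure depends on where the bridge sits: a bridge in front of dc1 alone misses the RDP session that stays inside dc2. The same calculation run over a real flow export tells you how much privileged traffic a perimeter-only design is leaving unaudited and where inline capture points need to go.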


Because CryptoAuditor operates transparently as an inline appliance at Layer 2 (bridge) or Layer 3 (router), it offers a minimally invasive approach to privileged access management in the cloud, capturing not only north-south traffic in and out of the data center but also east-west traffic within a data center and between data centers. Being inline is also what lets SSH take privileged access management to the next level. Beyond SSH, RDP and SSL remote-administration sessions, CryptoAuditor can inspect automated machine-to-machine SFTP and other file-transfer connections for malicious payloads, working in tandem with existing antivirus, intrusion prevention (IPS) and data loss prevention (DLP) solutions, so that it becomes a preventive control rather than just another after-the-fact monitoring tool.

An inline approach to privileged access management provides six significant benefits to customers who deploy it in the cloud:

1) There is zero impact on end-user workflows or on the tools they use. Users simply continue to work with their standard day-to-day remote access and file transfer tools.

2) An inline solution is quicker and easier to deploy and set up than traditional PAM solutions.

3) An inline solution is endpoint- and target-environment-agnostic, which makes it the lowest-operational-overhead approach for elastic, constantly changing cloud environments.

4) Being inline also provides the unique capability to inspect automated machine-to-machine file transfers and traffic.

5) Being inline makes prevention possible: session data can be decrypted and controlled in real time, and fed to real-time analytics. Note that decrypting in line means the appliance must be able to decrypt the sessions it inspects, so key handling for the inspected hosts becomes part of the deployment design.

6) Being inline in the network stream prevents privileged users from bypassing IAM controls, and provides an independent third-party record for auditing and forensics.

Looking ahead, with more and more IoT devices coming to market and further movement toward converged infrastructures and cloud-based data models, the ability to inspect remote administration as well as machine-to-machine connections is essential. Traditional PAM does not get us there because of its north-south limitations, but an inline approach such as CryptoAuditor may just change the game.
