
Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so. A classic example is a highly-guarded military facility.

In IT security, experts have spent decades building a security perimeter for a world where servers were mostly physical and the environment mostly static. Now the mandate from the bean counters is to open the perimeter – or at least a healthy chunk of it – to the cloud. The cloud undoubtedly offers the tremendous business benefits of flexibility, scalability and, above all, cost savings.

We’ve been asked to go “beyond the wall.”

Is our identity and access management ready for the cloud?

Going outside the perimeter is a terrifying prospect for IT security professionals. We’ve spent 25 years building some very expensive (fire) walls and complex intrusion detection systems, and now what? We’re going to put our systems and data outside, really?

Identity management tools that have worked so well to protect the perimeter of the past are having to adapt rapidly to fit the elastic cloud of the future. However, there are challenges with identities on both sides: rapidly scaling cloud architecture and cloud-borne applications as the destinations, and an explosion in the identities of people and things that need to get connected. This is what Gartner has to say about the matter:

“The number of identities for people, things, services and robotic process automation bots keeps growing,” says Gartner senior director Homan Farahmand. “And the walls between identity domains are blurring IAM architecture.”

While the domain boundaries are shifting, regulations on who has the right to access what type of information are becoming stricter. Do I even need to mention GDPR?

I thought our IAM software handles all our privileged user access

As if all this was not enough, it’s only a part of the story. There is a special group of people whose identities and access are not typically handled by IAM solutions at all. They have access to the most valuable information inside the perimeter of a company, since they develop and update the services your customers use, access critical databases, configure applications and maintain your infrastructure. They are called privileged users.

Naturally, your privileged users already have identities that are handled by directory/IAM solutions, since privileged users also use the generally available tools just like any other employee. But this can be a pitfall:

“Organizations make the mistake of assuming they can manage privileged access in the same way they manage regular access,” says Felix Gaehtgens of Gartner.

When your system administrator updates databases or your developers tweak your customer-facing application, they no longer use the same tools to access their working environments. Since these users handle mission-critical data, they typically use a Privileged Access Management (PAM) tool to gain entry to a server and work their magic. PAM is used to control and monitor access to make sure that these trusted users are up to legitimate business with sensitive data. This stands to reason: the activities of those people who deal with particularly sensitive data should be tracked and logged. But are traditional PAM solutions up to the task in multi-cloud and hybrid environments?

PAM should be re-imagined

“Instead they must think about the five “W’s” of privileged access — who, when, where, why and what — and adopt a new operational model for PAM, one that emphasizes purpose-driven, just-in-time privileged access.” Felix Gaehtgens, Gartner.

We at SSH.COM believe that Gartner is spot on with the term “just-in-time”. Unfortunately, most traditional PAM solutions offer password rotation, password vaulting and permanent access keys, which are cumbersome “all-the-time” ways to access a critical resource. Some other problems with traditional PAM include:

  • 7-figure cost
  • deployment time in months or years and still resulting in unfinished deployments
  • unmaintainable endpoint agents on clients and hosts
  • creating and maintaining a duplicate directory for privileged users
  • poor fit for multi-cloud and DevOps
  • poor fit for sysadmins, DBAs, technicians and software developers

We have developed a solution called PrivX to make PAM a great fit for the multi-cloud and hybrid age. You can read more about lean PAM that is fast to deploy, eliminates duplicate work, automates a lot of access provisioning work and uses just-in-time, ephemeral certificates to grant privileged access.
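As an added illustration (example code written for this post, not PrivX or any other SSH.COM code), the following Python shows what “just-in-time, ephemeral” means concretely for an OpenSSH user certificate: the certificate itself carries a validity window and the allowed principals, so access expires by itself and there is no permanent key to revoke and no password to rotate. The public key, CA key and signature bytes are constructed placeholders, and signature verification is assumed to be done by sshd, so it is out of scope here.

```python
import struct, time

def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_user_cert(principals, valid_after, valid_before, key_id=b"jit-dba-access"):
    """Constructed ssh-ed25519-cert-v01@openssh.com body (field order from OpenSSH's
    PROTOCOL.certkeys). User key, CA key and signature are placeholders, not real crypto."""
    body = _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32)  # type, nonce
    body += _s(b"\x11" * 32)                                            # placeholder user public key
    body += struct.pack(">QI", 1, 1)                                    # serial, type 1 = user cert
    body += _s(key_id) + _s(b"".join(_s(p) for p in principals))        # key id, packed principals
    body += struct.pack(">QQ", valid_after, valid_before)               # the just-in-time window
    body += _s(b"") + _s(b"") + _s(b"")                                 # critical options, extensions, reserved
    body += _s(b"placeholder-ca-key") + _s(b"placeholder-signature")
    return body

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def parse_cert(blob):
    """Pull out the fields an access decision needs from a certificate body."""
    cert_type, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)                        # nonce
    _, off = _read_string(blob, off)                        # user public key
    serial, ktype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _read_string(blob, off)
    princ_blob, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):                              # packed list of SSH strings
        name, p = _read_string(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": cert_type.decode(), "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_access(blob, requested_user, now=None):
    """The window and principal checks sshd applies (signature check assumed done elsewhere)."""
    now = time.time() if now is None else now
    c = parse_cert(blob)
    if not (c["valid_after"] <= now < c["valid_before"]):
        return False, "certificate outside its validity window"
    if requested_user not in c["principals"]:
        return False, f"{requested_user} not among principals {c['principals']}"
    return True, f"granted via certificate {c['key_id']} (serial {c['serial']})"

if __name__ == "__main__":  # a 10-minute grant for principal "dba"; nothing to clean up afterwards
    cert = build_user_cert([b"dba"], int(time.time()), int(time.time()) + 600)
    print(check_access(cert, "dba"), check_access(cert, "root"))
```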

We had lively discussions around this topic at the IDM November event in London just recently. This was a natural place for us to be, since we are IAM/IDaaS vendor agnostic and believe our portfolios complement each other. Our Fujitsu partnership is a great example of this. By embedding PrivX, Fujitsu has bolstered their IDaaS offering to include privileged users and can offer them superior access experience with a high level of automation and convenience.

“PAM is all about securing the keys to your kingdom,” says Gartner senior director Felix Gaehtgens. “It is one of the most critical security controls to implement.”

PS. You can meet us at Gartner IAM Summit 2018 Las Vegas on Monday, December 3rd 2018. Book a meeting right here.


Author: Sami Ahvenniemi

Sami is a software industry veteran with over 20 years of experience from global sales, business development, and product management. Sami knows SSH well, having worked at SSH in executive positions in 1998-2002 and 2012-2015 both in Finland and the US. Sami has also served as an executive, chairman, or board member in several successful technology companies such as Behaviosec, Bluegiga Technologies, Neo4j, Sensinode, and as a co-founder at Kontena. Sami has also been a partner and board member in one of the most successful Finnish venture capital firms, Conor Venture Partners.
