Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so. A classic example is a highly-guarded military facility. In IT security, experts have spent decades building a security perimeter for a world where servers were mostly physical and the environment mostly static. Now the mandate from the bean counters is to open the perimeter – or at least a healthy chunk of it – to the cloud.

The cloud undoubtedly offers the tremendous business benefits of flexibility, scalability and, above all, cost savings. But...

We’ve been asked to go “beyond the wall.”

Is our identity and access management ready for the cloud?

Going outside the perimeter is a terrifying prospect for IT security professionals. We’ve spent 25 years building some very expensive (fire) walls and complex intrusion detection systems, and now what? We’re going to put our systems and data outside, really?

Identity management tools that have worked so well to protect the perimeter of the past are having to adapt rapidly to fit the elastic cloud of the future. However, there are challenges with identities on both sides: rapidly scaling cloud architecture and cloud-borne applications as the destinations, and an explosion in the identities of people and things that need to get connected. This is what Gartner has to say about the matter:

“The number of identities for people, things, services and robotic process automation bots keeps growing,” says Gartner senior director Homan Farahmand. “And the walls between identity domains are blurring IAM architecture.”

While the domain boundaries are shifting, regulations on who has the right to access what type of information are becoming stricter. Do I even need to mention GDPR?

I thought our IAM software handled all our privileged user access!

As if all this wasn't enough, it’s only a part of the story. There's a special group of people whose identities and access are not typically handled by IAM solutions at all. They have access to the most valuable information inside the perimeter of a company.

They develop and update the services your customers use, they access critical databases, configure applications and maintain your infrastructure. They are called privileged users.

Naturally, your privileged users already have identities that are handled by directory/IAM solutions, since privileged users also use the generally available tools just like any other employee. But this can be a pitfall:

“Organizations make the mistake of assuming they can manage privileged access in the same way they manage regular access,” says Felix Gaehtgens of Gartner.

When your system administrator updates databases or your developers tweak your customer-facing application, they no longer use the same tools to access their working environments. Since these users handle mission-critical data, they are supposed to use Privileged Access Management (PAM) tools to gain entry to a server and work their magic. PAM is used to control and monitor access to make sure that these trusted users are up to legitimate business with sensitive data. This stands to reason: the activities of those people who deal with particularly sensitive data should be tracked and logged.

But are traditional PAM solutions up to the task in multi-cloud and hybrid environments?

PAM should be re-imagined

“...think about the five ‘W’s’ of privileged access – who, when, where, why and what – and adopt a new operational model for PAM, one that emphasizes purpose-driven, just-in-time privileged access.” Felix Gaehtgens, Gartner.

I believe Felix is spot on with the term “just-in-time”. Unfortunately, most traditional PAM solutions offer password rotation, password vaulting and permanent access keys, which are cumbersome “all-the-time” ways to access a critical resource. A standing credential is a vulnerability for as long as it exists, and a vault is a single point of failure.
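To make the contrast concrete, here is an added illustration (not PrivX code and not from the original post) of what a just-in-time grant carries: the five W's bound together, signed by an issuing authority, and valid only for a short window, so there is no standing credential to rotate or vault. An HMAC stands in for the CA signature of a real SSH certificate, and the CA key and ticket reference are constructed demo values.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict

# Constructed demo issuer key; a real issuer keeps its signing key in an HSM/KMS.
CA_KEY = b"demo-issuer-key-not-for-production"


@dataclass(frozen=True)
class Grant:
    who: str            # principal being granted access
    what: str           # role or command class permitted
    where: str          # target host the grant is bound to
    why: str            # purpose, e.g. a change ticket reference
    valid_after: int    # "when": start of the window (unix seconds)
    valid_before: int   # "when": end of the window (unix seconds)


def issue_grant(who, what, where, why, ttl_seconds, now=None):
    """Issue a short-lived, signed grant. Returns (payload_bytes, signature_hex)."""
    now = int(time.time()) if now is None else now
    grant = Grant(who, what, where, why, now, now + ttl_seconds)
    payload = json.dumps(asdict(grant), sort_keys=True).encode()
    signature = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    return payload, signature


def verify_grant(payload, signature, host, now=None):
    """Target-side check: signature, host binding, then the validity window."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"          # tampered or forged grant
    grant = json.loads(payload)
    if grant["where"] != host:
        return False, "wrong host"             # grant replayed against another target
    if not (grant["valid_after"] <= now < grant["valid_before"]):
        return False, "outside validity window"  # expired: nothing left to revoke
    return True, f"{grant['who']} may {grant['what']} on {grant['where']} for {grant['why']}"


if __name__ == "__main__":
    payload, sig = issue_grant("alice", "db-admin", "db01.example", "CHG-1234", 600, now=1000)
    print(verify_grant(payload, sig, "db01.example", now=1300))
    print(verify_grant(payload, sig, "db01.example", now=1700))
```

Because the window is carried inside the signed grant, an expired or host-mismatched grant is rejected by the target itself, without the target consulting a vault or a revocation list.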

How can PAM grow to handle modern boundaries?

Grow? No! Legacy Privileged Access Management software is typically bloated with bolt-on features and technologies that contribute to spiralling costs, deployment times and maintenance requirements.

We have developed a solution called PrivX to make PAM a great fit for the age of the multi-cloud and hybrid. You can read more here about lean PAM that is fast to deploy, eliminates duplicate work, automates much of the access provisioning work and uses just-in-time, ephemeral certificates to grant privileged access.

We had lively discussions around this topic at the IDM November event in London just recently. This was a natural place for us to be, since we are IAM/IDaaS vendor agnostic and believe our portfolios complement each other. Our Fujitsu partnership is a great example of this. By embedding PrivX, Fujitsu has bolstered their IDaaS offering to include privileged users and can offer them a superior access experience with a high level of automation and convenience.

“PAM is all about securing the keys to your kingdom,” says Gartner senior director Felix Gaehtgens. “It is one of the most critical security controls to implement.”

For more about scalable privileged access for multi-cloud, read about the latest PrivX developments.

Sami A.

Author: Sami Ahvenniemi

Sami is a software industry veteran with over 20 years of experience from global sales, business development, and product management. Sami knows SSH well, having worked at SSH in executive positions in 1998-2002 and 2012-2015 both in Finland and the US. Sami has also served as an executive, chairman, or board member in several successful technology companies such as Behaviosec, Bluegiga Technologies, Neo4j, Sensinode, and as a co-founder at Kontena. Sami has also been a partner and board member in one of the most successful Finnish venture capital firms, Conor Venture Partners.
