Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so. A classic example is a highly-guarded military facility.
In IT security, experts have spent decades building a security perimeter for a world where servers were mostly physical and the environment mostly static. Now the mandate from the bean counters is to open the perimeter – or at least a healthy chunk of it – to the cloud. The cloud undoubtedly offers the tremendous business benefits of flexibility, scalability and, above all, cost savings.
We’ve been asked to go “beyond the wall.”
Is our identity and access management ready for the cloud?
Going outside the perimeter is a terrifying prospect for IT security professionals. We’ve spent 25 years building some very expensive (fire) walls and complex intrusion detection systems, and now what? We’re going to put our systems and data outside, really?
Identity management tools that have worked so well to protect the perimeter of the past are having to adapt rapidly to fit the elastic cloud of the future. However, there are challenges with identities on both sides: rapidly scaling cloud architecture and cloud-borne applications as the destinations, and an explosion in the identities of people and things that need to get connected. This is what Gartner has to say about the matter:
“The number of identities for people, things, services and robotic process automation bots keeps growing,” says Gartner senior director Homan Farahmand. “And the walls between identity domains are blurring IAM architecture.”
While the domain boundaries are shifting, regulations on who has the right to access what type of information are becoming stricter. Do I even need to mention GDPR?
I thought our IAM software handles all our privileged user access
As if all this were not enough, it is only part of the story. There is a special group of people whose identities and access are not typically handled by IAM solutions at all. They have access to the most valuable information inside the perimeter of a company, since they develop and update the services your customers use, access critical databases, configure applications and maintain your infrastructure. They are called privileged users.
Naturally, your privileged users already have identities that are handled by directory/IAM solutions, since privileged users also use the generally available tools just like any other employee. But this can be a pitfall:
“Organizations make the mistake of assuming they can manage privileged access in the same way they manage regular access,” says Gartner’s Felix Gaehtgens.
When your system administrator updates databases or your developers tweak your customer-facing application, they no longer use the same tools to access their working environments. Since these users handle mission-critical data, they typically use a Privileged Access Management (PAM) tool to gain entry to a server and work their magic. PAM is used to control and monitor access to make sure that these trusted users are up to legitimate business with sensitive data. This stands to reason: the activities of those people who deal with particularly sensitive data should be tracked and logged. But are traditional PAM solutions up to the task in multi-cloud and hybrid environments?
PAM should be re-imagined
“Instead they must think about the five ‘W’s’ of privileged access — who, when, where, why and what — and adopt a new operational model for PAM, one that emphasizes purpose-driven, just-in-time privileged access.” – Felix Gaehtgens, Gartner.
We at SSH.COM believe that Gartner is spot on with the term “just-in-time”. Unfortunately, most traditional PAM solutions offer password rotation, password vaulting and permanent access keys, which are cumbersome “all-the-time” ways to access a critical resource. Some other problems with traditional PAM include:
- 7-figure cost
- deployment times of months or years, often still ending in unfinished deployments
- unmaintainable endpoint agents on clients and hosts
- creating and maintaining a duplicate directory for privileged users
- poor fit for multi-cloud and DevOps
- poor fit for sysadmins, DBAs, technicians and software developers
We have developed a solution called PrivX to make PAM a great fit for the age of multi-cloud and hybrid environments. You can read more about lean PAM that is fast to deploy, eliminates duplicate work, automates a lot of access provisioning work and uses just-in-time, ephemeral certificates to grant privileged access.
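To make the contrast between “all-the-time” credentials and just-in-time, ephemeral ones concrete, here is an added illustration written for this post; it is constructed example code, not PrivX or any other SSH.COM code. A credential is issued only for one access request, carries the five W’s Gaehtgens lists (who, what, where, why, when) as signed claims, and is refused by the target host once its few-minute validity window has passed, so there is nothing to rotate or vault. The CA secret, user names, hostnames and ticket reference are all constructed, and an HMAC stands in for the public-key signature an actual SSH certificate carries.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A production CA would sign with an asymmetric key
# kept in an HSM; target hosts would hold only the CA's public key.
CA_SECRET = b"constructed-demo-ca-secret"

DEFAULT_TTL_SECONDS = 600  # ten minutes: enough for one task, useless afterwards


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(who, what, where, why, ttl_seconds=DEFAULT_TTL_SECONDS,
                     now=None, ca_secret=CA_SECRET):
    """Issue a short-lived credential bound to the five W's of one access request.

    `what` is the role granted on the target (e.g. "dba"), `where` the only host
    the credential is valid for, `why` the justification recorded for audit.
    """
    now = int(time.time()) if now is None else int(now)
    claims = {
        "who": who,
        "what": what,
        "where": where,
        "why": why,
        "when": {"not_before": now, "not_after": now + int(ttl_seconds)},
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(ca_secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(signature)}"


def verify_credential(token, where, now=None, ca_secret=CA_SECRET):
    """Check a presented credential on the target host.

    Returns (accepted, reason, claims). Each failing check has its own reason
    so the host's audit trail records why access was refused.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _unb64(payload_b64)
        presented_sig = _unb64(signature_b64)
    except (ValueError, TypeError):
        return False, "malformed", None

    expected_sig = hmac.new(ca_secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad_signature", None  # altered claims, or not from our CA

    claims = json.loads(payload)
    if claims["where"] != where:
        return False, "wrong_host", claims  # valid only where it was issued for
    if now < claims["when"]["not_before"]:
        return False, "not_yet_valid", claims
    if now > claims["when"]["not_after"]:
        return False, "expired", claims  # the ephemeral property at work

    return True, "ok", claims


def audit_record(decision, reason, claims, now):
    """Flatten a decision into the who/what/where/why line a SIEM would ingest."""
    record = {"time": now, "decision": "allow" if decision else "deny", "reason": reason}
    if claims:
        record.update({k: claims[k] for k in ("who", "what", "where", "why")})
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed timestamp so the demo is repeatable
    token = issue_credential("alice", "dba", "db-prod-01", "ticket INC-0042: index rebuild", now=t0)

    for label, host, when in [("fresh", "db-prod-01", t0 + 60),
                              ("other host", "db-prod-02", t0 + 60),
                              ("after expiry", "db-prod-01", t0 + 601)]:
        ok, reason, claims = verify_credential(token, host, now=when)
        print(f"{label:>13}: {audit_record(ok, reason, claims, when)}")

    # Re-using a real signature over edited claims (dba -> root) must fail.
    root_payload = issue_credential("alice", "root", "db-prod-01", "ticket INC-0042", now=t0).split(".")[0]
    forged = root_payload + "." + token.split(".")[1]
    print(f"{'forged role':>13}: {verify_credential(forged, 'db-prod-01', now=t0 + 60)[:2]}")
```

The point of the design is that the host never needs a password vault, an agent or a revocation list: it checks a signature it can verify offline and a clock, and an intercepted credential is worth nothing a few minutes later.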
We had lively discussions around this topic at the IDM November event in London just recently. This was a natural place for us to be, since we are IAM/IDaaS vendor agnostic and believe our portfolios complement each other. Our Fujitsu partnership is a great example of this. By embedding PrivX, Fujitsu has bolstered their IDaaS offering to include privileged users and can offer them superior access experience with a high level of automation and convenience.
“PAM is all about securing the keys to your kingdom,” says Gartner senior director Felix Gaehtgens. “It is one of the most critical security controls to implement.”
PS. You can meet us at Gartner IAM Summit 2018 Las Vegas on Monday, December 3rd 2018. Book a meeting right here.