The Lockdown

Thycotic’s Cyber Security Blog

PAM cloud security is different. Let me explain why

Written by Joseph Carson

July 28th, 2020

The 2020 Verizon Data Breach and Incident Report (DBIR) published in May gives a clear indication of where privileged access management (PAM) security is going these days. And the forecast is for cloudy skies ahead. That’s because:

77% of cloud breaches are due to compromised credentials

Attacks on web applications more than doubled in 2019

With credentials as the overwhelmingly preferred attack vector and more organizations worldwide relying on cloud applications and services, protecting privileged access to the cloud has become even more of a priority. Chances are you’re already dealing with a hybrid environment where the cloud is a major portion of your IT environment. In my new eBook, Privileged Access Cloud Security for Dummies, I succinctly describe the challenges this situation poses, and how to think about controlling and securing access for all your users.

The free 16-page eBook gives you a concise overview of cloud access security along with practical tips to develop an effective cloud security strategy that protects both IT and business users, including:

Privileged Access Cloud Security for Dummies is a quick read that puts the issue of cloud security for privileged accounts in context and explains the major differences in privileged access management that evolving cloud infrastructures require.

PAM without perimeters

Both human and non-human privileged accounts exist everywhere in IT environments. IT administrators, as well as business users, are using them every day to automate and manage critical data, applications, and IT services. And, they are very likely gaining privileged access to cloud services.

These privileged accounts used to be safeguarded inside a defined perimeter with firewalls, VPNs, and various other security tools. But in the always-on, Internet-connected global marketplace, the traditional perimeter has disappeared as most organizations now rely to some degree on cloud-based applications to conduct business.


This “new normal” requires adjusting the typical PAM mindset to the specific challenges involved in cloud security privileged access. I often use the analogy of a vehicle parked in a garage to illustrate the differences between on-premises security and cloud security.

On-premises security is when you park your car in your own garage. You protect the car with a garage door—your primary security control. You don’t need to worry about whether the car door is locked, the window is closed, or if anyone can see what’s inside the car.

A person inside your garage is an authorized privileged user who can gain access through the garage door. As long as that person has satisfied the security control—such as having the authorized key or a garage door opener, she gets access. Once she’s inside the garage, she can move around at will.

When securing a cloud environment, the garage door method simply doesn’t work. Taking your car out of your garage and parking it in a shared parking lot is similar to an account in the cloud. It’s no longer located in a traditionally guarded perimeter (your garage) and therefore needs additional security controls to protect it:

  • Access control to the car (privileged access management)
  • The ability to see inside the car (encryption)
  • Identity verification of the person accessing the car (multi-factor authentication)

Controlling access to the cloud is one of the most critical security controls a company can undertake. You need to not only protect the authentication to the cloud applications but also provide continuous validation and verification of privileged users’ actions after they’ve been authenticated.

Consider every user a privileged user

Remote workers, third-party contractors, and business users with personal devices are now accessing privileged accounts every day, and across the globe. Thus, all cloud access is becoming privileged whether it’s due to the level of access granted in the account, or the access to sensitive information.

Making sure these users get easy and secure access to the cloud poses ever-growing cyber security challenges for IT security professionals. Here is a sampling of how cloud security impacts the risks for incidents and breaches:

Top causes for cloud-related security incidents and breaches

Poor access management: Default passwords, credential stuffing, phishing, and abusing stolen credentials are all too common causes of security breaches.

Insecure applications and APIs: Automation without authentication, hard-coded passwords and tokens, and even clear text authentication often lead to security incidents. DevOps has increased these security risks as well.

Misconfigured cloud storage: Public-facing database breaches have been on the rise. These incidents often result from security policies left at their default settings, which sometimes means granting public access to everyone. Default settings don’t always mean security is enabled.

Distributed Denial of Service (DDoS) attacks: When a cloud service becomes the target of a DDoS attack, you become a secondary victim. If you’re dependent on the cloud service, your service will also be impacted.

Overprivileged users: Organizations tend to give more privileges to users than they require, and this practice means that after an attacker has compromised an overprivileged account, he can carry out the attack in fewer steps (the number of steps is usually two to four for most security incidents).

Shared credentials: Lost visibility, poor audit trails, and no control with shared credentials result in easy-to-guess passwords or poor practices when sharing between employees.

Password-only security controls: Unfortunately, many companies still rely on a single password as the only security control keeping unauthorized cyber-criminals from abusing their cloud solutions and even their security tools.

Securing third-party access and remote employees: Opening access means you lose control and visibility over the security controls on employees’ endpoints and networks. Identity access management (IAM), which is the process that combines policies and technology to enable authorized access, becomes the new perimeter.

Shadow IT: It’s all too easy for employees to procure cloud services and, yes, sometimes without the knowledge of IT or the security team. When business departments decide to obtain their own IT solutions without approval, this is called Shadow IT.

Take a PAM lifecycle approach with a cloud twist

Securing privileged cloud access begins by understanding what it means for your specific organization and how the causes for incidents listed above affect you. Don’t assume access relates only to certain roles or employees. In fact, most privileged access also involves non-human accounts that manage infrastructure, remote access, automation, service accounts, third-party access and DevOps privileged accounts.


Taking a PAM lifecycle approach to cloud access security provides a proven framework for managing privileged accounts whether on-premises or in the cloud. Following this path is the best way to ensure that you are properly protecting your cloud infrastructure interactions.

Define access – Your business functions rely on data, systems, and access, and dependencies on these entities vary from one organization to another, so make sure to define your privileged cloud access. If you aren’t sure how to get started, refer to your disaster recovery plan—it typically classifies your critical business systems, applications, and data. Then, map your privileged accounts to your business risk and business operations.

Develop IT cloud access policies – Your organization should have a policy that details acceptable use and responsibilities for privileged cloud accounts. Your working understanding of who has privileged access, and when it’s used, is vital. Treat privileged accounts separately by clearly defining a privileged account and spelling out acceptable use policies. Identify and track ownership of privileged accounts throughout their life cycle.

Discover your privileged accounts – Automated privileged access management (PAM) software identifies your privileged accounts, implements continuous discovery to curb privileged account sprawl, identifies potential insider abuse, and reveals external threats. On-going visibility of your privileged account landscape is central to combating and reducing cyber security threats.

Protect your passwords – Verify that your solution can automatically discover and store privileged accounts; schedule password rotation; audit, analyze, and manage individual privileged session activity; and monitor accounts to quickly detect and respond to malicious activity. Protecting your privileged account cloud passwords goes beyond having a password manager.

Establish single sign-on sessions to target systems, combined with multi-factor authentication and privileged access security, for better operational efficiency for administrators. Your goal is to minimize the ability for humans to create and choose passwords. Taking password choice out of human hands reduces cyberattacks that use techniques such as credential stuffing, while helping to eliminate exploits of bad cyber hygiene behavior, such as password reuse.

Limit IT admin access – Develop a least-privilege policy to enforce least privilege on endpoints and to limit IT admin access to cloud applications without disrupting business operations. Privileges should only be granted on demand when required and approved. Least privilege and application-control solutions enable seamless elevation of approved, trusted, and whitelisted applications while minimizing the risk of running unauthorized applications.

Monitor and record sessions – Your PAM solution should monitor and record privileged account activity, which helps enforce proper behavior and avoid mistakes by users. Audit, record, and monitor privileged activities to assist with regulatory compliance. You must be able to manage, monitor, and restrict the administrative access of IT outsourcing vendors and managed service providers (MSPs) to cloud and internal IT systems because many incidents result from compromised third parties.

Detect abnormal usage – Visibility into the access and activity of your privileged accounts in real-time helps catch suspected account compromise and potential user abuse. Track and alert on user behavior. Early detection of security incidents significantly reduces the cost of a data breach.

Respond to incidents – Include privileged access in your incident response plan in case an account is compromised. Simply changing privileged account passwords or disabling the privileged account isn’t adequate when a privileged account is breached. If you need help with your incident response plan, check out Thycotic’s customizable cyber security incident response plan template.

Audit and analyze – Continuously monitoring privileged account usage via audits and analysis reports helps identify unusual behaviors that may indicate a breach or misuse. These automated reports track the cause of security incidents and demonstrate compliance with policies and regulations.
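To make the lifecycle steps concrete, here is an added example (mine, not from the eBook and not code from any Thycotic product) that runs the discover, protect-your-passwords, detect-abnormal-usage and audit-and-analyze steps over a constructed account inventory and a handful of constructed cloud audit-log lines. The account names, roles, IP addresses, timestamps and the 90-day rotation window are all assumptions chosen for illustration; the detection rules (new source IP, off-hours login, the same account seen from two IPs within minutes, which is a classic sign of a shared credential) are the kind of rules a PAM or SIEM tool would run, not a specific product’s logic.

```python
"""Added example: a minimal PAM lifecycle check over a constructed account
inventory and constructed cloud audit-log lines (discover privileged
accounts, flag stale password rotation, detect abnormal usage, report).
Every name, IP, timestamp and threshold below is made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Roles treated as privileged; note that non-human roles count too.
PRIVILEGED_ROLES = {"admin", "owner", "service", "deploy"}

# Constructed inventory: type, role and last password rotation (ISO 8601, UTC).
INVENTORY = [
    {"name": "alice", "type": "human", "role": "admin", "rotated": "2020-07-01T00:00:00Z"},
    {"name": "bob", "type": "human", "role": "reader", "rotated": "2020-01-10T00:00:00Z"},
    {"name": "ci-deploy", "type": "service", "role": "deploy", "rotated": "2019-11-15T00:00:00Z"},
    {"name": "shared-ops", "type": "human", "role": "admin", "rotated": "2020-06-20T00:00:00Z"},
]

# Constructed audit log, one JSON object per line, in the shape a cloud
# console or API gateway might emit (documentation-range IPs only).
AUDIT_LOG = """
{"ts": "2020-07-27T09:05:00Z", "user": "alice", "src_ip": "203.0.113.10", "action": "ConsoleLogin"}
{"ts": "2020-07-27T23:40:00Z", "user": "alice", "src_ip": "198.51.100.7", "action": "ConsoleLogin"}
{"ts": "2020-07-27T10:00:00Z", "user": "shared-ops", "src_ip": "203.0.113.10", "action": "ConsoleLogin"}
{"ts": "2020-07-27T10:03:00Z", "user": "shared-ops", "src_ip": "192.0.2.44", "action": "ConsoleLogin"}
{"ts": "2020-07-27T11:00:00Z", "user": "ci-deploy", "src_ip": "203.0.113.20", "action": "AssumeRole"}
"""

# Constructed baseline: the source IPs each account has historically used.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "shared-ops": {"203.0.113.10"},
                "ci-deploy": {"203.0.113.20"}}


def parse_ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def discover_privileged(inventory):
    """Step 'Discover': every account, human or not, holding a privileged role."""
    return sorted(a["name"] for a in inventory if a["role"] in PRIVILEGED_ROLES)


def stale_passwords(inventory, now, max_age_days=90):
    """Step 'Protect your passwords': privileged accounts past the rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(a["name"] for a in inventory
                  if a["role"] in PRIVILEGED_ROLES and parse_ts(a["rotated"]) < cutoff)


def detect_abnormal(log_text, baseline, business_hours=(7, 19), overlap=timedelta(minutes=10)):
    """Step 'Detect abnormal usage'. Returns (user, alert_kind, detail) tuples for:
    a source IP outside the account's baseline, a login outside business hours,
    and the same account used from two different IPs within `overlap`."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])          # ISO 8601 sorts lexicographically
    alerts = []
    last_seen = {}                              # user -> (timestamp, src_ip)
    for e in events:
        t = parse_ts(e["ts"])
        if e["src_ip"] not in baseline.get(e["user"], set()):
            alerts.append((e["user"], "new_source_ip", e["src_ip"]))
        if not (business_hours[0] <= t.hour < business_hours[1]):
            alerts.append((e["user"], "off_hours", e["ts"]))
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["src_ip"] and t - prev[0] <= overlap:
            alerts.append((e["user"], "concurrent_ips", f"{prev[1]},{e['src_ip']}"))
        last_seen[e["user"]] = (t, e["src_ip"])
    return alerts


def audit_report(inventory, log_text, baseline, now):
    """Step 'Audit and analyze': one summary a reviewer can act on."""
    by_user = defaultdict(list)
    for user, kind, _detail in detect_abnormal(log_text, baseline):
        by_user[user].append(kind)
    return {
        "privileged_accounts": discover_privileged(inventory),
        "stale_passwords": stale_passwords(inventory, now),
        "alerts_by_user": {u: sorted(k) for u, k in by_user.items()},
    }


if __name__ == "__main__":
    report = audit_report(INVENTORY, AUDIT_LOG, BASELINE_IPS, parse_ts("2020-07-28T00:00:00Z"))
    print(json.dumps(report, indent=2))
```

On the constructed data the report lists three privileged accounts (including the non-human `ci-deploy`), flags `ci-deploy` for a password that has not been rotated in the window, and raises alerts for `shared-ops` (two IPs three minutes apart, the shared-credential pattern from the list of causes above) and for `alice` (an unknown IP at 23:40). A real deployment would replace the inline baseline with per-account history and feed the alerts into the response step rather than printing them.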

Cloud security best practices for protecting privileged access

The eBook concludes with descriptions of what I consider to be the top five best practices for managing privileged access to the cloud. Here are the highlights, with more detail in the eBook.

Enable widespread Least Privilege access security – After a user is verified, the user’s access should be limited to only what is necessary to accomplish a specific task or job. In the past, least privilege was seen by employees as an impediment to productivity and organizations often enabled local privileged access for almost every employee — a highly risky practice. The solution comes from enabling just-in-time (JIT) privileged access to the cloud with detailed security controls. And, keep in mind that implementing least privilege on servers or endpoints isn’t enough. Least privilege security controls must encompass all privileged access, including cloud-based systems, applications, databases, and infrastructure.

Automate access to make security work for you – Security controls must be scalable, efficient, and require the least amount of resources possible — and that requires automation. Automation also mitigates the risk of human error by reducing the amount of manual effort required to complete tedious and repetitive low-level tasks.

Integrate solutions to create a “security society” – Your cloud security controls should offer automated API integration of other security tools. Integrated solutions help create a “security society” where all tools and components can enhance and complement each other to improve security posture and reduce overall cyber risks.

Minimize user friction by implementing usable security solutions – Users have too often viewed security controls as barriers to productivity. Yet, it’s productivity and ease of use that drive users to use cloud resources. Privileged access cloud security solutions must build in ease of use, operating in the background as much as possible. Security tools that are too complex aren’t just difficult to use; they’re downright dangerous.

Move beyond Zero Trust to Adaptive Risk-Based Trust – As critical resources and data continue to move to the cloud, your security controls must be dynamic and able to adapt to evolving threats. For example, you can have an “always verify” and “always monitor” policy for third-party vendors or contractor identities. Internal employee classifications would be adaptive based on the sensitivity of the data being accessed.
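The first and fifth best practices, just-in-time least privilege and adaptive risk-based trust, fit together in a single access decision. The following is an added example of my own (not from the eBook, and not the policy engine of any Thycotic product) showing how such a decision can be modelled: a privilege is only usable under a time-bounded, approver-backed JIT grant for exactly one scope, and the assurance the session must provide (MFA, session recording) is computed from the identity class, the sensitivity of the target, and the request context. The identity classes, sensitivity levels, 60-minute grant lifetime and the step-up triggers are all assumptions for illustration.

```python
"""Added example: a small access-decision model combining just-in-time (JIT)
least privilege with adaptive, risk-based trust. Identity classes,
sensitivity levels, grant lifetimes and step-up triggers are constructed
for illustration and are not any product's actual policy."""
from datetime import datetime, timedelta, timezone

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Active JIT grants: (identity, scope) -> expiry. There is no standing
# privilege; a grant exists only after approval and only until it expires.
JIT_GRANTS = {}


def utc(iso):
    """Parse a 'Z'-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def request_jit(identity, scope, approved_by, now, minutes=60):
    """Record a time-bounded grant for one scope. Self-approval is refused so
    that the requester cannot elevate alone."""
    if not approved_by or approved_by == identity:
        raise ValueError("JIT elevation needs an approver other than the requester")
    JIT_GRANTS[(identity, scope)] = now + timedelta(minutes=minutes)
    return JIT_GRANTS[(identity, scope)]


def required_assurance(identity_class, sensitivity, context):
    """Adaptive trust: the controls a session must satisfy before a grant is
    usable. Third-party and contractor identities are always verified and
    monitored; internal staff scale with the sensitivity of the target and
    step up when the request context changes (new device, unusual location)."""
    required = set()
    if identity_class in ("third_party", "contractor"):
        required |= {"mfa", "session_recording"}
    level = SENSITIVITY[sensitivity]
    if level >= 2:
        required.add("mfa")
    if level >= 3:
        required.add("session_recording")
    if context.get("new_device") or context.get("unusual_location"):
        required.add("mfa")
    return required


def authorize(identity, identity_class, scope, sensitivity, context, now):
    """Return (allowed, reason). Access is denied unless a current JIT grant
    exists for exactly this scope and the session meets the adaptive
    assurance requirements; an expired grant is removed on first use."""
    expiry = JIT_GRANTS.get((identity, scope))
    if expiry is None:
        return False, "no JIT grant for scope"
    if now >= expiry:
        del JIT_GRANTS[(identity, scope)]
        return False, "JIT grant expired"
    satisfied = set(context.get("satisfied", ()))
    missing = required_assurance(identity_class, sensitivity, context) - satisfied
    if missing:
        return False, "missing assurance: " + ",".join(sorted(missing))
    return True, "granted until " + expiry.isoformat()


if __name__ == "__main__":
    now = utc("2020-07-28T09:00:00Z")
    print(authorize("alice", "employee", "prod-db:admin", "restricted",
                    {"satisfied": ["mfa", "session_recording"]}, now))
    request_jit("alice", "prod-db:admin", approved_by="manager-bob", now=now)
    print(authorize("alice", "employee", "prod-db:admin", "restricted",
                    {"satisfied": ["mfa"]}, now))
    print(authorize("alice", "employee", "prod-db:admin", "restricted",
                    {"satisfied": ["mfa", "session_recording"]}, now))
    print(authorize("alice", "employee", "prod-db:admin", "restricted",
                    {"satisfied": ["mfa", "session_recording"]},
                    now + timedelta(minutes=61)))
```

The sequence in the `__main__` block walks through the lifecycle of one grant: denied with no grant, denied with a grant but insufficient assurance (restricted data needs session recording as well as MFA), allowed once both are satisfied, and denied again after the grant expires. A contractor asking for even public data gets the "always verify, always monitor" treatment described above, while an internal employee touching internal data on a known device needs nothing beyond the authenticated session.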

Automated tools are available to safeguard cloud access

Managing and controlling access to privileged accounts is a continuous process as more applications utilize the advantages of cloud-first strategies. Cloud-ready, automated access control tools are essential to protecting the critical data associated with privileged accounts.

Privileged access cloud security solutions must add value to the business on multiple levels:

  • Providing an intuitive interface
  • Being quick to learn
  • Delivering immediate value
  • Contributing to making each user’s job easier

Thycotic offers access control solutions that meet all of the above criteria with the addition of three new products to our PAM portfolio: Thycotic Remote Access Controller, Thycotic Cloud Access Controller, and Thycotic Database Access Controller. This extends Thycotic’s industry leadership for emerging PAM use cases protecting access to SaaS applications, IaaS infrastructure, and ensuring remote workers stay productive and secure.

Thycotic Cloud Access Controller, for example, ensures that administrators accessing IaaS platforms such as Amazon Web Services (AWS) and SaaS applications like Salesforce and Twitter maintain appropriate Role Based Access Controls (RBAC) which dictate what each user can click, read, or modify within any web application. Administrators also have a centralized dashboard that displays what applications have been accessed, access removal, audit report production, and more, for tighter security and streamlined compliance.

Cloud security success means rejecting complexity

Privileged access cloud security must be useable and help employees achieve their goals and metrics. When security becomes too complex, IT admins and business users look for ways around controls that get in their way. For privileged access cloud security to be successful, it must focus on a business and people-first strategy. It must contribute to business efficiency, increase productivity, and enable employees to perform their jobs within a positive experience.

Download my free eBook Privileged Access Cloud Security for Dummies
