A Professional Introduction to Cloud PAM

Privileged Access Management for the Cloud

Realize the promise of the cloud and secure your most sensitive assets.

1. Introduction to cloud PAM

Ninety percent of companies are embracing the cloud in some way and 80% of IT budgets are focused on cloud solutions. Companies choose the cloud for its elastic scalability as well as operational efficiencies that reduce maintenance time and cost.

In addition, the demands of the Coronavirus pandemic have created a spike in cloud usage. With most of the global, white-collar workforce shifting to working remotely, cloud technology is critical to keep businesses up and running. Cloud services are enabling people to collaborate and stay productive no matter where they work.

The explosion of cloud IT is making the PAM challenge much more complicated.

Cloud growth has increased privileged accounts and credentials to a state that is unmanageable without automated processes. More than 77% of cloud breaches involve compromised credentials. Cloud apps and platforms can easily bypass traditional security controls.

PAM designed for the cloud lets you precisely control what users can see and do in cloud platforms, services, and applications to tighten your attack surface and address the challenges of cloud security.

2. Key cloud PAM definitions

PAM in the cloud

When we say, “Privileged Access Management in the cloud,” we’re talking about PAM as a service. Instead of hosting your PAM software on-premise and managing all of the installation work, maintenance, and updates yourself, when PAM is in the cloud, your PAM vendor takes care of all that for you. They manage a cloud environment (for example, Thycotic uses Azure and AWS depending on the solution) where your PAM software resides, and make sure it’s secure, available, and up to date. If you have your own private cloud, PAM in the cloud can mean you’re still responsible for management and hosting costs, but you still gain the elasticity and scalability that the cloud brings.

PAM for the cloud

PAM for the cloud, on the other hand, is about how you’re going to use a PAM solution to manage and secure access to systems and services that reside in the cloud. These could include critical applications or databases that are stored in the cloud, cloud platforms for application development, or tools used by your business or technical teams.

Infrastructure as a Service (IaaS)

Today, 65% of organizations around the world use some form of Infrastructure-as-a-Service. Through IaaS, you can rapidly spin up servers and compute layers and manage them with elasticity. Additionally, large-scale “blob stores” for data storage (like AWS S3) are globally distributed systems that give even the smallest teams the ability to store petabytes of information.

Platform as a Service (PaaS)

Globally, 52% of organizations use some form of Platform-as-a-Service (PaaS) to develop applications. The vast majority – 94% – of IaaS/PaaS use is in Amazon Web Services (AWS). But 78% use both AWS and Azure, which means many developers have multiple accounts that need to be managed and protected with consistency. Unfortunately, of those organizations using PaaS, 27% have experienced data theft.

Software as a Service (SaaS) and web applications

The average enterprise uses approximately two thousand cloud services, an increase of 15% over last year, mainly due to SaaS growth. About 70% of these are business applications, such as Office 365, Salesforce.com, Hubspot, project management tools, helpdesk software, online notebooks, accounting software, and collaboration and social media platforms.

There are a number of challenges inherent to managing SaaS and web systems using the same tools you use for user identities, access and permissions. Each SaaS and web application has different ways of configuring login, authentication, access control, and management rules.

Make sure you understand key cloud definitions.

3. Benefits of PAM in the cloud

Security products have lagged a bit in the transition to the cloud but are now migrating rapidly. In fact, Gartner says almost one third of solutions for Privileged Access Management will be in the cloud by the end of next year. Our own Thycotic survey of security professionals from Black Hat showed that 21% of companies have adopted a PAM solution hosted in the cloud or plan to do so. An additional 26% are looking to transition from their on-premise PAM solution to a cloud-based one.

Only modern PAM that resides in the cloud can meet the security demands of PAM for the cloud. A cloud-based PAM solution can scale easily. It can match the growth of your privileged accounts, applications, and users without slowing down other resources or losing control. PAM designed for the cloud enables tighter integration between secrets, cloud-based infrastructure, and cloud-based applications, which reduces your security risk.

There are also a number of operational benefits to PAM in the cloud:

  • Assure high availability and geo-redundancy – You can’t underestimate the confidence that privileged access will always be there despite service disruptions or outages.
  • Minimize upfront investments – Cloud-based solutions with pay-as-you-go models avoid the demands of increasing capital expenses in IT budgets already stretched to the limit.
  • Reduce time on maintenance – Avoiding server maintenance and software upgrades takes the burden off staff, giving them more time to devote to higher-level tasks.
  • Hit the ground running – Cloud PAM has no hardware or software to buy or maintain, so it’s easier to set up and see results quickly. You have peace of mind knowing you’ve always got the latest version installed.

Companies migrating to PAM in the cloud are quickly realizing the benefits.

4. Cloud risks and vulnerabilities

As your organization shifts to the cloud, security practices and controls need to support new use cases and risks to privileged accounts. Working from anywhere they like, your technical users are managing critical infrastructure and development platforms, and business users are accessing a constantly changing set of web applications.

Without adequate policies and oversight, cloud users can skirt security best practices; they may share credentials, neglect to change them regularly, or leave them exposed.

As a result, over 80% of organizations operating in the cloud experience at least one compromised account each month, stemming from external actors, malicious insiders, or unintentional mistakes, according to McAfee.

In the past year, 77% of cloud breaches involved compromised credentials, as reported in the 2020 Verizon Data Breach Report.

Most cloud breaches will be the customer’s fault

In a cloud environment, managing privileged access to workloads, services and applications remains your responsibility, not the cloud provider’s. It’s also your responsibility to make sure data going to and from the cloud (via web browsers, email, file exchanges such as SFTP, APIs, SaaS products, and streaming protocols) is properly secured.

Unfortunately, many organizations aren’t adequately implementing and enforcing these policies around privileged access. The vast majority of cloud misconfigurations and inconsistent controls are the customer’s fault, not the cloud provider’s. As Gartner warns, “The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology.”

5. Securing privileged accounts with PAM for the cloud

Privileged Access Management (PAM) reduces cloud risk with controls for authentication, authorization, and auditing.

As your business becomes more reliant on the cloud for infrastructure, application development, and business process automation, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and DevOps toolchains are vulnerable to privileged account attacks.

Even with multiple business and technical functions utilizing different types of cloud resources, it’s possible to have a consolidated view of privileged access across your organization and manage those privileges according to consistent policies. Look for PAM tools that fit seamlessly into different cloud scenarios. Prioritize automation and simple, policy-based control over human intervention and complexity.

PAM for IaaS and PaaS

Privileged Access Management protects credentials and accounts associated with cloud platforms such as AWS, Azure, and Google Cloud. Specifically, PAM protects root accounts for servers you set up in the cloud, limits privileged access to the cloud control panel, and governs ongoing access to privileged resources in the cloud.

PAM solutions allow people and resources to use cloud systems, while limiting the actions they can take. With PAM for the cloud, teams can automatically establish new compute instances, connecting securely to a vault with SSH or Remote Desktop Protocol (RDP) to automatically retrieve credentials. In DevOps organizations, where a broad range of cloud resources are continuously created, used, and retired at large scale, PAM automates high-speed secret creation, archiving, retrieval and rotation.

PAM for SaaS and web-based applications

PAM removes the human element from securing SaaS credentials. Instead of multiple, insecure passwords, PAM tools allow a single secret to be kept under tight control in a central, secure vault. From a central hub, you can control access to web applications and actions users can take at a granular level.

6. Securing privileged accounts with PAM for the cloud

With some advanced planning and a close partnership, it’s possible to migrate smoothly and efficiently, with near-zero loss of PAM availability and functionality during the move. When the migration is done, you’re likely to end up with a more organized, streamlined instance that gives you more visibility and easier PAM management than before.

Test out Thycotic’s PAM solutions to solve your cloud security challenges

Thycotic Secret Server

Discover privileged accounts, vault credentials, ensure password complexity, delegate access, and manage sessions.

Thycotic Privilege Manager

Remove local admin rights and implement policy-based application control in a single solution.

Cloud Access Controller (CAC)

Increase security for cloud resources such as web applications.

Remote Access Controller (RAC)

Empower remote workers and third parties to be secure and productive.

Privileged Behavior Analytics

Increase accountability and oversight of service account management.

Connection Manager

Access a single interface to initiate and manage privileged sessions.