Cloud Changes Everything When it Comes to PAM

June 11, 2020

My role as Director of Corporate Communications at Centrify requires me to wear many hats. One of them is heading up our public relations program and making sure we get positive press coverage of our news, as well as placement of thought leadership pieces from my incredibly smart and insightful colleagues. Another is heading up our social media program, where we amplify our news, innovation, and thought leadership on LinkedIn, Twitter and Facebook.

Recently I had an interesting moment where these two roles clashed together over something positive, where usually I’d see symmetry and alignment. My colleague Darrin Homer, who heads up our Canada business at Centrify, posted the first two parts of an article series about Privileged Access Management on LinkedIn Pulse.

My first reaction (wearing my social media manager hat) was, “Wow, this is awesome! It’s so great to see Darrin proactively sharing insights gained from his vast experience with his followers on LinkedIn.”

Then my second reaction (wearing my PR hat) was, “Shoot! I wish I would have known about these before he posted them so we could have shopped them around as bylined articles, or at the very least as a Centrify blog.”

I reached out to Darrin and asked him about it, and he provided what I thought was a very interesting response: “I wanted to be impartial. I wanted to share my thoughts and insights, not Centrify’s.”

He also told me that he collaborated on the second article in the series with Chris Owen, one of our product managers.

This is the essence of thought leadership. Anyone who knows Darrin and Chris knows that they work at Centrify, and their experiences working with our colleagues, customers, and partners shape how they see their jobs and Privileged Access Management. But they didn’t want to focus on Centrify – they wanted to focus on making two neutral, clear points as industry leaders:

  1. PAM ≠ Password Vault
  2. Cloud changes EVERYTHING

I asked Darrin if I could excerpt his article series for this blog, and I strongly encourage you to go read them now.

PART 1: BEYOND THE VAULT

Part 1 of the article series focuses more on the first point. Password vaulting has been around for almost 20 years and, as Darrin notes, “It IS a reliable means to secure and manage privileged credentials and a core tenet of PAM.”

But he also stresses that a password vault is not enough, and that vaults are being used for everything when they shouldn’t be. Furthermore, most companies are still in the midst of lengthy digital transformation efforts to modernize their IT estates, most notably hybrid on-prem and multi-cloud environments.

“IT environments look NOTHING....I repeat....NOTHING like they did 20 years ago with the MOST notable difference being cloud. CLOUD CHANGES EVERYTHING.” It’s time for cloud PAM, he concludes.

PART 2: TIME FOR LEAST PRIVILEGE

Part 2 of the article series breaks down some of the common myths with password vaults, and highlights that, “When password vaults were first designed 20 years ago, they really weren’t designed for what many companies use them for today.”

Instead, Darrin and Chris recommend a least privilege approach to PAM, especially for hybrid environments and securing access to multi-cloud environments. They point out that this is what Forrester and Gartner also recommend, with a just-enough, just-in-time (JIT) approach for zero standing privileges. It’s time to put a focused effort into going beyond the vault as we start “The Decade of Cloud PAM.”

“Least Privilege allows you to reduce the risk profile of your users by enabling them to elevate applications, tasks and commands at run time therefore allowing you to remove the admin permissions.

The great thing about implementing least privilege tools is that by doing so, you greatly reduce the change in user behaviour vs a vault-centric approach. You’re also reducing risk at the same time, so this is absolutely a win-win for all.”

Darrin advises me that part 3 will post the week of June 15. If you like what you’ve read from these two PAM industry thought leaders, follow them both on LinkedIn and be on the lookout for more great insights.

UPDATE - PART 3: CLOUD ENABLES EVERYTHING

Part 3 of the article series has posted, and Darrin points out that COVID-19 has changed everything, and multi-cloud enables and empowers the change needed for organizations to adapt and remain agile and secure as world-changing events occur.

"Cloud will play an even more important role in organizations post-COVID-19. Organizations who get this and want to drive their cloud initiatives forward need to apply the same security controls and operational disciplines across both on-prem and cloud environments. The enforcement points of these controls and the risks associated with privilege, however, have completely changed, so let's look at some of them."

Darrin then summarizes his article series in three succinct points:

  1. Password vaults should ONLY be used for break-glass and they are NOT “PAM”
  2. Least Privilege and Just-in-Time Privilege are essential to PAM
  3. A common process/workflow/solution approach is critical to securing multi-cloud and on-prem environments.