Privileged Access Management Challenges When Moving to the Cloud

August 4, 2021

The move to broad-based remote work has accelerated many organizations' business requirements to move more infrastructure and services into the cloud. Gartner estimates that 80% of organizations will have migrated toward cloud, hosting, and colocation services by 2025, creating new attack surfaces and greater security vulnerabilities.

However, our research showed that between March 2020 and March 2021, 65% of organizations saw attempted attacks on their cloud environments, with 80% of those being successfully compromised.

The cloud has emerged as a considerable expansion of the attack surface, and has added new complexities, outside the on-premises data center, that organizations are still adapting to. Cyber-attackers have taken notice, and are capitalizing on accelerated cloud transformation where security may not get the time or attention needed to be effective.

Privileged Access

This is especially troublesome when it comes to privileged access. The same survey revealed that 90% of cyberattacks on these cloud environments involved compromised privileged credentials. Cyber criminals are going after the “keys to the kingdom” to get as much access as possible, find data to compromise, and profit off their devious deeds.

What are some of the complexities that the cloud and other transformative technologies are introducing to IT environments? Cloud workloads are no longer accessed only by humans; access can also be requested by machines, services, APIs, and more. Credential and entitlement enforcement has moved from shared accounts to individual identities, for greater accountability. The control posture can no longer be static, but must be dynamic, AI-driven, and risk-aware.

When it comes to the cloud, specifically, one big challenge is that different groups inside the organization will have their own requirements. The needs of the infrastructure and compliance teams are going to be much different than those of the engineering and development teams, the security and identity teams, or even the cloud architecture teams.

For example, identity sprawl can be a huge challenge when moving to the cloud. For each cloud provider you add into the mix, you're going to need a way to authenticate users to access those workloads. This can mean spinning up a completely new set of identities, all of which need to be managed, including their privileges and entitlements.

Some teams will say that’s fine, or they will want all of the credentials to be stored in a password vault. But that doesn’t solve the management challenges, or ensure compliance and accountability. This becomes increasingly relevant once organizations start using multiple cloud providers.

Solving Cloud PAM Challenges

One way to solve this challenge is with a multi-directory brokering solution, where all identities’ entitlements and privileges are still kept in the main identity repository of choice, and then access privileges are brokered out to cloud providers and workloads.

When combined with multi-factor authentication and federated access that never exposes the password, this solution presents an optimized, secure, and productive method of ensuring that only the right identities get access to the cloud workloads they are allowed to use.

Furthermore, by basing privileged access on each individual identity, least privilege access controls can enforce just enough access, just-in-time, for long enough to get the job done. Then the access rights are removed, leaving zero standing privileges and closing potential exposure points.
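The brokering model from the previous section and the just-in-time, zero-standing-privilege model described here can be made concrete in a small piece of code. The following is an added example, not code from the original post or from ThycoticCentrify: a minimal privilege broker in which eligibility lives in one central directory, every elevation is time-boxed and justified, MFA is a precondition, and expired grants disappear so that no standing privilege remains. The directory contents, workload and role names, and the `JitBroker`, `Grant` and `max_ttl` names are all constructed for the demo.

```python
"""Added example: a just-in-time (JIT) privilege broker with zero standing privileges.

Eligibility (what an identity *may* request) is kept in one central directory.
Access (what an identity *can do right now*) exists only while a time-boxed
Grant is active. All names and data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    identity: str
    workload: str
    role: str
    granted_at: datetime
    expires_at: datetime
    justification: str


class JitBroker:
    """Brokers time-boxed privileges from a central directory to cloud workloads."""

    def __init__(self, directory, max_ttl=timedelta(hours=1)):
        # directory: identity -> set of (workload, role) pairs the identity is
        # eligible for. Eligibility alone never grants access.
        self.directory = directory
        self.max_ttl = max_ttl          # hard cap on any single elevation
        self._grants = []               # currently active grants only
        self.audit = []                 # append-only record of every decision

    def _log(self, now, event, identity, workload, role, **extra):
        self.audit.append({"time": now.isoformat(), "event": event, "identity": identity,
                           "workload": workload, "role": role, **extra})

    def _expire(self, now):
        # Drop every grant whose window has closed; this is what leaves zero
        # standing privileges without anyone having to remember to clean up.
        still_live = []
        for g in self._grants:
            if g.expires_at <= now:
                self._log(now, "expired", g.identity, g.workload, g.role)
            else:
                still_live.append(g)
        self._grants = still_live

    def request(self, identity, workload, role, justification, ttl, mfa_verified, now):
        """Request elevation. Returns a Grant or raises on denial."""
        self._expire(now)
        eligible = self.directory.get(identity, set())
        if (workload, role) not in eligible:
            self._log(now, "denied", identity, workload, role, reason="not eligible")
            raise PermissionError(f"{identity} is not eligible for {role} on {workload}")
        if not mfa_verified:
            self._log(now, "denied", identity, workload, role, reason="mfa required")
            raise PermissionError("MFA is required for privileged access")
        if not justification.strip():
            self._log(now, "denied", identity, workload, role, reason="no justification")
            raise ValueError("a justification is required")
        ttl = min(ttl, self.max_ttl)    # "just long enough to get the job done"
        grant = Grant(identity, workload, role, now, now + ttl, justification)
        self._grants.append(grant)
        self._log(now, "granted", identity, workload, role,
                  expires_at=grant.expires_at.isoformat(), justification=justification)
        return grant

    def is_allowed(self, identity, workload, role, now):
        """Enforcement point: true only while an unexpired grant exists."""
        self._expire(now)
        return any(g.identity == identity and g.workload == workload and g.role == role
                   for g in self._grants)

    def revoke(self, identity, workload, role, now):
        """Early removal (job finished, or incident response). Returns True if anything was revoked."""
        self._expire(now)
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if not (g.identity == identity and g.workload == workload and g.role == role)]
        revoked = len(self._grants) < before
        if revoked:
            self._log(now, "revoked", identity, workload, role)
        return revoked

    def standing_privileges(self, now):
        """What is still active right now; the goal is for this to be empty most of the time."""
        self._expire(now)
        return list(self._grants)


if __name__ == "__main__":
    # Constructed directory: alice may become cluster-admin on prod-k8s; bob has no eligibility.
    broker = JitBroker({"alice": {("prod-k8s", "cluster-admin")}, "bob": set()})
    t0 = datetime(2021, 8, 4, 12, 0, tzinfo=timezone.utc)
    broker.request("alice", "prod-k8s", "cluster-admin", "change CHG-0000 (constructed)",
                   timedelta(minutes=30), mfa_verified=True, now=t0)
    print("allowed at +29m:", broker.is_allowed("alice", "prod-k8s", "cluster-admin", t0 + timedelta(minutes=29)))
    print("allowed at +30m:", broker.is_allowed("alice", "prod-k8s", "cluster-admin", t0 + timedelta(minutes=30)))
    print("standing privileges after expiry:", broker.standing_privileges(t0 + timedelta(minutes=31)))
    for entry in broker.audit:
        print(entry)
```

Two design points matter for a real deployment. Expiry is evaluated on every enforcement call rather than by a background job, so a missed cleanup cannot leave a privilege standing; and every decision, including denials, lands in the audit record, which is what gives the compliance and security teams the accountability the post asks for. The authentication step itself (the federated login and MFA check) is assumed to happen upstream; the broker only consumes its verdict.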

To fully benefit from rapid technological transformation, it is imperative that enterprises embrace strategies for safeguarding their infrastructure and services both during and after cloud migration. Managing a secure transformation to the cloud can be much smoother by centralizing identities, leveraging existing technology, simplifying complexity whenever possible, and always enforcing a least privilege approach to identity and access controls.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.