Why Privileged Access Management (PAM) Fails Cloud Infrastructure…and What to do About it

PAM, its challenges for AWS, GCP and Azure environments — and CIEM as a solution.

Privileged access management (PAM) solutions were groundbreaking in the 2000s, when they answered an acute market need to secure administrator credentials from theft. But these solutions were born off prem for off-prem needs. With growing adoption of cloud infrastructure, newer identity and access management solutions are needed to manage cloud infrastructure access by the entities that play there: human and, to a huge extent, service identities. Read on to learn aboutPAM, its challenges for AWS, GCP and Azure environments, and CIEM as a solution.

What is Privileged Access Management ?

PAM is a set of tools or systems for managing and controlling access to privileged accounts through digital password vaults. By implementing the principle of least privilege for administrator accounts, PAM reduces the risks of privileged account credentials getting stolen and perpetrators gaining access to sensitive assets in data centers.

With PAM, privileged account credentials are placed inside a centralized, secure vault on premises or in the cloud. To gain access to any sensitive asset, administrators first need to get authenticated by the PAM system. Once authorized, they can gain access to the credentials and access the assets themselves. Authentication methods like SSO and temporary credentials are implemented to improve security posture. In addition, the PAM solution monitors and logs every action, for auditing purposes and compliance regulations.

PAM was born before the cloud and answered many of the on-premises challenges that administrators and other privileged users were dealing with. It deserves credit for preventing credential theft, limiting access, tracking activities and tackling other important needs.

Five PAM challenges

Most PAM solutions on the market today were built in the pre-cloud era. As such, they answer legacy infrastructure needs but are not equipped to address the unique challenges that cloud infrastructure and its human and service identities pose.
Challenges to most of today’s PAM solutions include:

1. Lack of granularity

In enterprises, access to services and systems takes place through tens of thousands of human and service identities, and thousands of policy and configuration settings. Managing this kind of access requires granular insight into complex connections and policies -- a level of depth and breadth that PAM was neither designed nor built for.

In on-premises environments, privileged users often have a defined scope of permissions for monitoring native account and data center infrastructure. These permissions cover aspects like server configuration, cloud storage and firewall management. In the cloud, entitlements are extended to VMs, buckets, storage services, network configurations and more. In addition, in the cloud, identity access is inherited: users and services gain the same entitlements to identities they have access to. This makes things much more complex. Conventional PAM solutions cannot properly identify, manage and protect all these new entitlements.

2. Missing identity types

PAM was designed to answer a critical pain point: prevent credential theft for privileged users. However, today’s cloud environments involve many new types of human and service identities and permissions that PAM tools and technologies might not be equipped to manage.

3. Visibility gap

PAM solutions lack visibility into user and service actions inside the cloud infrastructure. Entitlements are too dynamic and fine-grained to enable effective monitoring and management through existing PAM solutions. Organizations need this visibility so they can assess their risks and vulnerabilities.

4. Overhead difficulties

PAM solutions require much time and effort to install and manage. They are legacy solutions that drain considerable IT and security resources.

5. High costs

PAM solutions are often costly, as they require multiple infrastructure pieces and much maintenance.

Introducing CIEM — PAM for the cloud

Cloud infrastructure entitlements management (CIEM) bridges the gaps of conventional PAM solutions, In fact, CIEM is essentially, among other things, PAM for the cloud. Like PAM, CIEM is a set of tools for managing and controlling access. It is built for the cloud, designed to manage access of human and service identities and entitlements to cloud infrastructure assets.

Let’s see how CIEM answers each of the PAM challenges cited above.

• Granularity - CIEM solutions manage entitlements of identities and their permissions to resources at the most granular level, enabling detail-oriented monitoring and compliance with regulations and security standards.
• Multiple identity types - CIEM was built for the cloud infrastructure. It did, after all, emerge as a result of a market gap. CIEM solutions manage all modern identity types - both human and service - and all their entitlements.
• Visibility - CIEM solutions provide the deepest level of visibility into all entitlements, as well as into usage, excessive permissions and more.
• Overhead - As SaaS solutions, CIEM is easy to get up and running, and straightforward to use. Effective CIEM solutions are designed for use by non experts in the cloud security domain. They also integrate with CI/CD pipelines, making them a seamless part of the product development flow.
• Costs - Due to their easier set up and maintenance, and automated expertise, , CIEM solutions typically cost significantly less than PAM solutions.

You can carry out these tasks yourself or use an automated CIEM solution that will do it for you (protecting your cloud infrastructure security while you grab a cup of coffee and engage in more business-promoting activities).

Getting started with CIEM

Whether you’re a PAM user or not, using a holistic CIEM solution like Tenable Cloud Security enables secure management of the human and service identities in your cloud infrastructure. Here are six steps to get started:

• Set up your chosen CIEM solution.
• Identify all human and service identities in your cloud infrastructure.
• Search for any identities that have excessive access, abnormal behavior or unused permissions.
• Assess the risks, especially toxic combinations.
• Continuously monitor and deliver risk-reducing, least privilege remediation through CI/CD pipelines.
• Investigate anomalies and proactively detect threats.

Now go grab that cup of coffee!