
Tenable Blog


Why Privileged Access Management (PAM) Fails Cloud Infrastructure…and What to do About it

Tenable Cloud Security

PAM, its challenges for AWS, GCP and Azure environments — and CIEM as a solution.

Privileged access management (PAM) solutions were groundbreaking in the 2000s, when they answered an acute market need to secure administrator credentials from theft. But these solutions were born on prem for on-prem needs. With growing adoption of cloud infrastructure, newer identity and access management solutions are needed to manage cloud infrastructure access by the entities that play there: human and, to a huge extent, service identities. Read on to learn about PAM, its challenges for AWS, GCP and Azure environments, and CIEM as a solution.

What is Privileged Access Management?

PAM is a set of tools or systems for managing and controlling access to privileged accounts through digital password vaults. By implementing the principle of least privilege for administrator accounts, PAM reduces the risks of privileged account credentials getting stolen and perpetrators gaining access to sensitive assets in data centers.

With PAM, privileged account credentials are placed inside a centralized, secure vault on premises or in the cloud. To gain access to any sensitive asset, administrators first need to be authenticated by the PAM system. Once authorized, they can check out the credentials and access the assets themselves. Mechanisms such as SSO and short-lived, temporary credentials further reduce the window in which a stolen credential is useful. In addition, the PAM solution monitors and logs every action, for auditing purposes and compliance regulations.

PAM was born before the cloud and answered many of the on-premises challenges that administrators and other privileged users were dealing with. It deserves credit for preventing credential theft, limiting access, tracking activities and tackling other important needs.

Five PAM challenges

Most PAM solutions on the market today were built in the pre-cloud era. As such, they answer legacy infrastructure needs but are not equipped to address the unique challenges that cloud infrastructure and its human and service identities pose.
Challenges to most of today’s PAM solutions include:

1. Lack of granularity

In enterprises, access to services and systems takes place through tens of thousands of human and service identities, and thousands of policy and configuration settings. Managing this kind of access requires granular insight into complex connections and policies, a level of depth and breadth that PAM was neither designed nor built for.

In on-premises environments, privileged users often have a defined scope of permissions for administering accounts and data center infrastructure. These permissions cover aspects like server configuration, storage and firewall management. In the cloud, entitlements extend to VMs, buckets, storage services, network configurations and more. In addition, in the cloud, access is inherited: a user or service that can assume a role, impersonate a service account or pass a role to a workload effectively gains that identity's entitlements as well, so the permissions that matter are transitive, not just the ones written on the principal's own policy. This makes things much more complex. Conventional PAM solutions cannot properly identify, manage and protect all these new entitlements.
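The inheritance point is easiest to see as a graph walk. What follows is an added example, not Tenable's code or any product's logic: the principals, permissions and trust edges are constructed and hypothetical, and wildcard actions such as `iam:*` are carried as opaque strings rather than expanded. It shows how a user whose own policy grants only `s3:GetObject` ends up able to delete a database through two chained role assumptions.

```python
"""Transitive entitlement walk over an assume-role graph (added example;
all identities and permissions below are constructed and hypothetical)."""
from collections import deque

# Permissions each principal holds directly (constructed sample).
DIRECT = {
    "user:alice":       {"s3:GetObject"},
    "role:ci-deployer": {"lambda:UpdateFunctionCode"},
    "role:db-admin":    {"rds:ModifyDBInstance", "rds:DeleteDBInstance"},
    "role:org-admin":   {"iam:*"},
}

# Trust edges: principal -> roles it is allowed to assume (constructed sample).
ASSUMABLE = {
    "user:alice":       {"role:ci-deployer"},
    "role:ci-deployer": {"role:db-admin"},
    "role:db-admin":    set(),
    "role:org-admin":   set(),
}


def reachable(principal, assumable=ASSUMABLE):
    """Breadth-first walk of the assume-role graph from `principal`.
    Returns {reached_principal: predecessor}; the start maps to None."""
    parents = {principal: None}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for role in assumable.get(current, ()):
            if role not in parents:          # cycles and diamonds are visited once
                parents[role] = current
                queue.append(role)
    return parents


def effective_permissions(principal, direct=DIRECT, assumable=ASSUMABLE):
    """Union of the direct permissions of every principal reachable by
    assumption: the entitlement that actually needs reviewing."""
    perms = set()
    for p in reachable(principal, assumable):
        perms |= direct.get(p, set())
    return perms


def assumption_chain(principal, target, assumable=ASSUMABLE):
    """Path of role assumptions from `principal` to `target`, or None."""
    parents = reachable(principal, assumable)
    if target not in parents:
        return None
    chain, node = [], target
    while node is not None:
        chain.append(node)
        node = parents[node]
    return chain[::-1]


def who_can(action, direct=DIRECT, assumable=ASSUMABLE):
    """Every principal whose effective permissions include `action`, mapped
    to the chain that grants it. Reviewing alice's own policy in isolation
    would show only s3:GetObject."""
    holders = sorted(p for p, perms in direct.items() if action in perms)
    result = {}
    for principal in sorted(set(direct) | set(assumable)):
        for holder in holders:
            chain = assumption_chain(principal, holder, assumable)
            if chain:
                result[principal] = chain
                break
    return result


if __name__ == "__main__":
    for principal in sorted(set(DIRECT) | set(ASSUMABLE)):
        print(principal, "->", sorted(effective_permissions(principal)))
    print("rds:DeleteDBInstance reachable by:", who_can("rds:DeleteDBInstance"))
```

Run as a script it prints each principal's effective permission set and the assumption chains that lead to the database-delete permission. The same walk applies to GCP service-account impersonation and Azure managed identities; only the edge source changes.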

2. Missing identity types

PAM was designed to answer a critical pain point: prevent credential theft for privileged users. However, today's cloud environments involve many new types of human and service identities and permissions (IAM roles, service accounts, workload and managed identities, federated users, and access keys and tokens with no human behind them) that PAM tools and technologies might not be equipped to manage.

3. Visibility gap

PAM solutions lack visibility into user and service actions inside the cloud infrastructure. Entitlements are too dynamic and fine-grained to enable effective monitoring and management through existing PAM solutions. Organizations need this visibility so they can assess their risks and vulnerabilities.

4. Overhead difficulties

PAM solutions require much time and effort to install and manage. They are legacy solutions that drain considerable IT and security resources.

5. High costs

PAM solutions are often costly, as they require multiple infrastructure pieces and much maintenance.

Introducing CIEM — PAM for the cloud

Cloud infrastructure entitlements management (CIEM) bridges the gaps of conventional PAM solutions. In fact, CIEM is essentially, among other things, PAM for the cloud. Like PAM, CIEM is a set of tools for managing and controlling access. It is built for the cloud, designed to manage the access of human and service identities and their entitlements to cloud infrastructure assets.

Let’s see how CIEM answers each of the PAM challenges cited above.

  • Granularity - CIEM solutions manage entitlements of identities and their permissions to resources at the most granular level, enabling detail-oriented monitoring and compliance with regulations and security standards.
  • Multiple identity types - CIEM was built for the cloud infrastructure. It did, after all, emerge as a result of a market gap. CIEM solutions manage all modern identity types - both human and service - and all their entitlements.
  • Visibility - CIEM solutions provide the deepest level of visibility into all entitlements, as well as into usage, excessive permissions and more.
  • Overhead - As SaaS solutions, CIEM tools are easy to get up and running, and straightforward to use. Effective CIEM solutions are designed for use by non-experts in the cloud security domain. They also integrate with CI/CD pipelines, making them a seamless part of the product development flow.
  • Costs - Due to their easier setup and maintenance, and automated expertise, CIEM solutions typically cost significantly less than PAM solutions.

You can try to close these gaps yourself, by inventorying identities and reviewing their entitlements by hand, or use an automated CIEM solution that will do it for you (protecting your cloud infrastructure while you grab a cup of coffee and engage in more business-promoting activities).

Getting started with CIEM

Whether you’re a PAM user or not, using a holistic CIEM solution like Tenable Cloud Security enables secure management of the human and service identities in your cloud infrastructure. Here are six steps to get started:

1. Set up your chosen CIEM solution.
2. Identify all human and service identities in your cloud infrastructure.
3. Search for any identities that have excessive access, abnormal behavior or unused permissions.
4. Assess the risks, especially toxic combinations.
5. Continuously monitor and deliver risk-reducing, least privilege remediation through CI/CD pipelines.
6. Investigate anomalies and proactively detect threats.
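The "excessive access or unused permissions" step above, as an added example rather than Tenable Cloud Security's own logic: a constructed IAM policy for a hypothetical `app-worker` role is compared against constructed CloudTrail-style events to list grants the workload never exercised, plus grants that deserve a look regardless of usage. Deny statements, conditions and the handful of services whose IAM prefix differs from their `eventSource` are deliberately left out of this simplified walk.

```python
"""Least-privilege gap check: policy grants versus observed usage (added
example; the policy and log events below are constructed and hypothetical)."""
import fnmatch

# Constructed policy in AWS IAM JSON syntax for a hypothetical role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed CloudTrail-style events, trimmed to the two fields used here.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def granted(policy):
    """(action_pattern, resource) pairs from Allow statements only.
    Deny statements and Condition blocks are ignored in this simplified walk."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                grants.append((action, resource))
    return grants


def used(events):
    """Actions observed in the log as service:EventName. The service prefix is
    taken from eventSource; a few services use a different IAM prefix
    (e.g. monitoring.amazonaws.com -> cloudwatch), which is not mapped here."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def unused_grants(policy, events):
    """Granted action patterns that no logged action matched. Wildcards in the
    policy (ec2:Describe*) are matched with shell-style globbing, so one
    DescribeInstances call is enough to mark that grant as used."""
    seen = used(events)
    return sorted({a for a, _ in granted(policy)
                   if not any(fnmatch.fnmatchcase(u, a) for u in seen)})


def broad_grants(policy):
    """Grants worth a second look regardless of usage: a full or service-wide
    wildcard action, or iam:PassRole on Resource '*', which lets the principal
    hand any role in the account to a service it controls."""
    findings = []
    for action, resource in granted(policy):
        if action == "*" or action.endswith(":*"):
            findings.append((action, resource, "wildcard action"))
        elif action == "iam:PassRole" and resource == "*":
            findings.append((action, resource, "PassRole on all roles"))
    return findings


if __name__ == "__main__":
    print("used:   ", sorted(used(EVENTS)))
    print("unused: ", unused_grants(POLICY, EVENTS))
    print("broad:  ", broad_grants(POLICY))
```

On the sample data the unused list is `iam:PassRole` and `s3:DeleteObject`, and `iam:PassRole` on `*` is also flagged as broad; in a real pipeline the observation window matters (a permission used only by a quarterly job looks unused for most of the year), which is why the remediation step above is phrased as continuous monitoring rather than a one-off cut.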

Now go grab that cup of coffee!
