This document discusses best practices for managing privileged access in the cloud. It outlines some gaps in applying traditional privileged access management (PAM) tools to cloud environments, including not identifying all types of privileged identities and not reducing the attack surface. It presents some design principles for cloud-native PAM, including risk and governance awareness and converging identity governance and administration (IGA) and PAM. It also provides examples of PAM requirements for infrastructure as a service (IaaS) and software as a service (SaaS) and recommends design patterns to address PAM needs in cloud environments.
2. intelligent identity. smarter security.
Overview
• Managing privileged access in the cloud
• What legacy PAM doesn’t address on AWS
• Best practices and design principles to solve for cloud PAM needs
• PAM for IaaS – Deep Dive
3. Gaps in applying legacy PAM to Cloud
• Lift and shift of traditional and legacy PAM products onto the cloud
• Not identifying all types of privileged identities on the cloud
• Solutioning PAM for SaaS apps as if they were traditional apps
• Not reducing the attack surface
• Risk and governance as an afterthought
4. Design principles: Solving PAM needs of Cloud
• Cloud native
• Risk and governance aware
• As a service
• IGA and PAM convergence
5. Cloud native technology approach
Reference architecture (diagram): SSH and Credential Vault, Audit Vault, Analytics Engine and Containerized SSH running on AWS ECS; available on Saviynt Cloud and on-premises.
• Passwordless deployment architecture
• Automated account discovery and onboarding
• Auditability via logs and keystroke capture
• Centralized control of environmental access
• Integrated service account lifecycle management
7. #1 - Privileged Access Visibility for Federated/Local Identities
Diagram: the enterprise side (identity provider, federated groups, enterprise permissions; the organization's own access visibility) mapped to the AWS side (federated roles, policies, cloud services and resources; AWS access visibility).
8. #2 - Map privileged access and security analytics to Compliance Frameworks
Diagram: IaaS, SaaS and DevOps resources (AWS IAM, VPC, EC2, EBS, RDS, S3, ELB, ALB, VPN, Kinesis, Elasticsearch, Redshift, CloudFormation, Terraform, policies, profiles and permission sets, SFDC objects) are assessed for risk against compliance frameworks (IT General Controls, SOX, FedRAMP, HIPAA/HITECH, PCI, ITAR, NERC/CIP, CIS and more); violations flow to remediation.
9. #3 - Integrate HR systems with privileged access processes
Diagram: enterprise users, their privileges, and cloud services and resources, driven by HR joiner/mover/leaver events.
63% of organizations remove the privileged access of terminated employees only after 24 hours.
10. #4 - Manage and govern the privileged access lifecycle by converging IGA and PAM as one solution/platform
Diagram: HR joiner/mover/leaver events feed a risk evaluation (outlier, SOD, business policy, license) that enforces least-privileged access.
• Intelligent self-service / delegated access request
• Preventive policy evaluation, including license violation
• Risk-based access certification (event-based, periodic)
• Birthright provisioning
• Role / group transport and management
• Link federated access
• Segregation of duty management
11. #5 - Identify the Cloud conduits/interfaces and types of privileged identities
• Management console
• Instances / containers
• Command line
• Serverless
• Cloud databases
• APIs
• DevOps tools
12. PAM requirements for IaaS
Management console:
• Determining continuous access visibility
• Separate IDs for regular and privileged access
Instances / workloads:
• Management of privileged access given the ephemeral nature of cloud workloads
• Management of local OS user accounts
13. PAM requirements for IaaS (contd.)
Serverless:
• Just-in-time access assignment to serverless functions
• Consuming Lambda functions and services
• Alternative to managing long-term API keys
• Determine access to APIs
14. Privileged access in AWS
• Manage lifecycle of privileged identities
• Identifying accounts with super privileges
• Monitoring user-defined session names
• Visibility into usage of long-term keys
Cloud databases, command line, DevOps tools:
• Governance extensions across the IaaS ecosystem
• Inclusion of DevOps tools in IGA and PAM solutions
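Slide 12 asks for separate IDs for regular and privileged access, and slide 14 for identifying accounts with super privileges; both need a concrete rule for what "super privilege" means in an IAM policy. The following is an added example, not Saviynt's code or product logic: it classifies IAM policy statements as full admin, PowerUser-style broad access, or a hidden escalation path (an identity-write action on Resource "*"), and rolls that up per principal so you know who needs a privileged ID. The policy documents and principal names are constructed for illustration; the escalation action list is a deliberately short assumption, not AWS's definitive set.

```python
import fnmatch

# IAM write actions that let a principal grant itself more access. A policy
# that allows any of these on Resource "*" is an escalation path even when it
# is not a full "*" grant. Constructed, non-exhaustive list for this example.
ESCALATION_ACTIONS = (
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
)
LEVEL_RANK = {"admin": 3, "escalation": 2, "broad": 1}


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action wildcards (* and ?) are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def classify_statement(stmt):
    """Return a finding dict for a privileged Allow statement, else None."""
    if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
        return None
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if not_actions:
        # Allow + NotAction grants everything not listed. Treat it as "broad"
        # (PowerUser-style) only if every escalation action is excluded.
        excluded = all(any(_matches(p, a) for p in not_actions) for a in ESCALATION_ACTIONS)
        level = "broad" if excluded else "admin"
    elif any(a in ("*", "*:*") for a in actions):
        level = "admin"
    elif any(_matches(p, a) for p in actions for a in ESCALATION_ACTIONS):
        level = "escalation"
    else:
        return None
    # A Condition narrows but does not remove the privilege; report it so a
    # reviewer can judge (MFA-gated admin is still admin).
    return {"sid": stmt.get("Sid", ""), "level": level,
            "conditioned": bool(stmt.get("Condition"))}


def classify_policy(doc):
    """All privileged findings in one policy document."""
    findings = [classify_statement(s) for s in _as_list(doc.get("Statement"))]
    return [f for f in findings if f]


def privileged_principals(principal_policies):
    """Map principal -> highest privilege level across its attached policies.

    Principals listed here need a separate privileged ID; the rest keep a
    regular ID only.
    """
    result = {}
    for principal, docs in principal_policies.items():
        levels = [f["level"] for doc in docs for f in classify_policy(doc)]
        if levels:
            result[principal] = max(levels, key=LEVEL_RANK.__getitem__)
    return result


# Constructed sample policies; shapes mirror common AWS managed policies.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
POWERUSER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HIDDEN_ESCALATION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LooksHarmless", "Effect": "Allow", "Action": ["ec2:*", "iam:putuserpolicy"],
     "Resource": ["*"], "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

PRINCIPAL_POLICIES = {  # constructed principal -> attached policies
    "alice": [ADMIN_POLICY],
    "bob": [POWERUSER_POLICY],
    "carol": [DEVELOPER_POLICY, HIDDEN_ESCALATION_POLICY],
    "dave": [DEVELOPER_POLICY],
}

if __name__ == "__main__":
    for who, level in privileged_principals(PRINCIPAL_POLICIES).items():
        print(f"{who}: needs a privileged ID ({level})")
```

Two design points: the NotAction branch matters because an Allow with NotAction is a grant of everything else, so a scanner that only reads Action misses it; and a statement with a Condition is reported rather than suppressed, because the condition (MFA, source IP) changes when the privilege can be used, not whether it exists. Run against real policies by feeding the output of the IAM GetPolicyVersion / GetUserPolicy APIs, including inline policies and group memberships, or the roll-up undercounts.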
15. intelligent identity. smarter security.
SEPARATE IGA
THICK SSH/RDP CLIENT
• Temporal access elevation + privileged ID
assignment
• Workload discovery and auto-registration
• SSH key distribution and credential vaulting
as a Service
• Privileged session manager with inline
command management
• Integrated service account lifecycle
management
JUMPBOX
PERSISTENT ACCOUNTS
SOD RISK AWARE
IMPLICIT GOVERNANCE
CLOUD NATIVE
Design patterns to solve PAM needs for
IaaS and SaaS
1
5
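Slides 13 to 15 contrast persistent accounts and long-term API keys with temporal, role-based elevation, and ask for visibility into long-term key usage and monitoring of user-defined session names. The detection side of that is shown below as an added example (not Saviynt's code): it scans CloudTrail records and flags root activity, IAM users calling APIs with long-term keys, assumed-role sessions whose caller-chosen session name cannot be tied to a person, and write calls against identity control-plane services. The CloudTrail records are constructed inline and trimmed to the fields used; the session-name convention (corporate e-mail for humans, EC2 instance id for workloads) is an assumption for this example. The key-prefix rule is real: IAM user access keys begin with AKIA, STS temporary credentials with ASIA.

```python
import re
from collections import Counter

# Constructed sample CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventTime": "2019-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAEXAMPLE0000000001"}},
    {"eventTime": "2019-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/bob.smith@example.com",
                      "accessKeyId": "ASIAEXAMPLE0000000002"}},
    {"eventTime": "2019-06-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/i-0abc123def456",
                      "accessKeyId": "ASIAEXAMPLE0000000003"}},
    {"eventTime": "2019-06-01T10:09:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/session1",
                      "accessKeyId": "ASIAEXAMPLE0000000004"}},
    {"eventTime": "2019-06-01T10:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

# Assumption for this example: human session names must be the corporate
# e-mail address; EC2 instance-profile sessions carry the instance id.
HUMAN_SESSION_RE = re.compile(r"^[a-z]+\.[a-z]+@example\.com$")
WORKLOAD_SESSION_RE = re.compile(r"^i-[0-9a-f]+$")
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(.+)$")
# Control-plane services whose write calls change who can do what.
PRIVILEGED_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def credential_kind(access_key_id):
    """AKIA... keys are long-term IAM user keys; ASIA... are STS temporary."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "none"


def parse_assumed_role(arn):
    """Return (role_name, session_name) for an assumed-role ARN, else None."""
    m = ASSUMED_ROLE_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


def analyze(events):
    """Return (kind, principal_arn, event_name) findings for a list of records."""
    findings = []
    for ev in events:
        ident = ev["userIdentity"]
        arn = ident.get("arn", "")
        name = ev["eventName"]
        if ident.get("type") == "Root":
            findings.append(("root-activity", arn, name))
        if ident.get("type") == "IAMUser" and credential_kind(ident.get("accessKeyId", "")) == "long-term":
            findings.append(("long-term-key", arn, name))
        parsed = parse_assumed_role(arn)
        if parsed:
            session = parsed[1]  # chosen by the AssumeRole caller, not by AWS
            if not (HUMAN_SESSION_RE.match(session) or WORKLOAD_SESSION_RE.match(session)):
                findings.append(("unattributable-session", arn, name))
        if ev["eventSource"] in PRIVILEGED_SOURCES and not name.startswith(READ_ONLY_PREFIXES):
            findings.append(("privileged-write", arn, name))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'long-term-key': 1, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, arn, name in analyze(SAMPLE_EVENTS):
        print(f"{kind:24} {name:18} {arn}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The session-name check is the weak link: the name in an assumed-role ARN is whatever the caller passed to AssumeRole, so detection alone only tells you that someone chose "session1". To make the name trustworthy, constrain it in the role's trust policy with the sts:RoleSessionName condition key (or let the identity provider set it for federated users), and then this rule becomes a check that the constraint is actually in force. The instance-id exemption exists because EC2 instance-profile sessions legitimately carry no human identity; an environment that uses other workload naming needs that regex changed.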
16. Benefits of a converged platform
Diagram: Cloud Security, DevSecOps, IGA and PAM delivered on one platform.
Key solution drivers: modular; single platform; out-of-box controls; business-friendly; risk-driven; easy to integrate; as a service; usage-driven analytics.
17. Thank you
Saviynt is located at booth #807
Have further questions? cpam@saviynt.com, cpam-sales@saviynt.com