Privileged Access Management (PAM) is a set of principles and practices to control, monitor, and secure access to critical resources by human and machine identities. If you google the term, you will also come across Privileged Identity Management (PIM), Identity & Access Management (IAM), Privileged Session Management (PSM), and more. In simpler terms, PAM ensures that privileged users have right-sized permissions to access critical resources. Critical resources are the infrastructure, applications, or data essential to an organization's operations, whose compromise or unavailability may cause significant harm.
Privileged Access Management (PAM) is essential for organizations to protect their critical assets, maintain data security, and meet compliance requirements. The PAM market has experienced significant growth and evolution because of cloud computing. The growth of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) has been driven by several factors, including scalability, flexibility, and cost-effectiveness. While Cloud Service Providers (AWS, GCP, Azure, and others) offer many benefits, they also present several cybersecurity challenges for enterprises.
Legacy PAM solutions lack the flexibility needed to adapt to the cloud. Their jump-box-based architecture cannot scale to cloud services, where resources are created and destroyed continuously and are reached through APIs rather than a fixed set of hosts.
A modern PAM needs the following key features:
1. Deep integration with Cloud Service Providers: AWS, GCP, and Azure each expose 10K+ permissions and API endpoints to manage. Further, each CSP has its own policy syntax. Administrators find it overwhelming to manage permissions for users and often end up granting broader access than needed. The PAM solution needs to leverage the APIs provided by Cloud Service Providers to programmatically provision and revoke access, create roles, create short-term credentials for time-bound access, support cloud-native tools, and cover every kind of cloud resource. Enterprises need a unified, seamless multi-cloud experience to protect data, resources, and applications and to improve operational efficiency.
2. Self-service portal for developers: Okta implemented a self-service portal for SaaS applications. A typical enterprise has a few hundred SaaS applications but tens of thousands to hundreds of thousands of cloud resources. Today, most administrators grant blanket access (for instance, a * wildcard in the Action or Resource field of an AWS policy) because there is no simple way to limit the set of resources per user at scale in a dynamic environment. DIY solutions take more work to build and maintain. Further, developers often share credentials (SSH keys, AWS CLI credentials, DB passwords, etc.) over Slack or other communication channels to collaborate. Enterprises need an extensible self-service portal that supports:
- Just-In-Time access: Provide time-bound access to critical resources.
- Least-privilege access: Developers select only the permissions they need for their resources.
- Sharing of resources among teams without sharing static credentials.
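The two points above (programmatic, time-bound access through the provider's policy language, and replacing blanket * grants with a scoped set of permissions and resources) can be made concrete with a small AWS-flavoured example. The following code is an added illustration, not code from the original article or from any PAM product: it builds a least-privilege IAM policy document whose single statement stops matching once the clock passes a deadline (the real aws:CurrentTime condition key with the DateLessThan operator), and lints an existing policy document for the blanket-access patterns the text describes. The account, bucket name and date are constructed sample values.

```python
"""Least-privilege, time-bound cloud policy generation and a blanket-access linter.

Added example. SAMPLE_NOW, SAMPLE_BUCKET_OBJECTS and BLANKET_POLICY are constructed
values for illustration; the policy grammar (Version, Statement, Sid, Effect, Action,
Resource, Condition) and the aws:CurrentTime / DateLessThan condition are real IAM.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample values; not a real account, bucket or date.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_BUCKET_OBJECTS = "arn:aws:s3:::example-team-bucket/*"


def jit_policy(actions, resource_arns, hours, now=None):
    """Build an IAM policy that allows only `actions` on `resource_arns` and that
    no longer matches once the request time passes now + hours (just-in-time access)."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JustInTimeScopedAccess",
            "Effect": "Allow",
            "Action": sorted(set(actions)),            # explicit actions, never "*"
            "Resource": sorted(set(resource_arns)),    # explicit ARNs, never "*"
            "Condition": {"DateLessThan": {"aws:CurrentTime": expires}},
        }],
    }


def as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return one finding per blanket-access pattern found in each Allow statement."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"{sid}: '{action}' grants every action of a service")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies to every resource in the account")
        if "Condition" not in stmt:
            findings.append(f"{sid}: no Condition, so the grant is standing rather than time-bound")
    return findings


# Constructed example of the blanket policy administrators often fall back to.
BLANKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingEverywhere", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    scoped = jit_policy(
        ["s3:GetObject", "s3:ListBucket"],
        [SAMPLE_BUCKET_OBJECTS, "arn:aws:s3:::example-team-bucket"],
        hours=4, now=SAMPLE_NOW)
    print(json.dumps(scoped, indent=2))
    for finding in lint_policy(BLANKET_POLICY):
        print("finding:", finding)
```

In a self-service flow the generated document would be handed to the provider as a session policy when the short-lived credentials are minted (for AWS, the Policy and DurationSeconds parameters of sts:AssumeRole), so the scope and the lifetime travel with the credential rather than living in a standing role. The linter is the kind of check a portal can run before it lets a developer submit a request, and the same check applied to existing roles is a cheap way to find the blanket grants the article warns about.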
3. Decentralized approval systems: In centralized IT systems, administrators are flooded with requests of the form "can you add one more permission to this resource?" Centralized IT teams are often backlogged with tickets. Resolving a ticket is a laborious process involving back-and-forth between the requester, the resource owner, and the central IT team, so approvals take a few days. The solution is not to hire more people to handle tickets but a decentralized system in which the team that owns a resource can approve access to it directly.
4. Strong user & device identity: Contractors and employees are globally located, and security is only as strong as the weakest link, so establishing a strong user and device identity is the first step in avoiding breaches. Regulations such as GDPR, CCPA, HIPAA, and PCI DSS require organizations to protect personal data by implementing strong user and device identity controls, including multi-factor authentication, encryption, and identity lifecycle management. Organizations need a trail of who accessed what, when, for how long, from which device, and with which permission. Shared static credentials make it impossible to attribute an access to a person, and so to audit who accessed what, when, and for how long. The authentication and authorization systems need to be tightly coupled with the PAM solution to mitigate the risk from cyber attackers. YubiKeys provide a strong identity but create a cumbersome user experience. A Trusted Platform Module (TPM) chip is now ubiquitous on modern laptops, and PAM solutions can use it to anchor device identity.
5. Continuous compliance: Many organizations are subject to regulatory requirements that mandate strict controls over privileged access. As the number of permissions, resources, and users to manage increases, compliance becomes increasingly challenging. A modern PAM needs to automate compliance checks, provide pre-built compliance frameworks such as PCI DSS, HIPAA, and GDPR, and simplify the process of access reviews.
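Points 3, 4 and 5 describe one workflow: a request is approved by the team that owns the resource rather than central IT, the resulting access is bound to a verified user and device and expires on its own, every decision leaves an audit record, and a recurring review catches anything that has outlived its approval. The following broker is an added example written for this article, not code from any PAM product. The resources, teams, people and device identifiers are constructed; the attested-device set stands in for whatever hardware-backed identity (for example a TPM-bound key) the real system would verify, and the clock is injectable so that expiry can be exercised deterministically.

```python
"""Owner-approved, device-bound, time-limited access grants with an audit trail
and an access-review check.

Added example. RESOURCE_OWNERS, TEAM_MEMBERS, ATTESTED_DEVICES, T0 and all names
are constructed sample data; nothing here is a real account, person or device.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:orders"       # constructed
BUCKET_ARN = "arn:aws:s3:::analytics-raw"                     # constructed
RESOURCE_OWNERS = {DB_ARN: "payments-team", BUCKET_ARN: "data-team"}
TEAM_MEMBERS = {"payments-team": {"alice", "bob"}, "data-team": {"carol"}}
ATTESTED_DEVICES = {"laptop-7f3a", "laptop-91c0"}  # devices with a verified hardware identity
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


class FakeClock:
    """Controllable clock so expiry can be tested without waiting."""
    def __init__(self, now: datetime):
        self.now = now

    def __call__(self) -> datetime:
        return self.now

    def advance(self, hours: float) -> None:
        self.now += timedelta(hours=hours)


@dataclass
class Grant:
    requester: str
    resource: str
    permissions: Tuple[str, ...]
    device_id: str
    approver: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class AccessBroker:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants: List[Grant] = []
        self.audit_log: List[dict] = []  # append-only: who, what, when, how long, which device

    def request(self, requester, resource, permissions, device_id, approver, hours) -> Grant:
        """Approval is routed to the resource's owning team, not to a central IT queue."""
        owner_team = RESOURCE_OWNERS.get(resource)
        if owner_team is None:
            raise PermissionError(f"no owning team registered for {resource}")
        if approver not in TEAM_MEMBERS[owner_team]:
            raise PermissionError(f"{approver} is not a member of {owner_team}")
        if approver == requester:
            raise PermissionError("self-approval is not allowed")
        if device_id not in ATTESTED_DEVICES:
            raise PermissionError(f"device {device_id} has no attested identity")
        now = self.clock()
        grant = Grant(requester, resource, tuple(permissions), device_id, approver,
                      now, now + timedelta(hours=hours))
        self.grants.append(grant)
        self.audit_log.append({"event": "grant", "who": requester, "what": resource,
                               "permissions": grant.permissions, "device": device_id,
                               "approved_by": approver, "at": now.isoformat(),
                               "until": grant.expires_at.isoformat()})
        return grant

    def is_allowed(self, user, resource, permission, device_id) -> bool:
        """Authorization decision: a live, unrevoked grant for this user AND this device."""
        now = self.clock()
        decision = any(
            g.requester == user and g.resource == resource and permission in g.permissions
            and g.device_id == device_id and g.revoked_at is None
            and g.granted_at <= now < g.expires_at
            for g in self.grants)
        self.audit_log.append({"event": "access", "who": user, "what": resource,
                               "permission": permission, "device": device_id,
                               "at": now.isoformat(), "allowed": decision})
        return decision

    def revoke(self, grant: Grant) -> None:
        """Record that the cloud-side credential for this grant has been torn down."""
        grant.revoked_at = self.clock()
        self.audit_log.append({"event": "revoke", "who": grant.requester,
                               "what": grant.resource, "at": grant.revoked_at.isoformat()})

    def access_review(self) -> List[Grant]:
        """Continuous-compliance check: grants past expiry that were never revoked
        on the provider side still need cleanup and should appear in the review."""
        now = self.clock()
        return [g for g in self.grants if g.revoked_at is None and g.expires_at <= now]
```

The broker refuses requests that central IT would otherwise have to triage: approvals from someone outside the owning team, self-approval, and devices without an attested identity. The grant is denied for a different device even when the user and permission match, which is what "strong user & device identity" buys in practice, and the audit log records both grants and every allow/deny decision. The access_review function is the simplest form of the automated check point 5 asks for: in a real deployment it would be run on a schedule and its output fed into the access-review workflow.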