The infrastructure landscape has evolved drastically in how applications are hosted, developed, and accessed. This evolution presents new challenges for CISOs, Security and cloud infrastructure teams to implement security measures that keep information safe. However, it also offers an opportunity for both customers and vendors to rethink security with a greater focus on cyber prevention—a proactive mindset. 

“Doing the Right Things Right” 

Securing access to critical infrastructure, both for humans and non-humans, is the first step that must be bulletproof. As the saying goes: 

“Hackers don’t break in; they simply log in.” 

While credential-based identity access and MFA are essential, CISOs are looking beyond these approaches to ensure that privileged access to critical infrastructure entitlements is handled intelligently, drastically reducing business risk. Modern cybersecurity wisdom encourages decoupling authentication from authorization in order to implement defense-in-depth security strategies. 

Here are six foundational pillars of modern Cloud Privileged Access Management (CPAM) to guide your evaluation of privileged access strategies and any vendor solutions for the hybrid multi-cloud landscape. 

1. PROGRAMMATIC Access Harnessing Cloud Agility 

The key value proposition of the cloud and modern application development is agility. Enforce a CPAM strategy that allows for programmatic access tightly integrated into CI/CD workflows. Developers and admins must find it simple to check in and check out privileged access through a CLI or APIs so they can operate with precision and speed. 

2. READY-for-Integration with a Plug-n-Play Approach 

CPAM is a critical component of a Zero Trust security posture and must integrate with other key components of the cybersecurity stack, such as CNAPP, Observability, SIEM, and IT service desk tools. Ensure this integration is simple with minimal overhead for your operations team. 

3. ANYWHERE and Consistent CPAM Approach 

Develop a strategy that allows DevOps, Security, and Identity teams to build policies and visualize access in a unified manner across any cloud, SaaS, Kubernetes, or on-premises locations, to ensure operational consistency.


4. IN-TIME Zero Trust Authorization 

Decouple authentication from authorization and move beyond relying solely on credentials and keys to secure identities. Provide Just-In-Time (JIT) ephemeral access to applications, infrastructure, and data only when needed and for the duration required. This approach to JIT is pivotal in maintaining zero standing privileges (ZSP). 

For example, a Snowflake administrator should be authenticated through an identity provider (IDP) with multi-factor authentication (MFA), but they only assume the role of administrator when privileged access is checked out for administrative tasks. 

Similarly, developers pushing a change in production must request and check out the role needed to make changes for the required duration, drastically reducing attack vectors and minimizing risks due to elevated permissions. 
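The two scenarios above (a Snowflake administrator who is only an administrator while a grant is checked out, and a developer who checks out a production role for a bounded window) can be modelled with a small JIT access broker. The code below is an added example written for this article, not any vendor's product or API; the role names, the four-hour policy cap and the grant durations are constructed assumptions. It separates authentication (an `mfa_verified` flag that an identity provider would set elsewhere) from authorization (evaluated at the moment of use), holds no privileged roles at rest, and denies access automatically once a grant expires.

```python
"""Added example: a minimal Just-In-Time (JIT) access broker enforcing zero standing privileges (ZSP).

Hypothetical code, not a vendor implementation. Role names, durations and the
policy cap are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)  # policy cap on any single checkout (assumed value)


@dataclass
class Principal:
    name: str
    mfa_verified: bool  # outcome of IdP + MFA authentication, decided outside this broker


@dataclass
class Grant:
    role: str
    expires_at: datetime
    reason: str


@dataclass
class JitBroker:
    # roles that may be checked out, each with the longest duration policy allows
    catalog: dict[str, timedelta]
    # active grants: principal name -> role -> Grant. Empty at rest, which is ZSP.
    active: dict[str, dict[str, Grant]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def checkout(self, who: Principal, role: str, duration: timedelta, reason: str, now: datetime) -> Grant:
        # Authentication is a precondition for a grant, not a substitute for authorization.
        if not who.mfa_verified:
            raise PermissionError("authentication incomplete: MFA required")
        if role not in self.catalog:
            raise PermissionError(f"role {role!r} is not available for checkout")
        limit = min(self.catalog[role], MAX_GRANT)
        if duration <= timedelta(0) or duration > limit:
            raise ValueError(f"duration must be within (0, {limit}]")
        if not reason.strip():
            raise ValueError("a reason is required for the audit trail")
        grant = Grant(role, now + duration, reason)
        self.active.setdefault(who.name, {})[role] = grant
        self.audit.append(f"{now.isoformat()} CHECKOUT {who.name} {role} "
                          f"until {grant.expires_at.isoformat()} reason={reason!r}")
        return grant

    def checkin(self, who: Principal, role: str, now: datetime) -> None:
        # Early return of the role ends the grant before its expiry.
        if self.active.get(who.name, {}).pop(role, None) is not None:
            self.audit.append(f"{now.isoformat()} CHECKIN {who.name} {role}")

    def authorize(self, who: Principal, role: str, now: datetime) -> bool:
        """Point-of-use authorization: true only for an unexpired, checked-out grant."""
        grant = self.active.get(who.name, {}).get(role)
        if grant is None:
            return False
        if now >= grant.expires_at:
            # Expire lazily so a stale grant can never authorize an action.
            del self.active[who.name][role]
            self.audit.append(f"{now.isoformat()} EXPIRED {who.name} {role}")
            return False
        return True

    def standing_privileges(self) -> int:
        """Number of live grants; zero means the environment is back at ZSP."""
        return sum(len(roles) for roles in self.active.values())


def demo() -> dict[str, bool]:
    """Walk through the Snowflake-administrator scenario and report each check."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker(catalog={"snowflake_admin": timedelta(hours=2),
                                "prod_deploy": timedelta(minutes=30)})
    alice = Principal("alice", mfa_verified=True)
    results = {}
    # Authenticated, but no role is held at rest.
    results["no_standing_access"] = not broker.authorize(alice, "snowflake_admin", t0)
    broker.checkout(alice, "snowflake_admin", timedelta(hours=1), "rotate warehouse keys", t0)
    results["authorized_during_grant"] = broker.authorize(alice, "snowflake_admin", t0 + timedelta(minutes=30))
    results["denied_after_expiry"] = not broker.authorize(alice, "snowflake_admin", t0 + timedelta(hours=1, minutes=1))
    results["zsp_restored"] = broker.standing_privileges() == 0
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The audit list is the record a SIEM would ingest; every transition (checkout, check-in, expiry) is written with the principal, role and reason, which is what makes a later investigation of elevated activity tractable.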

5. SMART and Flexible for Cloud-Dominant Landscape 

Modern cloud and DevSecOps teams avoid agent installations, especially in the cloud, because of the administrative and operational burden they bring. Newer approaches increasingly leverage cloud-native constructs and API-driven infrastructure configuration to provide privileged access management across the hybrid, multi-cloud landscape. 

Lead with APIs in the cloud wherever possible, and extend the cloud model to on-premises with an intelligent broker approach only where there is no other option. Avoid legacy systems with rigid agent-based and proxy approaches in the cloud, to minimize unnecessary operational overhead and performance degradation. 

6. ENTITLEMENTS for Cloud Infrastructure Resources 

Cloud-native solutions understand the granular permissions needed for cloud infrastructure resources. These solutions keep up with CSP innovations, ensuring your posture remains cutting-edge. 

For instance, CSPs have over 40,000 permissions, with nearly 50% being highly sensitive. A CPAM strategy must ensure granular management of these roles with intelligently crafted policies to implement the best possible Zero Trust authorization architecture. 
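Granular entitlement management in practice means knowing what a role's policy actually expands to and trimming it to what a task needs. The script below is an added example for this article, not a CSP or vendor tool: it expands wildcard action patterns against a deliberately tiny, constructed action catalog (real CSPs publish tens of thousands of actions, and the sensitivity labels here are illustrative), reports the excess over the task's real needs, flags high-sensitivity actions that should require approval, and emits a least-privilege replacement policy.

```python
"""Added example: scope a requested cloud role down to the entitlements a task needs.

Hypothetical code written for this article. The action catalog and its
sensitivity labels are constructed for illustration and are not a CSP's data.
"""
import fnmatch

# Constructed stand-in for a CSP's action list. Action names follow the
# "service:Action" convention; labels are illustrative, not authoritative.
ACTION_CATALOG = {
    "s3:GetObject": "low",
    "s3:ListBucket": "low",
    "s3:PutObject": "medium",
    "s3:DeleteBucket": "high",
    "iam:ListUsers": "low",
    "iam:CreateUser": "high",
    "iam:AttachUserPolicy": "high",
    "ec2:DescribeInstances": "low",
    "ec2:TerminateInstances": "high",
}


def expand(patterns):
    """Expand wildcard patterns such as 's3:*' or '*' into concrete catalog actions."""
    matched = set()
    for pattern in patterns:
        matched.update(a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern))
    return matched


def review_grant(requested_actions, task_actions):
    """Compare what a role policy asks for with what the task really needs.

    requested_actions: patterns from the role being requested (may contain wildcards)
    task_actions:      patterns the job actually exercises
    """
    granted = expand(requested_actions)
    needed = expand(task_actions)
    excess = granted - needed
    high = sorted(a for a in granted if ACTION_CATALOG[a] == "high")
    return {
        "granted": sorted(granted),
        "excess": sorted(excess),                      # over-provisioned entitlements
        "high_sensitivity": high,                      # actions that warrant approval
        "needs_approval": bool(high),
        "scoped_policy": sorted(needed),               # least-privilege replacement
    }


if __name__ == "__main__":
    # Constructed request: a deploy job asks for a broad role but only reads and writes objects.
    report = review_grant(["s3:*", "iam:*"], ["s3:GetObject", "s3:PutObject"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In a CPAM workflow this review runs at checkout time: the `scoped_policy` is what gets attached to the ephemeral grant, and a non-empty `high_sensitivity` list routes the request to an approver instead of auto-approving it.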

These six pillars form the acronym “PRAISE” for easy reference: 

  • Programmatic 
  • Ready-for-Integration 
  • Anywhere and Consistent Approach 
  • In-Time Ephemeral Access 
  • Smart for Cloud and Agentless 
  • Entitlements for Cloud Infrastructure Resources 
