November 30, 2018

We broke the IT security perimeter

Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so. A classic example is a highly-guarded military facility. In IT security, experts have spent decades building a security perimeter for a world where servers were mostly physical and the environment mostly static. Now the mandate from the bean counters is to open the perimeter – or at least a healthy chunk of it – to the cloud.

The cloud undoubtedly offers the tremendous business benefits of flexibility, scalability and, above all, cost savings. But...

We’ve been asked to go “beyond the wall.”

Is our identity and access management ready for the cloud?

Going outside the perimeter is a terrifying prospect for IT security professionals. We’ve spent 25 years building some very expensive (fire) walls and complex intrusion detection systems, and now what? We’re going to put our systems and data outside, really?

Identity management tools that have worked so well to protect the perimeter of the past are having to adapt rapidly to fit the elastic cloud of the future. However, there are challenges with identities on both sides: rapidly scaling cloud architecture and cloud-borne applications as the destinations, and an explosion in the identities of people and things that need to get connected. This is what Gartner has to say about the matter:

“The number of identities for people, things, services and robotic process automation bots keeps growing,” says Gartner senior director Homan Farahmand. “And the walls between identity domains are blurring IAM architecture.”

While the domain boundaries are shifting, regulations on who has the right to access what type of information are becoming stricter. Do I even need to mention GDPR?

I thought our IAM software handled all our privileged user access!

As if all this wasn't enough, it’s only a part of the story. There's a special group of people whose identities and access are not typically handled by IAM solutions at all. They have access to the most valuable information inside the perimeter of a company.

They develop and update the services your customers use, they access critical databases, configure applications and maintain your infrastructure. They are called privileged users.

Naturally, your privileged users already have identities that are handled by directory/IAM solutions, since privileged users also use the generally available tools just like any other employee. But this can be a pitfall:

“Organizations make the mistake of assuming they can manage privileged access in the same way they manage regular access,” says Gartner senior director Felix Gaehtgens.

When your system administrator updates databases or your developers tweak your customer-facing application, they no longer use the same tools to access their working environments. Since these users handle mission-critical data, they are supposed to use Privileged Access Management (PAM) tools to gain entry to a server and work their magic. PAM is used to control and monitor access to make sure that these trusted users are up to legitimate business with sensitive data. This stands to reason: the activities of those people who deal with particularly sensitive data should be tracked and logged.

But are traditional PAM solutions up to the task in multi-cloud and hybrid environments?

PAM should be re-imagined

“...think about the five ‘W’s’ of privileged access — who, when, where, why and what — and adopt a new operational model for PAM, one that emphasizes purpose-driven, just-in-time privileged access.” Felix Gaehtgens, Gartner.

I believe Felix is spot on with the term “just-in-time”. Unfortunately, most traditional PAM solutions offer password rotation, password vaulting and permanent access keys, which are cumbersome “all-the-time” ways to access a critical resource: the credential exists, and can be stolen or misused, whether or not anyone has a legitimate reason to use it right now. Credentials are vulnerabilities all the time. Vaults are a single point of failure.
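To make the “just-in-time” versus “all-the-time” distinction concrete, here is a small issuer and verifier for short-lived, scoped access credentials. This is an added example, not PrivX code or anything from SSH Communications Security; the principal and host names are constructed, and it signs with an HMAC where a real deployment would use CA-signed SSH or X.509 certificates so that hosts hold only the CA public key. What it shows is the property the paragraph above argues for: a credential minted for one principal, one target and a ten-minute window rejects itself after expiry, so there is no permanent key to vault, rotate or revoke.

```python
"""Toy just-in-time (JIT) ephemeral credential issuer and verifier.

Added example (not PrivX or SSH Communications Security code). An HMAC over a
JSON payload stands in for the CA-signed certificate a real deployment uses;
the lifecycle (issue for a scope and window, verify, expire on its own) is the
point being demonstrated.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real issuer holds an asymmetric CA key and hosts
# hold only the CA public key; the symmetric secret keeps this example
# dependency-free.
CA_SECRET = b"constructed-demo-ca-secret-do-not-reuse"


def _sign(body: str) -> str:
    return hmac.new(CA_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue(principal: str, target: str, ttl_seconds: int, now: float | None = None) -> str:
    """Mint a credential valid only for `target` and only for `ttl_seconds`."""
    now = time.time() if now is None else now
    payload = {
        "principal": principal,
        "target": target,
        "valid_after": int(now),
        "valid_before": int(now) + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    return f"{body}.{_sign(body)}"


def verify(credential: str, target: str, now: float | None = None) -> tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before anything else."""
    now = time.time() if now is None else now
    try:
        body, sig = credential.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(_sign(body), sig):
        return False, "bad signature"
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["target"] != target:
        return False, "wrong target"
    if now < payload["valid_after"]:
        return False, "not yet valid"
    if now >= payload["valid_before"]:
        return False, "expired"
    return True, f"{payload['principal']} admitted"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk one ten-minute grant through its lifecycle at fixed timestamps."""
    t0 = 1_543_536_000  # constructed epoch time
    cred = issue("alice", "db-prod-01", ttl_seconds=600, now=t0)
    # Flip the last hex digit of the signature to simulate tampering.
    tampered = cred[:-1] + ("0" if cred[-1] != "0" else "1")
    return {
        "within window": verify(cred, "db-prod-01", now=t0 + 60),
        "after expiry": verify(cred, "db-prod-01", now=t0 + 601),
        "other host": verify(cred, "db-prod-02", now=t0 + 60),
        "tampered": verify(tampered, "db-prod-01", now=t0 + 60),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The verifier needs no revocation list and no call back to a vault: once `valid_before` has passed, the credential is dead weight even if it leaks. Compare that with a permanent key, which stays usable from the moment it is created until someone notices it should be rotated.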

How can PAM grow to handle modern boundaries?

Grow? No! Legacy Privileged Access Management software is typically bloated with bolt-on features and technologies that contribute to spiralling costs, deployment times and maintenance requirements.

We have developed a solution called PrivX to make PAM a great fit for the age of the multi-cloud and hybrid. You can read more here about lean PAM that is fast to deploy, eliminates duplicate work, automates a lot of access provisioning work and uses just-in-time, ephemeral certificates to grant privileged access.

We had lively discussions around this topic at the IDM November event in London just recently. This was a natural place for us to be, since we are IAM/IDaaS vendor agnostic and believe our portfolios complement each other. Our Fujitsu partnership is a great example of this. By embedding PrivX, Fujitsu has bolstered their IDaaS offering to include privileged users and can offer them a superior access experience with a high level of automation and convenience.

“PAM is all about securing the keys to your kingdom,” says Gartner senior director Felix Gaehtgens. “It is one of the most critical security controls to implement.”

For more about scalable privileged access for multi-cloud, read about the latest PrivX developments.

Sami A.

Miikka Sainio

Miikka guides the software architecture and development at SSH. He has over 20 years of experience in the IT industry, building teams and developing products in startups and large enterprises.
