The world is becoming more cloud-native every day. Infrastructure spending is estimated to rise by 19.3 percent in 2024, partly driven by ‘new and existing mission-critical workloads.’ Investment and innovation is going hand-in-hand, as new and established businesses race to modernize architecture and provision applications. At the same time, many are demanding hyperscale and high-performance cloud providers to run AI and machine learning services.
Consumers of these new models, from monolithic institutions down to end users, have one thing in common: they expect agility, portability and freedom of choice. That’s why organizations are increasingly opting for multi-cloud and hybrid cloud strategies.
By combining and unifying on-premises and cloud, organizations can mix and match to suit their needs. That’s the goal – until you run into the age-old question of interoperability. Different cloud services have their own sets of roles, permissions and privileges, some that come secure-by-design, and others requiring degrees of hardening.
Organizations need proven ways to ensure privileged access can be managed without sprawl, increasing consistency while also boosting efficiency. Otherwise, scalability and visibility remain limited, while the attack surface expands. To achieve this reality with PAM for cloud, we recommend starting with the following five PAM best practices.
1. Centralized visibility and control
PAM in hybrid and multi-cloud environments is dynamic, and so requires a simplified and centralized solution. Correct configuration leads to advantages such as being able to record SaaS application usage to build logs for auditing and analyzing events, actions and activities. Also being able to record user sessions, isolating specific users when you want to limit lateral movement and prevent unauthorized access.
A single pane of glass becomes the focal point for implementing Role-Based Access Control (RBAC) and integrating with Microsoft Entra ID. It’s then easier to secure with auto-login through credential injection. Local server account passwords can be vaulted centrally, to be deployed and rotated in real-time, rather than kept on-premises with local deployment on one device at a time.
The reduced manual input makes it easier to scale with fewer resources, in terms of both hardware and human labor. Plus, managing access from one location helps minimize the inconsistencies and potential errors when managing multiple dashboards, each with proprietary definitions of roles to be remembered.
2. Consistent policy enforcement
Securing a PAM hybrid environment doesn’t happen in isolation. It calls for a unified approach across people, process and technology. Achieve visibility across these three components, and it becomes easier to manage real-time security and protection as part of the wider identity and access management strategy. The solution can then offer just-in-time (JIT) access for privileged accounts, with systems and networks segmented. Privileges can be granted at the point they’re required, reducing exposure to risks from perpetual privileged access.
The time-based access controls ensure a dynamic balance of usability and security, without lengthy approvals that can bring down productivity. This becomes an enabler for enforcing the principle of Least Privilege, and an alternative to other enforcement methods such as RBAC or ABAC.
Certain elements will be repeatable, and so become potential candidates for automation. For example, canceling privileges and taking actions when malicious behavior is detected. More routine activities can include predefining access rules, allowing faster self-service access at scale. Reducing the reliance on manual approvals results in a reduced risk of access errors and privilege creep, a constant threat in growing enterprises where new employees and newly merged departments are common.
3. Adopting Zero Trust architecture
Hybrid and multi-cloud are outside the traditional perimeter – a place of remote users, threats from BYOD and a security model of ‘never trust, always verify’. By default, all network devices are regarded as potential threats, and require constant verification to stay connected. The Zero Trust model is designed for this complex business environment, where no clear edge means the protective focus is on individual users, assets and resources.
NIST SP 800-207 sets out Zero Trust principles as a set “for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level.” For a Zero Trust architecture this covers:
- Locations and devices:
“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” - Sessions:
“Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.” - Resources:
"Protecting assets, services, workflows and networks accounts because “the network location is no longer seen as the prime component to the security posture of the resource.”
Identity is key to successful hybrid and multi-cloud-based Zero Trust implementation. Configuring means there can be fine-grained policies and rulesets for devices, with separate versions for applications. This allows teams to add more context to approval paths, including relevant mechanisms and alerts for anomalies, unusual behaviors and intrusion detections.
Here’s where a protocol such as multi-factor authentication (MFA) is an integral part of hardening the security posture. The distributed nature of cloud means users need to connect from anywhere – with least-privilege access only granted after identities are authenticated, authorized and encrypted. MFA turns cloud-based complexity into a security strength, because it’s less likely an attacker will be able to access all authentication factors at once.
Implementation can go beyond simply granting privileged access based on a specific factor. For example, adding granularity to validate the factor only at specific times or geolocations. Plus, there’s improved user experience for genuine first-time logins, with no need to repeatedly produce all authentication factors.
4. Regular auditing and compliance
Alongside security and Zero Trust, further drivers come from compliance and governance. There’s the rise in ‘cloud sovereignty’, where government agencies will need to meet strict requirements around data localization and access. For hybrid and multi-cloud environments, this means understanding where and how data is collected and stored, ensuring processes comply with the relevant jurisdiction and industry requirements. One example is HIPAA’s Security Rule in relation to access controls, where “rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement.”
Of course, as cloud evolves so does the definition of ‘user’. Organizations have to manage privileged access for hybrid and multiple forms of devices and applications. These entities require their own identities, much like human employees. Of course, unlike human employees, these machine identities can’t simply hand in their credentials and exit the building when it’s time to depart. Instead, the solution is to implement robust Identity Lifecycle Management to support compliance and auditing. This gives visibility of all entities, and allows automated provisioning and deprovisioning, even for elevated privileges, at scale.
5. Training and awareness
Training and awareness are essential – with rationale to explain why and encourage buy-in, rather than simply “do this, and don’t do that.” For example, educating staff to be aware of the Separation of Duties concept, and how compliance is why they may need to approve, or wait to be approved, access to resources. This can also be extended to admins, making sure there is segregation between who assigns and who receives privileged access.
For a topic framework accessible to non-technical audiences, look no further than Gartner’s four pillars of PAM:
- Track and secure every privileged account:
Tracking needs to be continuous, to mitigate attackers that only need to be lucky once - Govern and control access:
Lifecycle management is business-critical, with JIT the recommended method of ensuring no standing privileged access - Record and audit privileged activity:
Gain visibility into what privileged users are doing or changing - Operationalize privileged tasks:
This pillar highlights the importance of automation. For DevOps and RPA initiatives, delegating privileged access, plus predictable and repeatable tasks, configurations, and installations
By raising security awareness across these pillars of PAM, organizations can ensure the right balance between enabling access, mitigating risks and minimizing friction.
Cloud migration and PAM migration: Leading the way with a hybrid approach
The cloud enables businesses to enter the future. At the same time, many of these businesses were built in the past. That’s why a hybrid approach, for a ‘best of all worlds’ strategy, is often the way to go. It’s also why, “efforts to modernize will likely carry on for another five to 10 years,” according to Forrester. A PAM solution that allows this more composable approach will be business-critical for both strategic and security reasons.
Threat actors are all too aware of the gaps that can be exploited, with the CISA and NDA highlighting default configurations and improper separation of user/administrator privileges as the two most common systemic weaknesses in many large organizations, including those with mature cyber postures. This impacts everyone from IT security and operations, to DevOps and compliance, through to business leaders and decision-makers. In fact, it impacts anyone within an enterprise that needs access to an application, service or system.
Following the best practices above are a step towards successful PAM. It starts with centralizing processes, for consistent control across cloud environments. The resulting foundation provides the platform for enforcing policies and introducing or accelerating automation. Of course, that is, as long as automation comes with the strict controls for adopting Zero Trust architecture.
The continuous monitoring and adaptive controls secure the business and create an auditable trail to satisfy compliance and regulatory requirements. An added protective layer comes from equipping human workers with PAM expertise, educating and training. Combining these best practices means enhanced security for hybrid and multi-cloud environments, with the flexibility, scalability and visibility that’s needed for PAM.
By now you may be wondering about next steps for PAM in hybrid and multi-cloud. You can get started right here, with a free trial of our PAM solutions.