The public cloud provider business scarcely existed a decade ago. Now, this type of company is at the forefront of a revolution in IT. It’s a varied industry and one that is still evolving dramatically.
You’ve got infrastructure-as-a-services (IaaS), platform-as-a-service (PaaS), bare metal providers in the cloud, software-as-a-service (SaaS), database-as-a-service (DBaaS), disaster recovery-as-a-service (DRaaS) and others. These offerings are different but they all have one thing in common: significant exposure to security risks.
Cloud Computing Security
Cloud computing security is not inherently any worse than the security of any other infrastructure architecture. On many levels, a well-run cloud provider is more secure than most corporate data centers as they have significantly more resources than most individual corporations.
However, cloud providers do face some distinctive challenges in managing security, particularly around privileged access. Privileged access determines who can log on to the applications and infrastructure management tools that run cloud platforms. As a result, privileged access affects the security of virtually every aspect of a cloud platform, from applications to network, databases and storage.
An abuse of privileged access on the cloud infrastructure could potentially impact every customer that a cloud providers serves.
Privileged Access Management and Cloud Computing Security
Privileged Access Management, also known as Privileged Account Management (“PAM or PxM” for short) refers to the technologies and processes that govern the access levels of various users. For instance, in a cloud provider environment, a customer support technician may have a basic level of access so that he or she can see what is going on with customer systems. However, the support person will generally not be allowed to make changes to customer systems. A higher level employee will have that permission. At still higher levels, cloud provider staff will have the authority to make changes to the underlying cloud stack itself.
Tight access control and management of privileges are essential to running a secure, reliable cloud service. However, cloud providers have different, and arguably more difficult PAM challenges than the average corporate data center due to the unique nature of their operations:
Shared infrastructureSharing hardware, network and storage is the essence of cloud computing. Sharing exposes multiple clients of the service provider to risk if a malicious actor is able to penetrate the cloud platform. Data theft across multiple client instances is but one potentially negative business impact from this vulnerability. The provider must exercise maximum diligence in ensuring that only authorized people have access to the cloud platform. The instant ability to switch off access to former employees is a key countermeasure, for example.
On-demand provisioning of virtual machines
Most cloud platforms provide tools that make it easy to spin up virtual machines and databases on demand. Users can spin them down just as easily. If an unauthorized person is able to access the cloud platform, he or she can wipe out customer virtual machines or modify their configurations without permission. Similarly, users can usually reallocate memory, bandwidth and storage on demand. In the wrong hands, this ability could disrupt the availability or speed of customer systems. Access control and admin session monitoring needs to be granular enough to make sure that a malicious actor cannot modify customers systems
Compliance on behalf of clients
Cloud providers who want to adhere to compliance schemes such as PCI need to demonstrate that they manage privileged access in accordance with compliance guidelines. It is hard enough to be compliant as a standalone entity. The cloud provider faces an even more strenuous job. They have to define and enforce privileged access polices for their own people, who in turn ensure compliance for client entities.
The cloud is geographically abstract. By design, most people do not know where the cloud provider’s data centers are located. Employees of the cloud provider may not know exactly where they are, either. That’s a good thing. Geographical abstraction enhances security, especially when no one has local access rights. If an admin can walk into a cloud data center and log into a local device, that is a major vulnerability. A best practice for cloud computing security is to ensure that virtually no employees ever need direct access to admin rights on bare hardware. All transactions should flow through a PAM solution that provides auditability.
Complexity of Cloud Computing Security Demands a Simple Solution
Cloud provider operations are simply too complex and fast-moving for a solution that is difficult to deploy or use. Cloud providers require a PAM solution that is secure but also lightweight and nimble.
It’s not enough to have a PAM solution; it must be universally used. Without universal adoption of their chosen PAM solution, cloud providers will find themselves with potentially very serious security holes.
For instance, if a solution requires agents to be placed on target machines, this adds additional complexity and will retard rapid deployment and universal adoption. If this causes friction during system change cycles, PAM may be ignored or circumvented. Risk exposure grows significantly when PAM has been side-lined like this. Administrative overrides, direct local access to servers and shared passwords give malicious actors a fertile breeding ground.
PAM for Cloud Providers
The Wallix AdminBastion (WAB) is a perfect fit for cloud providers. The WAB creates a single gateway with single sign-on (SSO) for access by system admins. This capability enables senior cloud provider managers to define and enforce access policies for all classes of employees who need specific access rights. WAB lets admins manage access rights and passwords to servers and other devices through a single console. The admin does not know the actual server log in, only the log in provided via the WAB. Staff turnover becomes less of an issue with this level of control, ensuring that critical servers cannot be accessed by individuals no longer authorized to do so. WAP also makes it possible for admins to work on any device without needing a local log-in, a big advantage in the cloud’s geographically abstract environment.
WAB’s agent-less architecture is lightweight, making the solution easy to deploy and adapt in a cloud provider setting.
Wallix offers cloud providers a way to manage access privileges in a flexible, economical mode. As the cloud business continues to change and grow, WAB gives providers an adaptable solution. It can scale and flex as cloud providers alter their business models.