"In preparing for battle I have always found that plans are useless, but planning is indispensable.”
Dwight D. Eisenhower
Ike would have made a great CISO. He would have understood that business is war and that war requires planning. He also knew that plans are useless. Having fought and won in World War II, this great American general knew that a paper plan was no match for the fog of battle. The process of planning, however, was indispensable.
Plans, Planning, and Cloud Security
IT operations are moving to the cloud. Exactly when, which systems, and into what type of infrastructure, we may not yet know. The deployments will inevitably change over time, too. If you’re responsible for cloud security, you need to plan with a lot of unknowns.
For privileged access management (PAM) in the cloud, the Eisenhower approach works well. Plan like crazy but don’t count on your plan. Things change. You need an approach to privileged access management that will adapt to the guaranteed-to-change realities of the cloud.
One problem is that the cloud is not monolithic. There is no “cloud” per se, especially in corporate IT. The cloud is a software architecture that can be realized through several different infrastructure designs. Most organizations will maintain some sort of mix of deployment options over the coming years. According to a survey by Science Logic, maker of cloud monitoring software, 81% of enterprises have embraced public clouds as of 2016 and already have some sort of hybrid IT environment established. Of those, a third have more than 25% of their IT in the cloud.
Hybrid IT means keeping some IT assets on premise while moving others to public and private clouds. This approach makes a lot of sense. Not everything will benefit from immediate cloud migration. Some apps will never make it. They’ll be end-of-lifed before they’re needed in the cloud. Some applications may span both domains. For example, an application might have storage located both on-premise and in the cloud.
This sounds like an effective, adaptive approach that keeps things real while taking advantage of the best the cloud has to offer. Still, you have to enforce all of your security policies no matter where your IT assets are located. Easier said than done. According to Science Logic, a third of the people who manage hybrid cloud systems are not adequately trained, with 62% “flying blind,” with little visibility into many aspects of their hybrid IT.
PAM and the Cloud
How will you deal with privileged users in this kind of environment, when you may not even know what’s going on at a basic infrastructure level?
Privileged users can get at the “back end” of your systems, making changes and setting up accounts. Privileged users are necessary, but potentially dangerous. By simple errors or intentional mischief, these users can cause huge problems through data breaches and non-compliance.
Cloud scenarios tend to reduce your administrative control over your systems. As a result, PAM related risks increase as you move operations into the cloud.
You may not always know who is accessing your systems because your PAM solution may not be set up to efficiently cover cloud-based applications. It is likely that you will lack clarity on which of your employees, as well as those of the cloud service provider have privileged access to cloud-based systems.
Is your PAM Solution Ready for Cloud Security?
As an example of PAM risk in the cloud, consider the following scenario:
An admin, who may or may not work for you, needs access to a cloud-based system. Going through the cloud provider’s management portal, he is able to get direct access to the back end. (He may even be able to get direct physical access to a server.) You may or may not be aware of his admin session and what he did. If he made a mistake and exposed the system to attack or if he in fact stole some of your IP, you might only learn about it when it hits the 9 o’clock news.
A PAM solution will mitigate this kind of risk if it is implemented correctly. PAM solutions control and monitor cloud access by privileged users. But, they have to be used in order to work. That may sound obvious but it’s a truth that’s ignored more than you might imagine. Not all PAM solutions are flexible enough to handle the tumult of moving systems out of the on-premises data center, into private clouds, then public clouds and so forth. In this case, the PAM implementation will be inconsistent. Gaps in PAM expose the enterprise to risk.
The more complex the PAM deployment process, the more likely that there will be dangerous gaps in coverage—especially in the cloud. These gaps are especially dangerous because of the complacency created by the perception that PAM is not place—when the reality is that it is not.
Moving to the cloud demands a consistent, ubiquitous PAM solution. PAM has to be easy to deploy, simple and efficient to maintain. It needs to be able to work with any privileged account on any platform. The Wallix AdminBastion (WAB) Suite is designed to play this role.
WALLIX PAM and the Cloud
WALLIX’s WAB Suite enables pervasive, sustainable deployment across cloud and on-premises infrastructure. It sets up a single gateway with single sign-on for access by system admins. This capability enables the IT department to define and enforce access policies for admins as well as for the employees who need system access. It works for systems in the public cloud and private cloud. It can span hybrid cloud and on-premise system deployments.
WAB Suite’s agent-less architecture is ideal for the cloud. WALLIX’s agentless approach eliminates the risk that changes in protected systems will require extensive revamping of the PAM solution. This is in direct contrast to most competing solutions which require a dedicated software agent on each administered device or workstation—a recipe for cloud non-compliance given the lack of control over public cloud systems.
WAB Suite gives you the tools to make PAM an enduring, pervasive and consistent part of your cloud security program. Ike would be proud of it. It enables you to make a plan for PAM that can adapt to the fog of the INFOSEC war.
For more information about the Wallix AdminBastion Suite, click below: