If you don’t lock your door, you can’t get too upset if someone wanders in and steals your stuff. Information security holds by a similar rule. If an IT asset is not well protected, it will get compromised. It’s almost guaranteed. Why, then, do we get so offended when intruders slip into our infrastructure through poorly guarded entrances? Perhaps we are more frustrated than angry. We want to “lock the doors,” but our tools won’t let us move fast enough.
Our tools are in a constant race to keep up with the rapid changes in IT.
Privileged account management in flux
Privileged account management is no exception to this race. For instance, as legacy systems gave way to distributed systems, privileged account management (PAM) has had to adapt to a bigger group of users. The proliferation of cloud computing platforms forced further PAM adaptation. More non-employee users and remote third party entities required access to newly exposed systems.
How do you want your PAM?The race rages on today with greater velocity and scope. One way that a PAM solution can respond to the challenge is to offer system owners multiple deployment options. Certainly, modern applications and data assets are no longer constrained by any one mode of deployment. We have applications and data in the cloud, on-premises, in colocation facilities and in a range of hybrid scenarios. PAM needs to be present and operating in any deployment environment and be flexible enough to match your evolving computing architecture.
The following are just a few examples of where the flavour of PAM deployment affects the efficacy of authentication and authorization (AU/AT) policy:
- The Mobile Revolution – PAM has been affected by the new (and likely permanent) consumer expectation that everyone will have instant, app-based access to their favourite brands. Many enterprises want to provision programmatic access to third party app developers through RESTful APIs. These APIs may be cloud-based or on premises. PAM has to keep up, ensuring that only authorized, authenticated developers can access the APIs and the underlying IT assets they expose. Having the option to deploy PAM in the cloud helps fulfil this requirement.
- Hybrid Architectures – The blending of on-premises infrastructure with cloud-based IT assets is a reality and a potentially long-term model for IT. Wishful thinking aside, it’s simply not possible to move all IT assets to the cloud, nor is that desirable in many cases. A great number of organizations are shifting some applications and data to the cloud and hosting others on-premises. Or, they are combining private cloud architectures in their own data centers with colocation provider resources and some traditional on-premises hosting. PAM must mitigate the risk of misuse of any IT asset, regardless of where it is hosted in a hybrid architecture.
- As-a-Service Offerings – The “As-a-Service” movement is still gaining momentum. In addition to the basic Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS), IT managers can now opt for such offerings as Backup-as-a-Service (BaaS), Database-as-a-Service (DBaaS) and others. The PAM issue with “As-a-Service” technologies is that they may require granting access to individuals who work at the service providers. Or, they may require granting machine-to-machine login rights in the cloud. PAM deployment cannot be an obstacle to a seamless AU/AT experience for the service provider.
- The Internet of Things (IoT) – The excitement over billions of smart sensors creating rich troves of data has obscured an unsettling reality: Most of that data needs to be secured regardless of where it is stored. Some IoT data is trivial and not in need of security, but in general, when there’s a cost to acquiring data there’s a reason to keep it out of the wrong hands. IoT can potentially create massive, constantly swelling “data lakes” in the cloud that may contain confidential or proprietary data. The PAM solution has to be able to perform its access granting role wherever that “data lake” might exist.
- Continuous Integration and DevOps – Another side effect of the cloud’s “spin up on demand” culture is the new, extremely rapid pace of software development. Driven by the agile software development methodology and further fuelled by elastic, fluid cloud architecture, software development teams now practice “Continuous Integration” (CI) of new code. Software release cycles, once measured in months or years, may now be days or even hours apart. PAM is on duty to define and enforce access policies for this brisk flow of newly coded, typically cloud-based applications.
Policy is one thing. Reality is another.
For each of the trends outlined above, there is a high probability of PAM circumvention if your PAM solution can’t keep up or prevents road-blocks to being utilized in the manner needed. Even a single circumnavigation creates a huge risk exposure. If PAM is delayed, or worse, totally ignored, as new IT assets are spun out into the cloud at high speed, the organization is vulnerable to unauthorized access. PAM only works when it is universally deployed and utilized.
Privileged account management that gets used
Wallix offers a PAM solution approach that is ready for the new ways of working in IT. It’s time to get ready. You will be changing your architecture. One way or another you will be impacted by the adoption of cloud computing, APIs, and CI.
The WallixAdmin Bastion (WAB) combines a lightweight, agentless architecture with a choice of deployment options. WAB can be hosted on-premises, in the cloud or as a fully managed cloud service. The result is an ability to easily manage admin access privileges even when the architecture or deployment scenario changes quickly.
WAB creates a single gateway with single sign-on (SSO) for access by system admins. This capability enables senior cloud provider managers to define and enforce access policies for all classes of employees who need specific access rights. WAB lets admins manage access rights and passwords to servers and other devices through a single console. They can control access even when the target devices are hosted in multiple, independent cloud and on-premises environments. The admin does not know the actual server log in, only the log in for the PAM solution. Staff turnover becomes less of an issue with this level of control, ensuring that critical servers cannot be accessed by individuals no longer authorized to do so. WAB also makes it possible for admins to work on any device without needing a local log-in, a big advantage in the cloud’s geographically abstract environment.