Cloud Privileged Access Management (PAM): 7 Considerations
Here’s a bold prediction: more services will move to the cloud. Not that bold, huh? That’s OK – it’s an obvious and safe bet. The real question is...how does that impact your PAM vendor selection process?
Implications for IAM leaders
In IAM, we’ve seen web access management based on open standards move to the cloud in rapid fashion. Although the move of IGA has been slower, the migration is definitely happening. All indicators point to the conclusion that the next wave will be Privileged Access Management. I make this safe bet as an implication of seeing the rapid adoption of infrastructure and platform as a service (IaaS and PaaS). These new services and the predominantly cloud-based dev ops tools used to support these environments will necessitate the management of access.
That being said, the movement of PAM to the cloud will likely be slower for technology vendors than web access management and IGA. Automating the discovery and auto-registration of PAM services will have vendor support as a prerequisite. IaaS vendors such as Amazon AWS and Microsoft Azure will likely lead the way by creating APIs to enable auto discovery. The drive to support these features will be driven by customer demand.
The current reality of hybrid cloud will likely be the norm for years to come. PAM vendors will need to support both on-prem infrastructures and platforms. This won’t be easy as the variety of access methods and APIs required will create a landscape where PAM solutions focus on solving only part of the problem (e.g. focused on a single or limited number of vendors and use cases), all or most of the problem (think of the heterogeneous-support approach big IAM suites take), or customers will require multiple tools. Despite these challenges, cloud-delivered PAM will come as the use-cases and customer desire increases.
Some of the other features to consider when selecting a PAM solution include the management of the dev ops space. If your organization develops its own applications or has a containerization infrastructure or strategy, look for a tool that can help you manage access to these environments. While you may trust those who maintain this infrastructure, the underlying principle of PAM is that nobody should be allotted blind trust and every organization wants to minimize the damage if privileged access is compromised.
If you’re in the market for a PAM solution, make sure to dig into the following areas:
- What is the vendor’s strategy for delivering their solution as a service? Will the solution be a SaaS or hosted solution? Will it be delivered by the vendor themselves or by a partner?
- What is the vendor’s support for cloud infrastructure and platform services like Amazon AWS, Microsoft Azure, and Google Cloud?
- How does the vendor’s solution integrate with cloud web access management solutions (such as Ping or Okta) and IGA solutions? What is the effort required to deploy this integration?
- What support does the vendor have for dev ops tools that your organization uses (e.g. Docker, GitHub, Chef, etc.). Talk to your development and infrastructure teams to understand what other tools they’re considering using in the future.
- Can the vendor support your hybrid cloud strategy? You may need to involve your IT architects here but that is probably obvious already.
- What capabilities does the vendor have for auto discovery and registration in those IaaS and PaaS your company uses or plans to use? This is important especially when your consider auto scaling your environment which may involve spinning up dozens or even hundreds of new servers to meet your business’ peak seasons.
- What migration strategies can the vendor recommend to transition from your current PAM strategy to one based on their solution?
Identropy can help your organization develop requirements and understand the PAM vendor landscape through our vendor agnostic advisory services. We believe the money invested in proper planning and analysis will yield cost saving in the short and long term.