Azure Security Monitoring and Privileged Access Management (PAM)
Microsoft Azure offers broad, exciting new capabilities for enterprise IT. The new Azure IoT Hub, which enables large-scale deployment of Internet of Things devices, is just one example. The IoT Hub, however, presents a number of challenges, such as security monitoring on Azure.
Azure security monitoring requires robust security management tooling in the cloud. With the IoT, security monitoring on Microsoft Azure becomes even more demanding. The need to scale security monitoring and rapidly change configurations as IoT networks expand renders traditional security monitoring tools unsuitable. Cloud-native Privileged Access Management (PAM) solutions can contribute to solving this problem. By tracking privileged (administrative) access and admin sessions, they give security managers a clear, real-time view of which users are setting up or modifying Azure-based applications and remote IoT devices.
Understanding PAM in Azure
PAM refers to the processes and tooling that manage access to the administrative back ends of critical systems. A privileged user, for example, is authorized to log in to an email server as an administrator and delete accounts, modify system configuration and more. Careful control over privileged users is a cornerstone of information security. Accidental misuse and deliberate abuse of privileged accounts represent security threats. PAM serves as a countermeasure.
PAM acts as an additional countermeasure against the accidental and deliberate misuse of privileged accounts.
The shared-responsibility (two-tier) security model used by Microsoft Azure means that privileged users accessing applications hosted on the platform must be managed and monitored by the customer. Azure takes care of securing its own infrastructure and networks. Whatever happens on your Azure-based system is your problem. That is only fair. How could Azure possibly be held responsible for your user policies?
Some PAM solutions, such as WALLIX, have native instances available in Azure. With an Azure-native PAM instance, it is possible to monitor and manage privileged account sessions in the cloud. WALLIX also enables PAM across multiple clouds, edge and on-premises environments. This capability is especially useful when contemplating PAM for IoT.
PAM, Azure Security, and the Internet of Things (IoT)
The Azure IoT Hub serves as a good example of PAM challenges in the cloud due to the extreme cyber security conditions of the IoT. Three factors make the IoT an area of significant vulnerability: scale, variety, and pace of change. All infrastructure is affected by the need to scale, systemic variety, and speed of change cycles. IoT, however, takes all three of these to a truly new level.
The IoT is projected to encompass tens of billions of devices within a few years. By definition, most of them will be located far from traditional centers of InfoSec control. They will be on networks not necessarily controlled by the entities that deploy them. They represent an attack vector, an endpoint that’s tricky to secure given the scale and scope of the deployments. With multiple device types and rapid change cycles, the cloud-hosted IoT is a truly daunting security monitoring proposition.
The consequences are also significant. For example, if you’re running an electrical utility with a large number of IoT devices like remote meters and transmission sensors, you’re subject to the NERC CIP security standards. Under NERC CIP, you are obligated to rotate device passwords and terminate access for departing employees within 48 hours of termination. Realistically, this is simply impossible with on-premises identity management and access control systems. To stay compliant (and keep yourself safe from potentially devastating security incidents), you will need powerful PAM in the cloud.
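The 48-hour revocation deadline described above is something an auditor can check mechanically against the PAM audit trail. The script below is an added example, not WALLIX code or any NERC CIP tooling: it takes a list of employee terminations and a list of privileged-access grant/revoke events (all records here are constructed, with hypothetical user and target names) and reports every privileged entitlement that was revoked later than 48 hours after termination, or that is still open past that deadline. It deliberately handles the awkward cases: revocations that came in time, entitlements that were never revoked, and a recent termination whose window has not yet expired.

```python
"""Audit privileged-access revocation against a 48-hour post-termination window.

Added example. All terminations, events, user names and target names below are
constructed sample data, not records from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# The window the text states: access must be terminated within 48 hours.
REVOCATION_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str
    action: str      # "grant" or "revoke"
    target: str      # system or device the privileged account can reach
    at: datetime


def overdue_revocations(terminations: Iterable[Termination],
                        events: Iterable[AccessEvent],
                        now: datetime) -> Dict[str, Dict[str, float]]:
    """Return {user: {target: hours_past_deadline}} for every privileged
    entitlement of a terminated user that was revoked after the deadline or
    is still open after it. Entitlements revoked in time, and terminations
    whose window has not yet elapsed, produce no finding."""
    findings: Dict[str, Dict[str, float]] = {}
    events = list(events)
    for t in terminations:
        # Replay this user's events in time order to find what is still open
        # and when each closed entitlement was revoked.
        open_targets: Dict[str, datetime] = {}
        revoked_at: Dict[str, datetime] = {}
        for e in sorted((e for e in events if e.user == t.user), key=lambda e: e.at):
            if e.action == "grant":
                open_targets[e.target] = e.at
                revoked_at.pop(e.target, None)      # a re-grant reopens the entitlement
            elif e.action == "revoke" and e.target in open_targets:
                revoked_at[e.target] = e.at
                del open_targets[e.target]
        deadline = t.terminated_at + REVOCATION_WINDOW
        for target in open_targets:
            if now > deadline:                        # still open and past deadline
                hours = (now - deadline).total_seconds() / 3600
                findings.setdefault(t.user, {})[target] = round(hours, 1)
        for target, at in revoked_at.items():
            if at > deadline:                         # revoked, but too late
                hours = (at - deadline).total_seconds() / 3600
                findings.setdefault(t.user, {})[target] = round(hours, 1)
    return findings


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical users, systems and devices).
TERMINATIONS: List[Termination] = [
    Termination("alice", _ts("2024-03-01T09:00")),   # revoked in time
    Termination("bob",   _ts("2024-03-03T10:00")),   # one late revoke, one never revoked
    Termination("carol", _ts("2024-03-09T20:00")),   # window still open at audit time
]
EVENTS: List[AccessEvent] = [
    AccessEvent("alice", "grant",  "meter-gw-01",      _ts("2024-01-15T08:00")),
    AccessEvent("alice", "revoke", "meter-gw-01",      _ts("2024-03-02T08:00")),  # 23 h after termination
    AccessEvent("bob",   "grant",  "iothub-admin",     _ts("2024-02-01T08:00")),
    AccessEvent("bob",   "grant",  "substation-rtu-7", _ts("2024-02-01T08:00")),
    AccessEvent("bob",   "revoke", "iothub-admin",     _ts("2024-03-06T10:00")),  # 72 h after termination
    AccessEvent("carol", "grant",  "vault-admin",      _ts("2024-02-10T08:00")),
    AccessEvent("dave",  "grant",  "iothub-admin",     _ts("2024-02-20T08:00")),  # dave still employed
]
AUDIT_TIME = _ts("2024-03-10T12:00")


def audit() -> Dict[str, Dict[str, float]]:
    """Run the check over the constructed sample."""
    return overdue_revocations(TERMINATIONS, EVENTS, AUDIT_TIME)


if __name__ == "__main__":
    for user, targets in audit().items():
        for target, hours_late in targets.items():
            print(f"{user}: privileged access to {target} exceeded the 48 h window by {hours_late} h")
```

Run against the sample, only bob is reported: the iothub-admin revoke landed 24 hours past the deadline, and substation-rtu-7 was never revoked and is 122 hours overdue at audit time. Feeding the same function real termination dates from HR and grant/revoke events from a PAM audit trail turns the 48-hour obligation into a repeatable control rather than a manual review.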
The WALLIX PAM Solution for Microsoft Azure
The WALLIX solution for Microsoft Azure is fully certified and available in the Azure marketplace. With a multi-tenant design and an agentless architecture, WALLIX for Azure has the capacity to scale and change at the rate required for the IoT and other demanding cloud workloads. Key features include:
- One-click single sign-on access for privileged users
- Protection of sensitive credentials in a certified vault
- Automated management and cycling of passwords
- Full control and tracking of all users and actions
- SSH and RDP session management and recording
- Searchable OCR recording of RDP and VNC sessions
- Easy setup of alerts for forbidden actions and session disconnects
- Thorough audit trail
The complete WALLIX PAM solution helps organizations maintain complete control over their most critical assets.
New uses of the cloud, such as the IoT Hub on Microsoft Azure, present complex security challenges. With the right tooling, however, it is possible to monitor security on Azure while defining and enforcing privileged access policy. With an agentless architecture and an Azure-native application, the WALLIX Bastion PAM solution enables security managers to establish strong controls over privileged account access for cloud-based applications. WALLIX also provides PAM for devices like IoT sensors deployed through the Azure cloud.
Want to learn more about how the WALLIX PAM solution helps provide additional security for IoT devices deployed through the Azure cloud? Contact us.