Cloud Security, Privileged Access Management

Cloud Password Management with PAM

Confidence in cloud security is growing. According to the Ponemon Institute’s 2018 Global Cloud Data Security Study, the percent of IT managers who feel that it is difficult to secure confidential or sensitive information in the cloud has fallen from 60% in 2016 to 49% today. That trend notwithstanding, many in the industry still feel cloud security is difficult to achieve. The same study reveals that 71% of IT managers believe is more difficult to apply conventional information security in the cloud computing environment, while 51% think it is more difficult to control or restrict end-user access.

While confidence in cloud security is growing, many IT managers believe it’s difficult to apply conventional information security practice to cloud computing.

Hidden in that last finding is the challenge of managing user passwords in the cloud. This is particularly true for privileged users, who can access administrative back-ends of cloud-based systems. Keeping track of password assignments and rights can be hard enough on-premises. In the cloud, it can be quite daunting. Password sharing, for example, which is already a potential risk on-premises, is more pronounced when third parties can use shared passwords to access cloud back-ends from anywhere. Now, with the use of Privileged Access Management (PAM) solutions, it becomes possible to implement strong password controls that work across on-premises, cloud, and hybrid environments.

Privileged Access Management (PAM) helps implement and enforce strong password controls across all types of computing environments.

The Cloud’s Two-Tier Security Model

To understand why security managers appear to be more confident in the overall security of the cloud but still skittish about protecting sensitive data assets in the cloud, it’s necessary to grasp the cloud’s two-tier security model. With most cloud service agreements, security responsibilities are divided between the cloud provider and the customer. The cloud provider secures the cloud infrastructure itself, including the network as well as computer and storage hardware. Clients tend to like this, as the cloud provider usually has more robust infrastructure security than even a sophisticated enterprise.

The customer, however, is responsible for the security of the data and applications it runs in the cloud. This makes sense, after all. If the customer installs a database in the cloud, for instance, how would the cloud provider know who was authorized to access it? This is where the worries about end-user access start to gain traction.

How PAM Solutions Work

A PAM solution governs privileged user access rights. Most PAM solutions are able to assign access rights to a particular system, but then revoke them when necessary. For example, an administrator may need to be able to change settings on an email server. However, when that user leaves the role (or the company), his or her right to get inside the email server should be taken away. PAM solutions may provide monitoring and even recording of privileged account sessions. That way, if there is suspicious activity or a security incident, security staffers can quickly know who has done what.

The WALLIX Bastion PAM solution lets super administrators define access for privileged users to all systems. Super admins can grant and revoke privileges centrally using rules. The solution covers full access control to devices, servers, databases, and applications using criteria like IP address, username, time frames, and protocol. Time delimited access grants are also possible. Some PAM solutions also offer password management.

A PAM solution helps administrators maintain control and oversight over who has access to what within critical systems.

Password Management and the Cloud—the Role of PAM

Password management can work in concert with PAM to deliver a high level of security for cloud data assets. While there are of course standalone password management solutions, the addition of PAM creates a more holistic set of controls and a higher level of visibility into password assignment and use.

WALLIX, for example, manages and secures all passwords and SSH keys in a certified vault using the encryption algorithm AES 256. It has an open architecture, so it can integrate with other password vaults as needed. The WALLIX Password Manager can schedule password and SSH key rotation and revocation. Application authentication comes from credentials and SSH keys validation against the WALLIX PAM solution. Hard-coded passwords and identification configuration files can be deleted from systems in the cloud.

WALLIX offers granular password management so super admins can define and enforce password policies across cloud and on-premises security workflows. In this way, WALLIX maintains control over shared accounts, service accounts, and hard-coded passwords. The risk from shared passwords being misused in the cloud is greatly reduced.

Privileged users can only access services via WALLIX. In fact, they can’t even know the actual system passwords. WALLIX then augments password management by tracking and monitoring all connections and actions taken by privileged users. The solution can record privileged account sessions in video format, showing the exact administrative actions are associated with a given password.

The WALLIX password manager gives super administrators the power to define and enforce password policies.

Cloud Password Management with WALLIX

PAM solutions like WALLIX enable improved password management in the cloud. They provide centrally-managed password controls that span cloud and on-premises infrastructure. The PAM solution augments the capabilities of the password manager, connecting password controls with account access privileges and monitoring privileged account sessions. In the case of WALLIX, the solution prevents privileged users from even knowing what their cloud passwords are. This greatly reduces the risk of unauthorized cloud access, especially from shared passwords.

Want to learn more about the complete WALLIX Bastion PAM solution including the password manager? Contact us.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Cloud Password Management with PAM

The Cloud’s Two-Tier Security Model

How PAM Solutions Work

Password Management and the Cloud—the Role of PAM

Cloud Password Management with WALLIX

Will you survive your next security audit?

Why Retailers need Privileged Access Management

Related Blogs

Related Resources

Products

Solutions

Resources

About