Cloud Password Management with PAM
Confidence in cloud security is growing. According to the Ponemon Institute’s 2018 Global Cloud Data Security Study, the percentage of IT managers who feel that it is difficult to secure confidential or sensitive information in the cloud has fallen from 60% in 2016 to 49% today. That trend notwithstanding, many in the industry still feel cloud security is difficult to achieve. The same study reveals that 71% of IT managers believe it is more difficult to apply conventional information security in the cloud computing environment, while 51% think it is more difficult to control or restrict end-user access.
While confidence in cloud security is growing, many IT managers believe it’s difficult to apply conventional information security practice to cloud computing.
Hidden in that last finding is the challenge of managing user passwords in the cloud. This is particularly true for privileged users, who can access administrative back-ends of cloud-based systems. Keeping track of password assignments and rights can be hard enough on-premises. In the cloud, it can be quite daunting. Password sharing, for example, which is already a potential risk on-premises, is more pronounced when third parties can use shared passwords to access cloud back-ends from anywhere. Now, with the use of Privileged Access Management (PAM) solutions, it becomes possible to implement strong password controls that work across on-premises, cloud and hybrid environments.
Privileged Access Management (PAM) helps implement and enforce strong password controls across all types of computing environments.
The Cloud’s Two-Tier Security Model
To understand why security managers appear to be more confident in the overall security of the cloud but still skittish about protecting sensitive data assets in the cloud, it’s necessary to grasp the cloud’s two-tier security model. With most cloud service agreements, security responsibilities are divided between the cloud provider and the customer. The cloud provider secures the cloud infrastructure itself, including the network as well as computer and storage hardware. Clients tend to like this, as the cloud provider usually has more robust infrastructure security than even a sophisticated enterprise.
The customer, however, is responsible for the security of the data and applications it runs in the cloud. This makes sense, after all. If the customer installs a database in the cloud, for instance, how would the cloud provider know who was authorized to access it? This is where the worries about end-user access start to gain traction.
How PAM Solutions Work
A PAM solution governs privileged user access rights. Most PAM solutions are able to assign access rights to a particular system, but then revoke them when necessary. For example, an administrator may need to be able to change settings on an email server. However, when that user leaves the role (or the company), his or her right to get inside the email server should be taken away. PAM solutions may provide monitoring and even recording of privileged account sessions. That way, if there is suspicious activity or a security incident, security staffers can quickly know who has done what.
The WALLIX Bastion PAM solution lets super administrators define access for privileged users to all systems. Super admins can grant and revoke privileges centrally using rules. The solution covers full access control to devices, servers, databases, and applications using criteria like IP address, username, time frames, and protocol. Time-delimited access grants are also possible. Some PAM solutions also offer password management.
A PAM solution helps administrators maintain control and oversight over who has access to what within critical systems.
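The rule model described above (grants keyed on username, target, protocol, source IP address and a time frame, revocable centrally, with time-delimited grants that lapse on their own) is easiest to reason about as a deny-by-default policy evaluator. The following is an added illustration written for this article, not WALLIX code; the rule shape, class names and sample values are assumptions. It also records every decision in an audit trail, the raw material a security team would want when reconstructing who did what.

```python
"""Rule-based privileged access decisions keyed on username, target, protocol,
source IP and a time window, with central revocation. Added illustration only;
it is not WALLIX code and the rule shape is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AccessRule:
    username: str
    target: str
    protocol: str          # e.g. "ssh" or "rdp"
    source_cidr: str       # network the administrator must connect from
    valid_from: datetime
    valid_until: datetime  # time-delimited grant: access lapses on its own
    revoked: bool = False


class PrivilegedAccessPolicy:
    def __init__(self) -> None:
        self.rules: list = []
        self.audit: list = []   # one tuple per decision, ALLOW or DENY with reason

    def grant(self, rule: AccessRule) -> None:
        self.rules.append(rule)

    def revoke(self, username: str, target: Optional[str] = None) -> int:
        """Revoke every live rule for a user (optionally on one target only), e.g. when
        the admin leaves the role. Returns how many rules were revoked."""
        hits = [r for r in self.rules
                if r.username == username and not r.revoked and target in (None, r.target)]
        for r in hits:
            r.revoked = True
        return len(hits)

    def _mismatch(self, rule: AccessRule, protocol: str, ip, now: datetime) -> Optional[str]:
        """Return why this rule does not authorise the request, or None if it does."""
        if rule.revoked:
            return "rule revoked"
        if rule.protocol != protocol:
            return f"protocol {protocol} not permitted"
        if ip not in ip_network(rule.source_cidr):
            return f"source {ip} outside {rule.source_cidr}"
        if now < rule.valid_from:
            return "grant not yet active"
        if now >= rule.valid_until:
            return "grant expired"
        return None

    def evaluate(self, username: str, target: str, protocol: str,
                 source_ip: str, now: datetime) -> tuple:
        """Deny by default; allow only if some rule for (user, target) matches fully."""
        ip = ip_address(source_ip)
        reasons = []
        for rule in self.rules:
            if rule.username != username or rule.target != target:
                continue
            why = self._mismatch(rule, protocol, ip, now)
            if why is None:
                self.audit.append((now.isoformat(), username, target, protocol, source_ip, "ALLOW"))
                return True, "matching rule"
            reasons.append(why)
        reason = reasons[0] if reasons else "no rule for this user and target"
        self.audit.append((now.isoformat(), username, target, protocol, source_ip, "DENY: " + reason))
        return False, reason


def demo() -> dict:
    """Constructed scenario: alice may SSH to the mail server from 10/8 for three hours."""
    policy = PrivilegedAccessPolicy()
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed window
    policy.grant(AccessRule("alice", "mail-server-01", "ssh", "10.0.0.0/8",
                            start, start + timedelta(hours=3)))
    now = start + timedelta(hours=1)
    out = {
        "in_window": policy.evaluate("alice", "mail-server-01", "ssh", "10.1.2.3", now),
        "wrong_source": policy.evaluate("alice", "mail-server-01", "ssh", "203.0.113.5", now),
        "wrong_protocol": policy.evaluate("alice", "mail-server-01", "rdp", "10.1.2.3", now),
        "expired": policy.evaluate("alice", "mail-server-01", "ssh", "10.1.2.3",
                                   now + timedelta(hours=3)),
        "unknown_user": policy.evaluate("bob", "mail-server-01", "ssh", "10.1.2.3", now),
    }
    out["revoked_count"] = policy.revoke("alice")   # admin leaves the role
    out["after_revoke"] = policy.evaluate("alice", "mail-server-01", "ssh", "10.1.2.3", now)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} {decision}")
```

The design choice worth noting is that the evaluator never returns a bare boolean: the reason string goes into the audit record alongside the decision, so a denied connection attempt from an unexpected network or outside the approved window is visible to security staff rather than silently dropped.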
Password Management and the Cloud—the Role of PAM
Password management can work in concert with PAM to deliver a high level of security for cloud data assets. While there are of course standalone password management solutions, the addition of PAM creates a more holistic set of controls and a higher level of visibility into password assignment and use.
WALLIX, for example, manages and secures all passwords and SSH keys in a certified vault using the AES-256 encryption algorithm. It has an open architecture, so it can integrate with other password vaults as needed. The WALLIX Password Manager can schedule password and SSH key rotation and revocation. Applications authenticate by having their credentials and SSH keys validated against the WALLIX PAM solution, so hard-coded passwords and configuration files holding identification data can be removed from systems in the cloud.
WALLIX offers granular password management so super admins can define and enforce password policies across cloud and on-premises security workflows. In this way, WALLIX maintains control over shared accounts, service accounts, and hard-coded passwords. The risk from shared passwords being misused in the cloud is greatly reduced.
Privileged users can only access services via WALLIX. In fact, they can’t even know the actual system passwords. WALLIX then augments password management by tracking and monitoring all connections and actions taken by privileged users. The solution can record privileged account sessions in video format, showing exactly which administrative actions are associated with a given password.
The WALLIX password manager gives super administrators the power to define and enforce password policies.
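The three preceding paragraphs describe one mechanism from three angles: a vault holds the real credential, a broker opens sessions on the user's or application's behalf, rotation replaces the secret without anyone seeing it, and every action is attributed to a named person rather than to the shared account. The example below, added for this article and not WALLIX code (all class and function names are hypothetical), models that flow with the Python standard library and places the hard-coded-password anti-pattern next to the brokered form so the effect of a scheduled rotation on each is visible. The vault here keeps secrets in memory; a real vault encrypts them at rest, which is the AES-256 layer the post mentions and which this example omits.

```python
"""Credential brokering: privileged users and applications receive sessions
from the PAM broker, never the target password itself. Added illustration,
not WALLIX code; class and function names are hypothetical."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone


class TargetSystem:
    """Simulated cloud host. Holds only a salted PBKDF2 hash of its admin password."""

    def __init__(self, name: str, password: str):
        self.name = name
        self._salt = os.urandom(16)
        self._digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def set_password(self, new_password: str) -> None:
        self._digest = self._hash(new_password)

    def authenticate(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, self._hash(password))


class CredentialVault:
    """In-memory stand-in for the PAM vault. Encryption at rest is omitted (assumption)."""

    def __init__(self):
        self._secrets = {}
        self.versions = {}

    def store(self, target: str, account: str, secret: str) -> None:
        self._secrets[(target, account)] = secret
        self.versions[(target, account)] = 1

    def _lookup(self, target: str, account: str) -> str:
        # Only the broker calls this; end users and applications never do.
        return self._secrets[(target, account)]

    def rotate(self, system: TargetSystem, account: str) -> int:
        """Generate a fresh random password, push it to the target, then vault it."""
        new_secret = secrets.token_urlsafe(24)
        system.set_password(new_secret)
        self._secrets[(system.name, account)] = new_secret
        self.versions[(system.name, account)] += 1
        return self.versions[(system.name, account)]


class Session:
    """Handle handed to the privileged user. It carries no credential material."""

    def __init__(self, user: str, system: TargetSystem, audit: list):
        self.user = user
        self.target = system.name
        self._audit = audit

    def run(self, command: str) -> None:
        # Each action is attributed to the person, not to the shared account.
        self._audit.append((datetime.now(timezone.utc).isoformat(), self.user, self.target, command))


class PamBroker:
    def __init__(self, vault: CredentialVault, entitlements: set):
        self.vault = vault
        self.entitlements = entitlements   # (user, target) pairs allowed to connect
        self.audit = []

    def open_session(self, user: str, system: TargetSystem, account: str) -> Session:
        if (user, system.name) not in self.entitlements:
            raise PermissionError(f"{user} is not entitled to {system.name}")
        secret = self.vault._lookup(system.name, account)   # never leaves the broker
        if not system.authenticate(secret):
            raise RuntimeError("vaulted credential rejected by target; rotation out of sync")
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, system.name, "session-open"))
        return Session(user, system, self.audit)


# The anti-pattern the post says PAM lets you remove: a password baked into the app.
HARDCODED_PASSWORD = "Winter2018!"   # constructed sample value


def legacy_connect(system: TargetSystem) -> bool:
    return system.authenticate(HARDCODED_PASSWORD)


def demo() -> dict:
    """Constructed scenario: one host, one vaulted account, one rotation in between."""
    mail = TargetSystem("mail-server-01", HARDCODED_PASSWORD)
    vault = CredentialVault()
    vault.store(mail.name, "root", HARDCODED_PASSWORD)
    broker = PamBroker(vault, entitlements={("alice", mail.name)})

    before = broker.open_session("alice", mail, "root")
    before.run("systemctl restart postfix")
    results = {"legacy_before": legacy_connect(mail), "brokered_before": isinstance(before, Session)}

    version = vault.rotate(mail, "root")   # scheduled rotation; no human sees the new value
    after = broker.open_session("alice", mail, "root")
    after.run("tail /var/log/mail.log")
    results.update({
        "legacy_after": legacy_connect(mail),   # stale hard-coded secret now fails
        "brokered_after": isinstance(after, Session),
        "version": version,
        "secret_in_session": vault._lookup(mail.name, "root") in repr(vars(after)),
        "audit_entries": len(broker.audit),
    })
    try:
        broker.open_session("mallory", mail, "root")
        results["unentitled_denied"] = False
    except PermissionError:
        results["unentitled_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the run makes concrete: after `rotate`, the application that embedded the password stops working while brokered sessions continue unchanged, which is exactly why rotation is only practical once hard-coded credentials are gone; and the `Session` object exposes user, target and audit trail but no secret, so a compromised administrator workstation yields a session handle rather than a reusable password.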
Cloud Password Management with WALLIX
PAM solutions like WALLIX enable improved password management in the cloud. They provide centrally managed password controls that span cloud and on-premises infrastructure. The PAM solution augments the capabilities of the password manager, connecting password controls with account access privileges and monitoring of privileged account sessions. In the case of WALLIX, the solution prevents privileged users from even knowing what the cloud passwords are. This greatly reduces the risk of unauthorized cloud access, especially from shared passwords.
Want to learn more about the complete WALLIX Bastion PAM solution including the password manager? Contact us.