Privileged Access Management (PAM) for MSSPs Using AWS
Amazon Web Services (AWS) present a good news story for service providers, but security challenges remain. AWS gives service providers a way to grow their businesses without having to deal with many of the hassles and costs of maintaining cloud infrastructure. A Managed Security Services Provider (MSSP), for instance, can let AWS do the heavy lifting for them, supplying an essentially infinitely scalable infrastructure.
While AWS assumes responsibility for securing the infrastructure, the service provider remains on the hook for securing its own applications. This responsibility includes the management and monitoring of privileged (admin) users, who pose a potentially significant threat if not well controlled.
AWS secures the infrastructure, but MSSPs must still secure their own applications.
The Impact of the Two-Tier Security Model
AWS, like most major cloud infrastructure providers, works on a “two-tier” security policy. They defend the infrastructure itself, including the network and underlying hardware. The service provider-client has to establish security policies and enforcement mechanisms that are adequate to fulfill their business objectives.
Service providers have to provide their solutions to individual customers on top of AWS. There are many factors involved in delivering a secure service, including operations like malware scanning and applying patches. However, management of privileged users emerges as one of the most critical tasks for security. The service provider needs to be sure that only the right people can access the administrative back ends that power their solutions. Without this kind of control, vulnerabilities abound.
The Importance of PAM for Service Providers on AWS
Privileged Access Management (PAM) involves managing, monitoring, and auditing the activities of privileged users. A privileged user has “root” access, able to perform tasks like:
- Changing system configurations.
- Installing software.
- Creating and modifying users.
- Accessing or modifying secure data.
- Modifying administrative privilege levels of others and themselves.
PAM is a big job for any organization. For service providers on AWS, the scope of PAM is doubled. The service provider has to stay on top of its own privileged users. It should also enable its customers to maintain a degree of control over their own privileged users.
For example, an MSSP has to track how its own employees set up and modify the MSSP solution on AWS. Then, when the MSSP’s clients get their own cloud-based instances of the MSSP solution, they will want to control which of their users can get root access. The MSSP client’s ability to function effectively will be determined in large part by this PAM capability. Things grow even more complicated if any of these entities utilize contractors, remote, or automated users. Their privileges are necessary for system updates and maintenance.
How PAM Works for an AWS-based Service Provider
A PAM solution provides a secure centralized solution for the authorization, re-authorization, and monitoring of all privileged users on the AWS-based solution. It enforces policies that restrict privileged users from bypassing security systems, protecting not just against “insider” threats, but also against hackers seeking upgraded privileges from hijacked account access.
PAM provides organizations with a centralized solution to authorize, reauthorize, and monitor all privileged users.
Typical PAM solution features include:
- Granting privileges to users only for systems on AWS for which they are authorized.
- Granting access to AWS only when it’s needed and revoking access when the need expires.
- Avoiding the need for privileged users to have or need passwords for systems hosted on AWS.
- Centrally and quickly managing access over a disparate set of heterogeneous systems on AWS.
- Creating an unalterable audit trail for any privileged operation occurring on AWS.
- Generating analytics and predictions about privileged users’ behavior.
The WALLIX PAM solution for service providers on AWS
WALLIX offers a PAM solution designed for service providers operating on AWS. Running on an Amazon Linux AMI environment, the WALLIX AWS solution is powered by Amazon’s AWS Elastic Compute Cloud (Amazon EC2). It’s multi-tenant, enabling each service provider customer to have their own dedicated instance with PAM features like:
- One-click single sign-on access for privileged users on AWS.
- Protection of sensitive credentials for AWS-hosted applications in a certified vault.
- Automated management and cycling of passwords used on AWS.
- Full control and tracking of all AWS users and actions.
- SSH and RDP session management and recording.
- Searchable OCR recording of RDP and VNC sessions.
- Easily setup up forbidden actions on AWS with alerts and session disconnects.
- Unimpeachable audit trail of privileged account sessions on AWS.
WALLIX PAM provides the tools organizations need to maintain control over their most critical resources.
Ensuring AWS Security with PAM
PAM is just one part of providing security for a service running on AWS, but it is arguably one of the most critical. Privileged access is at the heart of many security countermeasures and processes. It is essential that a service provider working with AWS be able to identify who in their organization, and their clients’ organizations, is authorized to administer AWS-hosted solutions. Then, they need to monitor privileged account sessions and build an audit log of activity so they can be alerted in the event of suspicious activities. Session recording helps with incident response if there is a problem. Service providers building on AWS should consider PAM as a “must have” for the security of their solutions.
Interested in learning more about how the WALLIX solution can help your organization ensure AWS security? Contact us!