Privilege Access Management - What Cloud Security Peeps Need to know!
Privileged Access Management in the cloud is the blind spot of your identity team, but you can change that.
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter Topic is Cloud Privileged Access Management (continue reading)
In case this is your 1st Cloud Security Newsletter!
Welcome! We are a weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast, deep diving into top-of-mind topics in emerging technology to make sure that, collectively, we feel confident securing things in this ever-changing world of Cloud, AI and whatever comes next.
Who else is here reading with you?
Ashish & Shilpi from the weekly show Cloud Security Podcast, and friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter. If you are reading this, thank you for supporting us and for sharing with your friends who like to learn a new Cloud Security topic from their industry peers every week.
This image was created by Dall-E
Cloud Security Topic of the Week
Cloud Privileged Access Management
Welcome to this week's edition of the Cloud Security Newsletter! This week we are talking about Cloud Privileged Access Management (PAM), a critical aspect of modern cloud security that's evolving rapidly with the complexity of cloud environments.
🎤 Featured Experts This Week
This week's insights come from industry veterans who have implemented Privileged Access Management (PAM) at scale:
Tyler Warren (Lead Cloud Security Engineer, USAA) - Leading security engineering efforts across public cloud at USAA
Brigid Johnson (Director, AWS Identity) - 10-year AWS identity veteran managing Access Analyzer and IAM solutions
Art Poghosyan (CEO, Britive) - With 20+ years in IAM, Art brings deep expertise in privilege management across cloud environments
📚 Definitions and Core Concepts
What is Privileged Access Management (PAM)?
In simple terms, PAM is the subset of Identity and Access Management (IAM) focused on managing and securing access for identities that hold more permissions on a system than a regular user does.
"PAM is this unique subset of IAM technologies in the domain that really focuses on the users and access that goes above and beyond the normal standard user, essentially admin level of access or privileged type of user... It usually correlates with higher risk of access as well."
Cloud PAM vs Traditional PAM
Cloud PAM represents an evolution from traditional PAM, addressing challenges unique to cloud environments:
Key differences between Cloud PAM and traditional PAM include:
🔑 Focus on identity-based controls rather than the network perimeter that traditional PAM approaches rely on.
🔄 Support for dynamic, temporary access in Cloud PAM, rather than standing privileges
🤖 Management of both human and non-human identities across your cloud environments, with the relevant cloud-native context and at cloud scale.
🌐 Scaling across multiple clouds and geographies in a dynamic fashion, which is quicker to implement with Cloud PAM
"The acronym CPAM or CloudPAM is more popular now than it used to be. But essentially it is a little bit different from the traditional PAM definition because it's much broader in a sense. It does include a lot more of a broader set of technologies."
👥 Practitioner's Perspective: Implementing Cloud PAM in Practice
🎯 Maturity Model for Cloud PAM Implementation
"We think of this as a lifecycle, …You set your permissions, you verify that they work, you verify they're not broad, and then you refine them further."
Let's break down each maturity level. You should be able to align yourself with one or more of the elements in each level. Each level builds on the one before it and can be used as a starting point for finding the gaps you may need to fill in your Cloud PAM strategy.
I will be using AWS as the example here, but these levels apply to any cloud provider.
Level 0 - Beginning State
No defined Cloud PAM strategy
Organizations operate without formal privileged access controls
Access is granted ad-hoc based on immediate needs
No standardization across teams or departments
Ad-hoc privilege management
Permissions are granted on request without formal process
No regular review of existing privileges
Multiple administrators granting access without coordination
Limited visibility into access patterns
No centralized logging of privilege usage
Unable to track who has what level of access
No monitoring of privilege escalation or unusual patterns
Basic AWS IAM usage
Simple IAM roles and policies
Limited use of AWS Organizations
No use of advanced features such as service control policies (SCPs)
Level 1 - Baseline Maturity
Identified internal vs. external access boundaries
Clear definition of organizational boundaries
Documentation of approved access patterns
Initial implementation of network segmentation
Basic SCP implementation
Implementation of foundational guardrails
Prevention of high-risk actions
Basic account protection mechanisms
Focus on crown jewel services
Identification of critical data stores
Enhanced protection for sensitive services
Specific controls for high-value assets
Manual IR playbooks
Documented response procedures
Basic incident handling processes
Clear escalation paths
Basic IaC & CI/CD integration
Initial automation of security controls
Basic policy validation in pipelines
Simple compliance checks
Initial Access Analyzer implementation
Basic configuration of Access Analyzer
Regular review of findings
Initial response to identified issues
Level 2 - Medium Maturity
Robust internal boundaries
Well-defined trust zones
Implemented least-privilege access
Regular boundary reviews
Expanded service coverage
Comprehensive service protection
Integration with multiple AWS services
Cross-account access controls
Enhanced detective controls
Advanced logging and monitoring
Automated alerting
Pattern analysis
Automated policy management
Automated policy generation
Regular policy reviews
Dynamic policy updates
Integration with CI/CD pipelines
Automated security checks
Policy validation
Compliance verification
Regular Access Analyzer findings review
Scheduled reviews
Automated remediation
Trending analysis
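Levels 1 and 2 both list "policy validation in pipelines" without saying what such a check looks like. The script below is an added example written for this newsletter, not code from AWS or from any of the featured experts: it lints an IAM identity policy for the broad grants a reviewer would reject (full admin, service-wide wildcards, privilege-escalation actions on Resource * with no condition, NotAction in an Allow) and exposes a merge gate a CI job can call. The rule set, the severities and the sample policies (using AWS's documentation placeholder account 123456789012) are assumptions; IAM Access Analyzer's policy validation and custom policy checks cover far more than this.

```python
"""Lint IAM policy documents for broad permissions before they merge.

Added example written for this newsletter; it is not code from AWS or from
any of the featured experts. It stands in for the "policy validation in
pipelines" item of Levels 1 and 2: a CI job runs it over every changed
policy file and fails the build on a HIGH finding. The rules are an
assumed, deliberately small subset of what IAM Access Analyzer's policy
validation and custom policy checks cover.
"""
import fnmatch
import json

# Actions that let a principal escalate to admin (assumed, incomplete list).
ESCALATION_ACTIONS = (
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:PassRole", "sts:AssumeRole",
)


def _as_list(value):
    """Most IAM elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(document):
    """Return (severity, sid, message) findings for an identity policy.

    `document` is a policy dict or its JSON text. Only Allow statements are
    inspected: a broad Deny is a guardrail, not a risk.
    """
    if isinstance(document, str):
        document = json.loads(document)
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(("HIGH", sid,
                             "NotAction in an Allow grants every action not listed"))
        if "*" in actions and any_resource:
            findings.append(("HIGH", sid, "full admin: Action * on Resource *"))
            continue  # nothing more specific left to say about this statement
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        for action in wildcard_actions:
            findings.append(("HIGH", sid, f"service-wide wildcard action {action}"))
        for escalation in ESCALATION_ACTIONS:
            granted = any(_action_matches(a, escalation) for a in actions)
            if granted and any_resource and not conditioned:
                findings.append(("HIGH", sid,
                                 f"{escalation} on Resource * without a Condition"))
        if any_resource and not conditioned and not wildcard_actions:
            findings.append(("MEDIUM", sid,
                             "Resource * without a Condition; scope to ARNs or add one"))
    return findings


def may_merge(document, fail_on=("HIGH",)):
    """CI gate: True when no finding carries a blocking severity."""
    return not any(sev in fail_on for sev, _, _ in lint_policy(document))


# Constructed sample policies, not taken from any real account.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["ecs:UpdateService", "iam:PassRole"], "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow", "Action": "ecs:UpdateService",
     "Resource": "arn:aws:ecs:eu-west-1:123456789012:service/prod/*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ecsTaskRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("passrole", PASSROLE_POLICY),
                         ("scoped", SCOPED_POLICY)]:
        print(f"{name}: may merge = {may_merge(policy)}")
        for finding in lint_policy(policy):
            print("   ", *finding)
```

Run it over every policy file touched by a pull request and fail the job when `may_merge` returns False. The PASSROLE policy is the instructive case: `iam:PassRole` on Resource * lets a deployer hand any role, including admin ones, to a service, which is why the scoped version limits the role ARN and adds an `iam:PassedToService` condition.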
Level 3 - Advanced Maturity
Real-time access pattern monitoring
Continuous access analysis
Behavioral pattern recognition
Immediate anomaly detection
Automated anomaly detection
ML-based pattern analysis
Automated response to anomalies
Continuous learning and adjustment
Integration with DSPM (data security posture management) and CIEM (cloud infrastructure entitlement management) tools
Comprehensive security tooling
Unified visibility
Automated workflows
Semi-automated incident response
Automated initial response
Guided remediation
Learning from incidents
Comprehensive shared services strategy
Centralized service management
Cross-account access patterns
Standardized access controls
Advanced Access Analyzer policy refinement
Continuous policy optimization
Automated right-sizing
Regular effectiveness review
Our friends at Britive have made a Guide to Modern Cloud Privilege Access Management, which may be something to check out if you would like to know more about this space.
➡️ Link here ⬅️
🛠️ Technical Implementation Considerations
Implementation Tips for Success
Before you start building or refining your Cloud PAM, consider the following:
Start with clear objectives and metrics
Get early wins with critical services
Build automation from the beginning
Regular stakeholder communication
Continuous education and training
Regular review and refinement cycles
Cloud PAM Implementation Steps:
Here are the steps you should consider for your Cloud PAM implementation:
Step 1. Current Access Analysis and Refinement
Organization-level analysis
Enable organizational view in Access Analyzer
Configure multi-account scanning
Set up centralized findings collection
Implement cross-account reporting
Unused access identification
Regular scanning for dormant permissions
Automated reporting of unused roles
Historical access pattern analysis
Right-sizing recommendations
Policy recommendations
Automated policy generation
Least-privilege suggestions
Impact analysis of changes
Regular policy review cycles
Custom policy checks
Organization-specific guardrails
Industry compliance requirements
Best practice validations
Regular rule updates
Automated remediation suggestions
Policy right-sizing recommendations
Automated fix implementations
Change impact assessment
Rollback capabilities
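Step 1 asks for unused-access identification, right-sizing recommendations and policy recommendations, which is exactly what Access Analyzer's unused-access findings and "preview policy" produce. The script below is an added example written for this newsletter, not AWS or Access Analyzer code: it takes a role's current policy, a set of CloudTrail-style events and a tracking window, works out which allowed actions were actually exercised, reports the dormant ones, and emits the narrower policy a reviewer would see in the preview. The role name, the policy, the account id 123456789012 and the event records are constructed for the example; in production you would pull activity from CloudTrail Lake or the role's service-last-accessed data.

```python
"""Right-size a role's policy from what it actually did.

Added example written for this newsletter, not AWS or IAM Access Analyzer
code. It reproduces the idea behind Access Analyzer's unused-access
findings and its "preview policy": compare what a role may do with what
it did inside a tracking window, report dormant permissions, and emit a
narrower policy. The events below are constructed CloudTrail-style
records, not real logs.
"""
import fnmatch
from datetime import datetime, timedelta, timezone

TRACKING_PERIOD = timedelta(days=90)                        # assumed window
ROLE_ARN = "arn:aws:iam::123456789012:role/DeployRole"      # assumed role

# The role's current (too broad) policy. Constructed for the example.
CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Artifacts", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::build-artifacts/*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"},
]}


def _event(time, source, name, role=ROLE_ARN):
    """Build the subset of a CloudTrail record that this example reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role}}}}


# Constructed events: one from another role, one older than the window.
EVENTS = [
    _event("2024-05-02T10:00:00Z", "s3.amazonaws.com", "GetObject"),
    _event("2024-05-02T10:00:05Z", "s3.amazonaws.com", "PutObject"),
    _event("2024-05-02T10:01:00Z", "ecs.amazonaws.com", "UpdateService"),
    _event("2024-05-03T09:00:00Z", "s3.amazonaws.com", "GetObject",
           role="arn:aws:iam::123456789012:role/OtherRole"),
    _event("2023-12-01T08:00:00Z", "ecs.amazonaws.com", "DescribeServices"),
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the example


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _role_of(event):
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))


def action_of(event):
    """Approximate the IAM action as '<service prefix>:<eventName>'.

    True for most APIs but not all (some event names differ from the IAM
    action), which is one reason real tooling uses service-last-accessed data.
    """
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def used_actions(events, role_arn, now, period=TRACKING_PERIOD):
    """Actions the role called inside the tracking window."""
    since = now - period
    return {action_of(e) for e in events
            if _role_of(e) == role_arn and _parse_time(e["eventTime"]) >= since}


def last_used(events, role_arn):
    """Most recent activity for the role, or None if it never acted."""
    times = [_parse_time(e["eventTime"]) for e in events if _role_of(e) == role_arn]
    return max(times) if times else None


def right_size(policy, used):
    """Return (narrowed_policy, unused_action_patterns).

    Each allowed action pattern is replaced by the concrete actions observed
    matching it, so 'ecs:*' collapses to what was really called; patterns that
    nothing matched are reported as unused and dropped.
    """
    new_statements, unused = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)
            continue
        kept = set()
        for pattern in _as_list(stmt["Action"]):
            hits = {a for a in used if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            if hits:
                kept |= hits
            else:
                unused.append(pattern)
        if kept:
            new_statements.append({**stmt, "Action": sorted(kept)})
    return {**policy, "Statement": new_statements}, unused


if __name__ == "__main__":
    used = used_actions(EVENTS, ROLE_ARN, NOW)
    narrowed, unused = right_size(CURRENT_POLICY, used)
    print("used:", sorted(used), "| unused:", unused)
    print("last used:", last_used(EVENTS, ROLE_ARN))
    print("preview policy:", narrowed)
```

Two details matter when you build this for real: the `ecs:DescribeServices` call from outside the window does not count, so the window length is a policy decision, not a default; and a role whose `last_used` is None or older than the window is a candidate for removal, not just narrowing.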
"Access Analyzer is all about helping folks get to the right permissions. And so we do that in two ways. One is helping a central security team identify broad permissions, inspect their whole entire AWS environment, figure out where they need to go spend some time and attention. And then we are also investing in helping the developers get to the right answer earlier when it comes to permissions."
Step 2. Organization and Account Structure
Dedicated OU (organizational unit) placement
Strategic OU structure
Clear separation of concerns
Hierarchical access controls
Scalable organization design
Hybrid access patterns
On-premises integration
Cross-cloud connectivity
Consistent access controls
Unified monitoring
Cross-account access requirements
Role-based access control
Trust relationship management
Permission boundaries
Regular access reviews
Scalability design
Future growth accommodation
Performance considerations
Resource optimization
Cost management
"Think about where you want to be in three or four years and start organizing your accounts differently."
Step 3. Build Policy Management Strategy
Coarse-grained SCPs
Organization-wide guardrails
Account-level restrictions
Service access controls
Compliance enforcement
Access Analyzer policy previews
Impact assessment
Policy simulation
Change validation
Risk evaluation
Resource-specific policies
Granular access controls
Service-specific permissions
Resource tagging strategy
Regular policy reviews
VPC endpoint policies
Network access control
Service communication rules
Traffic flow management
Security group integration
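Step 3 opens with coarse-grained SCPs as organization-wide guardrails, and Level 1 calls for "prevention of high-risk actions". The block below is an added example written for this newsletter, not AWS code and not the SCPs of any featured organisation: an assumed baseline SCP (keep accounts in the organization, protect CloudTrail with a single break-glass carve-out, block the root user, pin regions) plus a small evaluator you can run offline to confirm the guardrails deny what you expect before attaching them. The `SecurityBreakGlass` and `DeveloperRole` role names, the approved regions and the account id 123456789012 are assumptions, and the evaluator is deliberately simplified: it handles only explicit Deny statements with the operators used here, treats `ArnLike` as plain wildcard matching, assumes the default FullAWSAccess SCP is attached, and does not walk the OU hierarchy.

```python
"""Baseline SCP guardrails plus a minimal evaluator to check them offline.

Added example written for this newsletter, not AWS code and not any
featured organisation's SCPs. The evaluator handles explicit Deny
statements with the condition operators used below; it assumes the
default FullAWSAccess SCP is attached, so anything not denied is left to
identity policies, and it does not model OU inheritance.
"""
import fnmatch

BREAK_GLASS = "arn:aws:iam::*:role/SecurityBreakGlass"   # assumed role name
APPROVED_REGIONS = ["us-east-1", "eu-west-1"]            # assumed

BASELINE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeavingOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Sid": "ProtectAuditTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"],
     "Resource": "*",
     # Carve-out: only the break-glass role may touch the trail.
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS}}},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
     # Global services are exempted, otherwise this would break IAM itself.
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                   "cloudfront:*", "route53:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
]}

# Operators whose sense is inverted; they are also true when the key is absent.
NEGATED_OPERATORS = {"StringNotEquals", "StringNotLike", "ArnNotLike", "ArnNotEquals"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """All operators and all keys must hold; values within one key are ORed.

    A positive operator on a key missing from the request context is false.
    A negated operator on a missing key is TRUE, which is how a
    'deny unless aws:PrincipalOrgID matches' SCP ends up denying AWS service
    principals that never carry that key.
    """
    for operator, pairs in condition.items():
        negated = operator in NEGATED_OPERATORS
        fuzzy = "Like" in operator
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            hit = any(_like(p, actual) if fuzzy else p == actual
                      for p in _as_list(expected))
            if hit == negated:
                return False
    return True


def _statement_covers(stmt, action, resource):
    """Does the statement's Action/NotAction and Resource apply to this call?"""
    if "NotAction" in stmt:
        action_hit = not any(_like(p.lower(), action.lower())
                             for p in _as_list(stmt["NotAction"]))
    else:
        action_hit = any(_like(p.lower(), action.lower())
                         for p in _as_list(stmt["Action"]))
    resource_hit = any(_like(p, resource) for p in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def denied_by(scp, action, context, resource="*"):
    """Sids of Deny statements that block `action` for this request context."""
    return [stmt["Sid"] for stmt in _as_list(scp["Statement"])
            if stmt.get("Effect") == "Deny"
            and _statement_covers(stmt, action, resource)
            and _condition_holds(stmt.get("Condition", {}), context)]


def developer(region="us-east-1"):
    """Constructed request context for an ordinary workload role."""
    return {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/DeveloperRole",
            "aws:RequestedRegion": region}


if __name__ == "__main__":
    root = {"aws:PrincipalArn": "arn:aws:iam::123456789012:root",
            "aws:RequestedRegion": "us-east-1"}
    for action, ctx in [("cloudtrail:StopLogging", developer()),
                        ("s3:ListAllMyBuckets", root),
                        ("ec2:RunInstances", developer("ap-southeast-2")),
                        ("iam:CreateRole", developer("ap-southeast-2"))]:
        print(action, "->", denied_by(BASELINE_SCP, action, ctx) or "not denied by SCP")
```

The missing-key behaviour in `_condition_holds` is the caveat worth keeping in mind when you write `StringNotEquals` or `ArnNotLike` guardrails: a request that carries no value for the key satisfies the negated condition and gets denied, so test each SCP against the service principals and cross-account callers you expect before attaching it to a production OU.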
"Now you can go to that finding and it will be like, okay, now I have all these broad permissions. What do I do? Oh, you can click on a button that says preview policy and you'll see the old policy that's broad and the new policy that has removed the actions that you didn't use."
Exception Handling
There are always going to be exceptions, so it's important to have a defined process for handling them.
"Being able to manage exceptions at scale is really important... We have all of our controls version controlled... If they want to request access, they can go make a pull request in those repos."
Documented exception process
Clear request procedures
Approval workflows
Time-bound exceptions
Regular reviews
Self-service workflow
Automated request system
Clear documentation
User-friendly interface
Quick turnaround times
Version-controlled policies
Change tracking
Audit history
Rollback capabilities
Compliance documentation
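The exception process above asks for approval workflows, time-bound exceptions and version-controlled policies, but a time bound that lives only in a ticket expires nothing. The block below is an added example written for this newsletter, not code from any featured expert or from Britive: it validates an exception request (separate approver, ticket and justification, explicit actions, a window inside an assumed 8-hour maximum) and turns it into a policy statement that is pinned to one principal and expires on its own through `aws:CurrentTime`, so an exception nobody remembers to revoke still stops working. The request fields, the limits, the role and trail names and the account id 123456789012 are assumptions.

```python
"""Turn an approved exception request into a self-expiring policy statement.

Added example written for this newsletter, not code from any featured
expert or from Britive. A request is accepted only with a separate
approver, a ticket, a justification and an expiry inside an assumed
maximum window; the emitted Allow statement is pinned to one principal
and dies through aws:CurrentTime, so it cannot outlive the exception.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=8)   # assumed maximum for a single exception
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class ExceptionRequest:
    ticket: str
    requester: str
    approver: str
    principal_arn: str
    actions: tuple
    resources: tuple
    justification: str
    starts_at: datetime
    expires_at: datetime


def validate(req, now):
    """Return the reasons the request must be rejected (empty list = OK)."""
    problems = []
    if not req.ticket or not req.justification.strip():
        problems.append("ticket and justification are required")
    if req.approver == req.requester:
        problems.append("approver must differ from requester")
    if req.expires_at <= req.starts_at:
        problems.append("expiry must be after start")
    elif req.expires_at - req.starts_at > MAX_WINDOW:
        problems.append(f"window exceeds maximum of {MAX_WINDOW}")
    if req.expires_at <= now:
        problems.append("request has already expired")
    if not req.actions or any(a == "*" or a.endswith(":*") for a in req.actions):
        problems.append("actions must be explicit, no wildcards")
    if not req.resources:
        problems.append("at least one resource ARN is required")
    return problems


def _stamp(moment):
    return moment.astimezone(timezone.utc).strftime(TIME_FORMAT)


def _parse(stamp):
    return datetime.strptime(stamp, TIME_FORMAT).replace(tzinfo=timezone.utc)


def to_statement(req):
    """Allow statement that only works for req.principal_arn inside the window."""
    return {
        "Sid": f"Exception{req.ticket.replace('-', '')}",  # Sids must be alphanumeric
        "Effect": "Allow",
        "Action": list(req.actions),
        "Resource": list(req.resources),
        "Condition": {
            "ArnEquals": {"aws:PrincipalArn": req.principal_arn},
            "DateGreaterThanEquals": {"aws:CurrentTime": _stamp(req.starts_at)},
            "DateLessThan": {"aws:CurrentTime": _stamp(req.expires_at)},
        },
    }


def is_active(statement, now):
    """Would this statement still grant anything at `now`?"""
    cond = statement["Condition"]
    start = _parse(cond["DateGreaterThanEquals"]["aws:CurrentTime"])
    end = _parse(cond["DateLessThan"]["aws:CurrentTime"])
    return start <= now < end


# Constructed requests for the example; names and ARNs are assumptions.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
GOOD = ExceptionRequest(
    ticket="SEC-1234", requester="alice", approver="bob",
    principal_arn="arn:aws:iam::123456789012:role/DeployRole",
    actions=("cloudtrail:UpdateTrail",),
    resources=("arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",),
    justification="rotate the trail's KMS key under change CHG-77",
    starts_at=NOW, expires_at=NOW + timedelta(hours=4))
BAD = ExceptionRequest(
    ticket="SEC-1235", requester="alice", approver="alice",
    principal_arn="arn:aws:iam::123456789012:role/DeployRole",
    actions=("cloudtrail:*",), resources=("*",), justification="need access",
    starts_at=NOW, expires_at=NOW + timedelta(days=2))

if __name__ == "__main__":
    print("GOOD problems:", validate(GOOD, NOW))
    print("BAD problems:", validate(BAD, NOW))
    statement = to_statement(GOOD)
    print(statement)
    print("active at +1h:", is_active(statement, NOW + timedelta(hours=1)),
          "| active at +5h:", is_active(statement, NOW + timedelta(hours=5)))
```

In the pull-request model the quote describes, `validate` is the check that runs on the exception file in CI and `to_statement` is what gets rendered into the policy. One subtlety if the exception is to an SCP Deny rather than an identity policy: conditions inside one statement are ANDed, so you cannot time-box a principal carve-out (`ArnNotLike`) in the same Deny statement; pair the carve-out with a second Deny that matches that principal with `ArnLike` and a `DateGreaterThan` on `aws:CurrentTime` at the expiry, using the same timestamps this code emits.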
💡 Pro Tips from Practitioners
Start Small, Think Big
Begin with critical services
Plan for scale
Build automation early
Regular review cycles
"Having your business partners on board is much of the battle."
Focus on Developer Experience
Integrate with existing tools
Automate common tasks
Clear documentation
Regular feedback loops
Measure and Iterate
Define clear metrics
Regular assessments
Continuous improvement
Stakeholder updates
🤖 Are you interested in learning Cybersecurity with/for AI ?
Then you should definitely check out our sister podcast, AI Cybersecurity Podcast, hosted by Ashish Rajan and Caleb Sima.
👩🏽💻Cloud Security Training from Practitioners!
Want to learn more about Cloud Security, or know someone who does? We've got you!
If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.
Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are also paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙
Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.
Peace!
Was this forwarded to you? You can sign up here if this was helpful for you.
Want to sponsor the next newsletter edition? Let's make it happen!