Privilege Access Management - What Cloud Security Peeps Need to know!

Privileged Access Management in Cloud is the blindside of your identity team but you can change that.

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter Topic is Cloud Privileged Access Management (continue reading)

Incase, this is your 1st Cloud Security Newsletter!
Welcome, we are a Weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast deep diving into top of mind topics in emerging technology to make sure collectively we feel confident securing things in this every changing world of Cloud, AI and whatever comes next.

Who else is here reading with you?
Ashish & Shilpi, from the weekly show Cloud Security Podcast, friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter. If you are reading this - thank you for supporting us and sharing with your friends who like to learn a new Cloud Security Topic from their industry peers every week.

This image was created by Dall-E

Cloud Security Topic of the Week 

Cloud Privileged Access Management

Welcome to this week's edition of the Cloud Security Newsletter! This week we are talking about Cloud Privileged Access Management (PAM), a critical aspect of modern cloud security that's evolving rapidly with the complexity of cloud environments.

This week's insights come from industry veterans who have implemented Privileged Access Management (PAM) at scale:

  • Tyler Warren (Lead CloudSecurity Engineer, USAA) - Leading security engineering efforts across public cloud at USAA

  • Brigid Johnson (Director, AWS Identity) - 10-year AWS identity veteran managing Access Analyzer and IAM solutions

  • Art Poghosyan (CEO, Britive) - With 20+ years in IAM, Art brings deep expertise in privilege management across cloud environments

📚 Definitions and Core Concepts

What is Privileged Access Management (PAM)?

In simple terms, PAM is a subset of Identity and Access Management (IAM) focused on managing and securing access for users with more permissions than a regular user to systems.

"PAM is this unique subset of IAM technologies in the domain that really focuses on the users and access that goes above and beyond the normal standard user, essentially admin level of access or privileged type of user... It usually correlates with higher risk of access as well."

Art Poghosyan

Cloud PAM vs Traditional PAM

Cloud PAM represents an evolution from traditional PAM, addressing unique cloud challenges:

Key differences Cloud vs Traditional PAM include:

  • 🔑 Focus on identity-based controls rather than just network perimeter that is seen in traditional PAM approach.

  • 🔄 Support for dynamic, temporary access in Cloud PAM

  • 🤖 Management of both human and non-human identities across your Cloud environments with the relevant cloud native context and scale.

  • 🌐 Scaled across Multi-cloud and multi-geographies in a dynamic fashion is now quicker to implement with Cloud PAM

"The acronym CPAM or CloudPAM is more popular now than it used to be. But essentially it is a little bit different from the traditional PAM definition because it's much broader in a sense. It does include a lot more of a broader set of technologies."

Art Poghosyan

👥 Practitioner's Perspective: Implementing Cloud PAM in Practice

🎯 Maturity Model for Cloud PAM Implementation

"We think of this as a lifecycle, …You set your permissions, you verify that they work, you verify they're not broad, and then you refine them further."

Brigid Johnson

Let's break down each maturity levels. You should be able to align yourself to perhaps one or more of the elements in each of the Levels. Each Level builds on the others and can be used as a starting point for potential gap you may need to fill with your Cloud PAM strategy.

I will be using AWS Cloud as an example here but these can be applied to any Cloud Provider.

Level 0 - Beginning State
  • No defined Cloud PAM strategy

    • Organizations operate without formal privileged access controls

    • Access is granted ad-hoc based on immediate needs

    • No standardization across teams or departments

  • Ad-hoc privilege management

    • Permissions are granted on request without formal process

    • No regular review of existing privileges

    • Multiple administrators granting access without coordination

  • Limited visibility into access patterns

    • No centralized logging of privilege usage

    • Unable to track who has what level of access

    • No monitoring of privilege escalation or unusual patterns

  • Basic AWS IAM usage

    • Simple IAM roles and policies

    • Limited use of AWS Organizations

    • No implementation of advanced features like SCPs

Level 1 - Baseline Maturity
  • Identified internal vs. external access boundaries

    • Clear definition of organizational boundaries

    • Documentation of approved access patterns

    • Initial implementation of network segmentation

  • Basic SCP implementation

    • Implementation of foundational guardrails

    • Prevention of high-risk actions

    • Basic account protection mechanisms

  • Focus on crown jewel services

    • Identification of critical data stores

    • Enhanced protection for sensitive services

    • Specific controls for high-value assets

  • Manual IR playbooks

    • Documented response procedures

    • Basic incident handling processes

    • Clear escalation paths

  • Basic IaC & CI/CD integration

    • Initial automation of security controls

    • Basic policy validation in pipelines

    • Simple compliance checks

  • Initial Access Analyzer implementation 

    • Basic configuration of Access Analyzer

    • Regular review of findings

    • Initial response to identified issues

Level 2 - Medium Maturity
  • Robust internal boundaries

    • Well-defined trust zones

    • Implemented least-privilege access

    • Regular boundary reviews

  • Expanded service coverage

    • Comprehensive service protection

    • Integration with multiple AWS services

    • Cross-account access controls

  • Enhanced detective controls

    • Advanced logging and monitoring

    • Automated alerting

    • Pattern analysis

  • Automated policy management 

    • Automated policy generation

    • Regular policy reviews

    • Dynamic policy updates

  • Integration with CI/CD pipelines

    • Automated security checks

    • Policy validation

    • Compliance verification

  • Regular Access Analyzer findings review

    • Scheduled reviews

    • Automated remediation

    • Trending analysis

Level 3 - Advanced Maturity
  • Real-time access pattern monitoring

    • Continuous access analysis

    • Behavioral pattern recognition

    • Immediate anomaly detection

  • Automated anomaly detection 

    • ML-based pattern analysis

    • Automated response to anomalies

    • Continuous learning and adjustment

  • Integration with DSPM/CIEM tools

    • Comprehensive security tooling

    • Unified visibility

    • Automated workflows

  • Semi-automated incident response

    • Automated initial response

    • Guided remediation

    • Learning from incidents

  • Comprehensive shared services strategy 

    • Centralized service management

    • Cross-account access patterns

    • Standardized access controls

  • Advanced Access Analyzer policy refinement

    • Continuous policy optimization

    • Automated right-sizing

    • Regular effectiveness review

Our friends at Britive have made a Guide to Modern Cloud Privilege Access Management, which maybe something to check out if you would like to more about this space.

➡️ Link here ⬅️

🛠️ Technical Implementation Considerations

Implementation Tips for Success

Before you start building/refining your Cloud PAM consider the following:

  1. Start with clear objectives and metrics

  2. Get early wins with critical services

  3. Build automation from the beginning

  4. Regular stakeholder communication

  5. Continuous education and training

  6. Regular review and refinement cycles

Cloud PAM Implementation Steps:

Here are the steps you should consider for your Cloud PAM implementation:

Step 1. Current Access Analysis and Refinement
  • Organization-level analysis

    • Enable organizational view in Access Analyzer

    • Configure multi-account scanning

    • Set up centralized findings collection

    • Implement cross-account reporting

  • Unused access identification

    • Regular scanning for dormant permissions

    • Automated reporting of unused roles

    • Historical access pattern analysis

    • Right-sizing recommendations

  • Policy recommendations

    • Automated policy generation

    • Least-privilege suggestions

    • Impact analysis of changes

    • Regular policy review cycles

  • Custom policy checks

    • Organization-specific guardrails

    • Industry compliance requirements

    • Best practice validations

    • Regular rule updates

  • Automated remediation suggestions

    • Policy right-sizing recommendations

    • Automated fix implementations

    • Change impact assessment

    • Rollback capabilities

"Access Analyzer is all about helping folks get to the right permissions. And so we do that in two ways. One is helping a central security team identify broad permissions, inspect their whole entire AWS environment, figure out where they need to go spend some time and attention. And then we are also investing in helping the developers get to the right answer earlier when it comes to permissions."

Brigid Johnson
Step 2. Is there a Shared Services Architecture in use?
  • Dedicated OU placement

    • Strategic OU structure

    • Clear separation of concerns

    • Hierarchical access controls

    • Scalable organization design

  • Hybrid access patterns

    • On-premises integration

    • Cross-cloud connectivity

    • Consistent access controls

    • Unified monitoring

  • Cross-account access requirements

    • Role-based access control

    • Trust relationship management

    • Permission boundaries

    • Regular access reviews

  • Scalability design

    • Future growth accommodation

    • Performance considerations

    • Resource optimization

    • Cost management

"Think about where you want to be in three or four years and start organizing your accounts differently."

Tyler Warren
Step 3. Build Policy Management Strategy
  • Coarse-grained SCPs

    • Organization-wide guardrails

    • Account-level restrictions

    • Service access controls

    • Compliance enforcement

  • Access Analyzer policy previews

    • Impact assessment

    • Policy simulation

    • Change validation

    • Risk evaluation

  • Resource-specific policies

    • Granular access controls

    • Service-specific permissions

    • Resource tagging strategy

    • Regular policy reviews

  • VPC endpoint policies

    • Network access control

    • Service communication rules

    • Traffic flow management

    • Security group integration

"Now you can go to that finding and it will be like, okay, now I have all these broad permissions. What do I do? Oh, you can click on a button that says preview policy and you'll see the old policy that's broad and the new policy that has removed the actions that you didn't use."

Brigid Johnson

Exception Handling

There are always going to be Exceptions so it’s important to know what to do for exceptions.

"Being able to manage exceptions at scale is really important... We have all of our controls version controlled... If they want to request access, they can go make a pull request in those repos."

Tyler Warren
  • Documented exception process

    • Clear request procedures

    • Approval workflows

    • Time-bound exceptions

    • Regular reviews

  • Self-service workflow

    • Automated request system

    • Clear documentation

    • User-friendly interface

    • Quick turnaround times

  • Version-controlled policies

    • Change tracking

    • Audit history

    • Rollback capabilities

    • Compliance documentation

💡 Pro Tips from Practitioners

  • Start Small, Think Big

    • Begin with critical services

    • Plan for scale

    • Build automation early

    • Regular review cycles

"Having your business partners on board is much of the battle."

Art Poghoshyan
  • Focus on Developer Experience 

    • Integrate with existing tools

    • Automate common tasks

    • Clear documentation

    • Regular feedback loops

  • Measure and Iterate

    • Define clear metrics

    • Regular assessments

    • Continuous improvement

    • Stakeholder updates

Our friends at Britive have made a Guide to Modern Cloud Privilege Access Management, which maybe something to check out if you would like to more about this space.

➡️ Link here ⬅️

🤖 Are you interested in learning Cybersecurity with/for AI ?

Then you should definitely checkout our sister podcast AI Cybersecurity Podcast that is hosted by Ashish Rajan and Caleb Sima.

👩🏽‍💻Cloud Security Training from Practitioners!

Want to learn more about Cloud Security or know someone who wants to, we got you !

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet. There are paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Was this forwarded to you? You can Sign up here, if this was helpful for you.

Want to sponsor the next newsletter edition! Lets make it happen