In Part I of Securing Privileged Access in IaaS we looked at various scenarios of when IaaS itself can be used to manage privileges versus when a third party Privileged Identity Management (PIM) solution is required.
Now, we’ll explore how existing PIM paradigms can miss new core security and management boundaries in the cloud.
In the cloud (public or private) there are many new credential types, authorization models, and proxy scenarios, because the consumption, compute, network perimeter, provisioning and security models are all completely new.
If you look at Infrastructure as a Service (IaaS), privileged access to the infrastructure means PIM must also manage and fully understand the following technologies for proper deployment and operation:
1) Subscription management
2) Billing management
3) Quota management
4) Host management
5) License management
6) Network management
7) Perimeter protection management
8) VPN management
9) Security management
10) And more…
Each of the above exposes web service interfaces (REST/JSON), PowerShell (on Azure), and a web site for remote management. The built-in privileged management of the existing infrastructure is very primitive, and credential management has become a major challenge for both the web access and the APIs.
Each cloud provider has its own native identity management system (e.g. Azure AD). Its identities can be discovered, and their credentials regularly rotated and checked out for use in a bastion environment (a web browser launched against the portal with the current credential supplied from secure storage), as well as for programmatic real-time access.
Here at Lieberman Software we use the native web service APIs to interact with cloud identities (AUTHN) that are necessary to provide access to the management interfaces of the cloud provider. The APIs for identity management, as well as graph interfaces (AUTHZ), provide access to delegation.
The interfaces are in a state of flux, with regular changes forcing integrators to update their integrations. Authentication is typically OAuth2 and OpenID. SAML is no longer considered a primary interface (SAML is now deprecated for authentication/authorization, with OAuth2 and per-vendor graph interfaces dominating).
Operating System Management
Once past the cloud management interfaces, managing the actual machines has its own set of challenges. When spun up, cloud-based systems are generated from fixed images, with the only elements of uniqueness being the root account credential, SSH key, and Windows administrator password.
In some cases the cloud vendor generates an initial credential, or provides a method for the customer to generate their own unique credential/key when instantiating their system. This process is driven via the web service interfaces as well as via the human-driven web portal.
Vendors such as Microsoft and Amazon take different approaches to who generates the initial credentials/keys: they may be generated by the PIM solution, a script, or the cloud provider. However, the privileged identity management solution will typically take over lifecycle management of the credential once the VM is running.
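As an added illustration (not Lieberman Software's code or any vendor's API), the following minimal model shows the hand-off described above: the provider- or script-generated initial credential is imported and immediately replaced, then rotated on schedule, on every check-in, and whenever a check-out lease lapses without check-in. Account names, secrets and times (in minutes) are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ManagedCredential:
    """Illustrative PIM model of one privileged account; times are minutes."""
    account: str
    secret: str
    rotated_at: int
    interval: int = 24 * 60                  # scheduled rotation period
    holder: Optional[str] = None             # operator holding the current check-out
    lease_end: Optional[int] = None
    history: list = field(default_factory=list)

    @classmethod
    def take_over(cls, account, provider_secret, now):
        # The provider- or script-generated value is used once to log in and
        # replace itself; it never stays the long-term secret.
        cred = cls(account, provider_secret, now)
        cred.rotate(now, "takeover of provider-generated credential")
        return cred

    def rotate(self, now, reason):
        self.secret = secrets.token_urlsafe(18)
        self.rotated_at = now
        self.history.append(reason)

    def check_out(self, user, now, ttl=60):
        # Exclusive lease: a live lease blocks others; a lapsed lease means the
        # value may have leaked from an unattended session, so rotate first.
        if self.holder is not None and now < self.lease_end:
            raise PermissionError(f"{self.account} is held by {self.holder}")
        if self.holder is not None:
            self.rotate(now, f"lease of {self.holder} expired")
        elif now - self.rotated_at >= self.interval:
            self.rotate(now, "scheduled rotation")
        self.holder, self.lease_end = user, now + ttl
        return self.secret

    def check_in(self, user, now):
        if user != self.holder:
            raise PermissionError("only the holder may check in")
        self.holder = self.lease_end = None
        self.rotate(now, f"check-in by {user}")  # the value the operator saw is now dead
```

The history list is what an auditor would expect the PIM store to record: every rotation carries the reason it happened.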
Network Management is Key
Management of each platform instance has unique challenges, since subscribers are responsible for network/port management. The initial creation of VM instances requires unique platform/network decisions as to how remote PIM management of the system is to be done.
In some cases, SSH may be reachable via direct port access or mapped port access. In other cases, clients will require a VPN to reach SSH surfaces and/or low-level RPC APIs such as Windows SMB/CIFS, as well as other protocols such as database ports for MySQL, Oracle, and Microsoft that may not be published, accessible or usable except via a VPN.
VPN management is a key element of PIM, since the VPN may exist as an on-demand service or as a permanent point-to-point connection between the corporate site and the cloud vendor. There are also special network paths, known as direct-connect, offered between co-location (co-lo) vendors/centers and cloud vendors such as Amazon and Microsoft. This last method of connection provides a very secure private path to the co-lo that is appropriate for extreme-scale hybrid cloud deployments.
In the managed services business, where the carrier also provides PIM as a service, the sealed environments of VMs hosted on behalf of customers have their own unique set of challenges. Solutions such as inserting remote access servers into each client environment (agents per client environment), VPN on demand, and Software Defined Network management are used.
The PIM tools may be located at the client, the service provider, or a third party, depending on the network model chosen. PIM products may need to be co-hosted in a client’s environment as a VM sharing a common network, or reached via appropriate tunneling on demand or via permanent connections.
Each piece of the IaaS puzzle has a PIM element that has not changed from its on-premises equivalent. Existing tools will work transparently if the cloud environment runs on the same network, or if all traffic from the existing network can flow transparently to the cloud environments (e.g. via permanent VPNs).
Speed and scalability, especially of discovery technologies, are a significant challenge due to the latency introduced by the remote nature of IaaS resources. Latency can be partially mitigated by minimizing remote discovery and tightly integrating deployment scripts with the management tools. Discovery VMs running locally on IaaS networks can achieve high-performance discovery and propagation of changes, but this requires n-tier distributed architectures, which are rare among PIM vendors.
Exploiting Cloud Advantages
The IaaS model has to be considered by its generational maturity. First-generation IaaS deployments mimic existing on-premises servers, seeking to reduce risk and costs via the cloud provider’s economies of scale and generally better DevOps and DevSecOps processes.
First-generation deployments achieve few benefits until the client moves to use IaaS as an elastic resource (2nd-generation IaaS). That step requires the client’s own DevOps and DevSecOps (PIM) operations to mature, in order to achieve scalability and security at extremely low cost, with breathtaking scalability on demand.
Cloud Application Level Management
The infrastructure deployed in the cloud generally evolves its identity management from on-premises LDAP directories associated with NTLM and Kerberos authentication. Existing vendor solutions work in this environment.
But the task of securing privileged access has extended to the management of the internal stack running on the cloud infrastructure. It also now encompasses the privileged access management and identity management of “born in the cloud” systems, as well as new and unique infrastructures that are just as important to secure, but don’t currently have much coverage in the PIM space.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.