The cloud continues to mature, and more and more organizations are migrating their IT infrastructures from on-premises to cloud-based environments. But despite the convenience of the cloud, questions about security in the cloud persist.
One of the biggest cloud security issues I see involves managing the powerful privileged identities that are prevalent in large cloud environments. Can IaaS (Infrastructure as a Service) itself manage some intrinsic privileges, or is a third-party Privileged Identity Management (PIM) solution required? And where do the two overlap?
To answer these questions let’s start by examining several different cases.
Case 1: Permanent VPN in place to the cloud, cloud assets inventoried to on-premises directories, IAM solutions treating cloud assets identically to on-premises
In the simplest case, a customer using IaaS would be unable to tell the difference between their on-premises systems and those in the cloud, with the exception of greater latency to systems in the cloud. Existing PIM solutions would work without any change.
In this scenario, the customer is seeking a reduction in capital expenses in return for recurring operating expenses. No other benefits accrue, and there are no significant new security risks, since the cloud exposes no public IP addresses (all traffic reaches the public cloud through the existing on-premises network interfaces).
Case 2: On-demand VPN (common) with IaaS solutions where a) not (all) cloud assets appear in the on-premises directories, or b) permanent VPN, but network segmentation in effect
This is a more typical IaaS deployment, where a client leverages the improved bandwidth of the cloud and uses network segmentation to isolate cloud assets from on-premises assets. In this scenario most existing PIM products will not work as-is, because of partial or full network isolation (in effect, DMZ-style restricted access), the lack of an on-premises inventory of cloud systems, and incompatible Identity and Access Management (IAM) systems.
Specialized work has to be done to give the PIM solution direct access via permanent or dynamic mapping/routing; alternatively, PIM instances must be pushed into the cloud environment(s), or the PIM solution itself must provide VPN-on-demand and/or SDN capabilities. Once the network access method is determined, the PIM solution must be capable of discovering the topology of the cloud assets and mapping them for access and permissions dynamically.
Case 3: Complete isolation of cloud and on-premises assets with potential synchronization of identities and/or federation
This scenario represents complete isolation of environments, where the cloud operates in a “born in the cloud” mode. IaaS is in effect, but the existing on-premises IAM and security boundaries are separate. For this mode of operation, the PIM solution must inventory the cloud assets and on-premises assets as separate sets of identities, networks and access control systems. This requires parallel discovery of both environments and operation with a variety of in-cloud and on-premises solutions. Some crossover between environments with common tools is possible if the PIM solution presents a single pane of glass for access and abstracts away the location of the assets.
In this mode, the PIM solution must have complete and parallel stacks for both cloud and on-premises, and must support multiple concurrent IAM systems. The components of the PIM solution may be deployed as completely separate silos of operation, or they can be centralized or compartmentalized, depending on the architecture of the solution. To achieve transparent single-pane-of-glass operation, the PIM solution may need to perform dynamic SDN, VPN on demand, or provide proxy technology to tunnel as necessary.
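The discovery-and-mapping step that Cases 2 and 3 require (reconcile what the on-premises directory knows with what cloud discovery finds, choose a reachable path for each asset, and surface the privileged accounts nobody has vaulted yet) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from any Lieberman Software product. The directory export, cloud inventory, subnets, account names and the three route labels ("direct", "vpn-on-demand", "cloud-proxy") are all constructed sample values; a real deployment would feed this from a directory query and the cloud provider's inventory API.

```python
"""Toy model of the discovery-and-mapping step described for Cases 2 and 3.

Added example, not code from the original article. It reconciles a constructed
on-premises directory export with a constructed cloud inventory, decides how a
PIM system can reach each cloud asset, and reports privileged accounts that are
not yet under management. All hostnames, addresses, segments and account names
are made-up sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudAsset:
    hostname: str
    private_ip: str
    segment: str                 # "shared": routable from on-prem; "isolated": segmented off
    has_public_ip: bool
    privileged_accounts: tuple   # local admin / root accounts found on the host


@dataclass(frozen=True)
class AccessPlan:
    hostname: str
    route: str                   # "direct", "vpn-on-demand" or "cloud-proxy"
    in_directory: bool           # does the on-prem directory know this host?
    unmanaged_accounts: tuple    # privileged accounts not in the PIM vault


# Constructed sample data: a directory export, the vault's current contents,
# and what cloud discovery returned.
DIRECTORY_HOSTS = {"fs01.corp.example", "db01.corp.example", "web01.cloud.example"}
MANAGED_ACCOUNTS = {("fs01.corp.example", "Administrator"),
                    ("web01.cloud.example", "Administrator")}
CLOUD_ASSETS = (
    CloudAsset("web01.cloud.example", "10.0.5.10", "shared", True, ("Administrator",)),
    CloudAsset("app02.cloud.example", "10.0.5.11", "shared", False, ("Administrator", "svc_deploy")),
    CloudAsset("db03.cloud.example", "172.16.9.4", "isolated", False, ("root",)),
)


def choose_route(asset: CloudAsset, vpn_mode: str) -> str:
    """Pick the network path the PIM system must use to reach one asset.

    vpn_mode is "permanent" (Case 1 / 2b), "on-demand" (Case 2a) or "none" (Case 3).
    """
    if vpn_mode == "none" or asset.segment == "isolated":
        # Segmented-off or fully separate environment: a PIM component has to
        # be pushed into the cloud and reached through a proxy or tunnel.
        return "cloud-proxy"
    if vpn_mode == "permanent":
        return "direct"          # behaves like an on-premises host
    return "vpn-on-demand"       # tunnel brought up per session


def build_access_plan(assets, directory_hosts, managed_accounts, vpn_mode):
    """Reconcile cloud discovery against the directory and the PIM vault."""
    plans = []
    for asset in assets:
        unmanaged = tuple(acct for acct in asset.privileged_accounts
                          if (asset.hostname, acct) not in managed_accounts)
        plans.append(AccessPlan(asset.hostname,
                                choose_route(asset, vpn_mode),
                                asset.hostname in directory_hosts,
                                unmanaged))
    return plans


def coverage_gaps(plans, assets):
    """Summarise what the PIM rollout still has to pick up."""
    return {
        # hosts the on-prem directory has never heard of (Case 2a symptom)
        "unknown_to_directory": [p.hostname for p in plans if not p.in_directory],
        # privileged accounts that exist on hosts but are not vaulted
        "unmanaged_accounts": [(p.hostname, a) for p in plans for a in p.unmanaged_accounts],
        # assets reachable from the Internet, unlike the Case 1 picture
        "publicly_exposed": [a.hostname for a in assets if a.has_public_ip],
        "routes": {p.hostname: p.route for p in plans},
    }


if __name__ == "__main__":
    for mode in ("permanent", "on-demand", "none"):
        plans = build_access_plan(CLOUD_ASSETS, DIRECTORY_HOSTS, MANAGED_ACCOUNTS, mode)
        print(mode, coverage_gaps(plans, CLOUD_ASSETS))
```

Running the script with the three VPN modes shows the same inventory mapped three different ways: under a permanent VPN the shared-segment hosts are reached directly and only the isolated database needs an in-cloud proxy, while with no VPN at all every asset must be handled by the cloud-side stack. The coverage report is the part worth keeping in a real rollout, since the two hosts the directory does not know about and the three unvaulted accounts are exactly the "lack of on-premises inventory" gap the text describes.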
Case 4: Cloud provider’s internal PIM operation
The cloud vendors themselves operate an internal PIM environment, necessary to achieve regulatory compliance across geographic jurisdictions (e.g. USA vs. EU) as well as across different public/private/government use cases. These use cases require provable and documented interactions between the host provider and the customers/governments involved.
From the provider's perspective, the infrastructure appears mostly on-premises. However, the daily operation of access control requires fully automated PIM at breathtaking scale, zero downtime, and the ability to withstand nation-state attacks. To achieve the outcomes required, heavily compartmentalized implementations are used, with technologies not typical of VC-based firms, due to the specialized nature and limited number of customers requiring extreme orchestration. Many technologies, such as bastions and agents, are not part of these environments, for both scalability and standardization reasons. The operating costs of the cloud providers require that the software used internally be extremely low-cost.
Case 5: Managed Security Providers
Some of the large ISPs also offer PIM as a service for managing the IaaS that they provide to their customers. This is yet another hybrid, where identity management follows many different paths, as does networking. In some cases, the provider will manage access via SDN configuration, agents, or separate instances of PIM per customer.
Depending on the business model, the size of the customer base, and the capabilities of the MSP, existing PIM solutions may be used as-is, or customized versions of existing solutions may be used. In some instances, the MSP may use highly orchestrated versions of PIM solutions.
In Part II of Securing Privileged Access in IaaS, we take a look at the new credential types, authorization models and proxy scenarios you must manage in the cloud versus on premises. We’ll also cover solutions to these challenges.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.