Scaling least-privilege access with Converged Access Management
Privileged Access Management (PAM) and Identity Governance and Administration (IGA) have existed for years. The rise in hybrid work and the move to Cloud and SaaS have led to “converging” several access management functions into integrated solutions. What is driving the importance of “Converged Access Management,” and what is at stake if you get it wrong? What attributes do you need to consider when deciding on a solution?
This blog discusses the market drivers causing the growth in the access management space and highlights the convergence in this space. Ultimately, the market drivers and risk factors are why you should be keenly aware of identifying the right solution for your organization. A well-architected access management solution allows your organization to adopt the latest technologies in Cloud and AI while supporting your current environments without compromising security and driving superior customer experiences.
Transitioning to Cloud, PaaS, and SaaS requires a new approach
While conducting work digitally has existed for decades, our collective digital transformation has recently experienced rapid advancement. Our demand for speed, agility, and innovation has resulted in the adoption of numerous cloud infrastructure providers, PaaS providers, SaaS applications, developer and management tools, analytics services, and security platforms. Serving as a central binding element, the Identity and Access Management (IAM) solution enables users to connect seamlessly. A well-designed IAM solution empowers users to conveniently and securely access all their resources, applications, machines, and technologies. This accelerated shift requires organizations to consider a different approach to access management.
- With the adoption of the Cloud, organizations are dealing with 10x the number of resources and permissions. Legacy Access Management solutions were built for the on-premises world and are just not cutting it, as they are not adapted for the cloud and are difficult to maintain — the attempts to retrofit these platforms leave gaps in coverage and expectations.
- Cloud IaaS, PaaS, and Identity providers have powerful IAM solutions and credential management capabilities that can be leveraged heavily to provide a unifying access infrastructure across disparate environments.
- Newer Access Management solutions are purely focused on SaaS resources and have taken a siloed approach that requires several products to be stitched together - such as SaaS governance, Cloud governance, PAM, and VPN solutions.
Organizations deal with over 40,000 cloud permissions; nearly 50% of these permissions are at high risk - from Microsoft 2021 State of Cloud Permissions Risks Report
What is required is a “Converged Access Management” (CAM) solution that leverages the Cloud IAM capabilities and brings together governance workflows with decentralized administration, least-privilege access with automated credential management, and secure access to cloud and on-premises resources with a great customer experience.
Modern security requires “Converged Access Management”
With the rapid transition to remote or hybrid work environments in recent years, the traditional security model centered on the network perimeter has become outdated. Identity is the new perimeter, and breaches that target identities and credentials have surged in number and sophistication. Organizations now require improved systems, protocols, and standards to protect their data. While privacy, security, and compliance regulations have become more stringent, the investment of time, resources, and finances to meet these standards and embrace a Zero Trust security model has also escalated. In essence, as digital strategies have accelerated, risks and associated costs have likewise increased, amplifying the importance of getting things right from the outset.
A Verizon Data Breach report found that 89% of web attacks are caused by credential abuse.
With the change in working environments, users demand seamless experiences with built-in security guardrails. Organizations walk a tight line in balancing security with seamless, convenient experiences. And they have to get it right the first time because the next best option is only a click away.
Too long have organizations been plagued with siloed solutions that have resulted in poor user experience, excessive permissions, long-term credentials that are often leaked, open security groups or VPN connections resulting in network-based attacks, and hidden privilege escalations that are outside security and audit processes.
High-risk permissions are continuing to rise, with more than 90% of identities using less than 5% of permissions granted - Microsoft 2021 State of Cloud Permissions Risks Report
Converged Access Management (CAM) addresses the requirements of the modern enterprise by bringing together identity governance workflows with key elements of privileged access management while leveraging cloud IAM and Secret Stores to store and maintain credentials. Such an approach allows an organization to truly realize a Zero-Trust security model that covers all its resources and assets under one roof without stitching multiple point solutions together.
Eliminate the chronic pain associated with access management
The pain experienced by organizations in managing access is a tangible and ongoing challenge. To illustrate this, let's explore a representative scenario involving a data scientist who needs to access a database for retrieving data, which will be used for further analysis. By walking through this access journey, we can better understand the complexities and issues that arise in the process.
Before (with existing solutions):
- Locating the resource (the database name) to establish a connection is not simple. Often, no centralized catalog is available that lists all the resources accessible to users.
- After identifying the desired resource, the user must request permission to access the database. This can be done by creating a ticket or contacting the relevant authority.
- The access request ticket is then sent to a centralized team responsible for reviewing and approving such requests. However, due to a high volume of tickets, the team often faces an overwhelming workload, leading to approvals being granted without sufficient contextual information.
- Once the request is approved, the data scientist must obtain the necessary access parameters (Fully Qualified Domain Name (FQDN), port number, username, and credentials) through the ticket, email communication, or relying on shared knowledge within the organization.
- To establish a connection, the user may need to establish a VPN connection to the cloud environment where the database is hosted. Prior authorization might be required to set up the VPN connection.
- A Privileged Access Management (PAM) solution is utilized to connect to the database. Depending on the security measures in place, there might be prerequisites for authorization before accessing the database.
- Once connected, the data scientist can access the database using the required credentials specific to that database.
- Upon completing the task, the user is responsible for closing the access request ticket. This closure prompts the administrator to manually revoke the user's access to the database, ensuring appropriate access management.
The process described above leads to a cumbersome user experience and places a significant manual burden on security administrators. Administrators become crucial chokepoints, overwhelmed by a high influx of tickets, often leading to mass approvals without comprehensive reviews. Consequently, this can result in granting excessive privileges to users and unintentional exposure of long-term credentials.
After (with a CAM solution):
- The data scientist locates the desired resource in a web catalog designed to access various resources. Using a convenient communication platform like Slack, the data scientist submits a request for time-limited access (e.g., 6 hours) to the database.
- The access request is intelligently routed to the respective database owner or authorized approver(s) for distributed approval. This decentralized approval process ensures the request is reviewed with adequate context and relevant information. Valid requests are approved, while any potentially risky or unauthorized access attempts can be flagged and denied.
- Once the access request is approved, the data scientist gains access to the necessary access parameters, such as credentials, from the web resource catalog. This centralized catalog serves as a repository for retrieving essential information, enabling a streamlined and convenient user experience. With the acquired access parameters, the data scientist can connect to the database using their preferred database client or tool without the need to VPN or connect to PAM products.
- After the time-bound access period expires, the converged access solution automatically handles the cleanup process without requiring manual intervention. A record of the access is maintained to ensure compliance with auditing requirements, providing a comprehensive trail for tracking and monitoring access activities.
The access lifecycle described above applies to various types of resources, including Cloud resources like AWS RDS and AWS S3, PaaS resources like Databricks or Snowflake, SaaS apps like Salesforce, and on-premises resources such as servers.
Organizations can leverage a Converged Access Management (CAM) solution to effectively implement and oversee least-privilege access on a large scale. By providing decentralized and automated Just-in-Time access workflows, CAM offers a user-centric experience that enhances overall security measures.
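The “After” flow above is easier to reason about as a small state machine: a request carries a time bound, it is routed to the resource owner rather than a central queue, approval mints a short-lived credential, the catalog hands out connection parameters only while the grant is live, and a scheduled cleanup revokes the grant without anyone closing a ticket. The following is an added example written for this post, not Ubyon’s code or API; the resource name, owner, endpoint, the 8-hour policy ceiling and the deterministic clock are all constructed for illustration.

```python
"""Minimal model of a just-in-time (JIT), time-bound access workflow.

Added example (not Ubyon's code). Everything here - the catalog entry,
the owner, the endpoint, the MAX_GRANT ceiling and the clock - is assumed
for illustration. Credentials are random tokens standing in for the
short-lived credentials a real cloud IAM or secrets manager would mint.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

MAX_GRANT = timedelta(hours=8)  # assumed policy ceiling on time-bound access


@dataclass
class Resource:
    name: str      # what the user searches for in the catalog
    kind: str
    owner: str     # the approver every request is routed to
    endpoint: str  # FQDN:port, revealed only after approval


@dataclass
class Grant:
    request_id: str
    user: str
    resource: str
    expires_at: datetime
    credential: str  # short-lived token, never a long-term password
    active: bool = True


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class JitAccessService:
    def __init__(self, catalog, clock):
        self.catalog = {r.name: r for r in catalog}
        self.clock = clock
        self.pending = {}  # request_id -> (user, resource, duration)
        self.grants = {}   # request_id -> Grant
        self.audit = []    # append-only trail for compliance reporting

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def request(self, user, resource, duration):
        """Step 1: the user asks for time-bound access to a catalog entry."""
        if resource not in self.catalog:
            raise KeyError(f"unknown resource {resource}")
        if duration > MAX_GRANT:  # over-long requests are denied, not silently capped
            self._log("denied", user=user, resource=resource, reason="duration exceeds policy")
            raise ValueError("requested duration exceeds policy ceiling")
        rid = secrets.token_hex(4)
        self.pending[rid] = (user, resource, duration)
        self._log("requested", request_id=rid, user=user, resource=resource,
                  approver=self.catalog[resource].owner, hours=duration / timedelta(hours=1))
        return rid

    def approve(self, request_id, approver):
        """Step 2: only the resource owner may approve; approval mints a short-lived credential."""
        user, resource, duration = self.pending[request_id]
        if approver != self.catalog[resource].owner:
            self._log("denied", request_id=request_id, reason=f"{approver} is not the owner")
            raise PermissionError("approver is not the resource owner")
        del self.pending[request_id]
        grant = Grant(request_id, user, resource, self.clock() + duration, secrets.token_urlsafe(24))
        self.grants[request_id] = grant
        self._log("approved", request_id=request_id, approver=approver,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def connection_parameters(self, user, resource):
        """Step 3: the catalog hands out endpoint + credential only while a grant is live."""
        for g in self.grants.values():
            if g.user == user and g.resource == resource and g.active and self.clock() < g.expires_at:
                r = self.catalog[resource]
                return {"endpoint": r.endpoint, "credential": g.credential, "expires_at": g.expires_at}
        return None

    def expire_grants(self):
        """Step 4: scheduled cleanup revokes expired grants; nobody has to close a ticket."""
        revoked = []
        for g in self.grants.values():
            if g.active and self.clock() >= g.expires_at:
                g.active = False
                revoked.append(g.request_id)
                self._log("revoked", request_id=g.request_id, user=g.user, resource=g.resource)
        return revoked


def demo():
    """Walks the data-scientist scenario (6-hour grant) and returns the service."""
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    svc = JitAccessService([Resource("analytics-db", "rds-postgres", "dba-lead",
                                     "analytics.example.internal:5432")], clock)
    rid = svc.request("alice", "analytics-db", timedelta(hours=6))
    svc.approve(rid, "dba-lead")
    params_while_live = svc.connection_parameters("alice", "analytics-db")
    clock.advance(timedelta(hours=6, minutes=1))
    svc.expire_grants()
    return svc, rid, params_while_live


if __name__ == "__main__":
    service, _, _ = demo()
    for entry in service.audit:
        print(entry)
```

Two design points carry over to a real deployment: the request is denied (and the denial recorded) when it exceeds the policy ceiling rather than being quietly truncated, and the approver check is against the catalog’s owner field, so a requester cannot approve their own access. In production the `credential` would be a cloud-IAM-issued short-lived token or a secrets-manager lease rather than a random string.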
Choose a cloud-native solution with broad integrations
When considering a Converged Access Management (CAM) solution, it is important to understand what it offers in terms of functional capabilities and integrations. Ubyon was built with an API-first architecture with an extensibility framework to connect to Cloud, PaaS, SaaS, and on-premises environments. Ubyon extends coverage to a diverse set of resources that sit behind firewalls by integrating a cloud-native identity-aware proxy service. The solution offers a rich policy engine to allow dynamic access policies tailored to resources, users, time-bound access, and more. Ubyon audits every access and can track interactive sessions.
Although there may be several desirable features, the primary emphasis lies on what is crucial. This discussion highlights essential attributes and their advantages and includes a few thought-provoking questions to assist you in assessing the significance of these attributes for your organization.
| Question to ask | Attribute and benefit |
| --- | --- |
| Are we moving towards Just-in-Time access? | Grant permissions only on demand with Just-in-Time access using an integrated approval workflow. |
| Can we right-size permissions by preventing over-permissive grants? | Entitlement management with time-bound access to prevent excessive permissions. |
| Does it integrate with my tech stack? | Integrate with your IdP, collaboration tools, and ticketing systems to streamline workflows. |
| Does it cover all my resources? | Broad coverage with one solution for cloud providers, Identity Providers, PaaS, and SaaS services. |
| Are resources accessed securely with identity-first access (SSO/MFA)? | Identity-based policies with SSO/MFA integration with your IdP. |
| Are we adopting short-term or auto-rotated credentials? | Use short-term credentials when possible and selectively use long-term credentials with Secrets Manager integrations. |
| Can we integrate with a Secrets Manager to manage long-term credentials? | Reduce security breaches and leaked credentials. |
| Are we using contextual reviews to improve the quality of approvals? | Contextual access reviews that aid superior and faster reviews. |
| Can I get visibility into all requests and approvals with session-level details? | Reports covering access reviews and session-level audits for privileged resources. |
| Can I speed up compliance audits? | Speed up compliance across all your environments. |
Ease of use
| Question to ask | Attribute and benefit |
| --- | --- |
| Can I centralize all resource-based policies? | Centralized management and governance for admins. |
| Can I move to self-serve administration by decentralizing administration? | Decentralize administration by delegating approvals to resource owners or team supervisors. |
| Do my users have a single place to find and access their resources? | Users have a single entry point to access all their resources. |
| Can I extend the platform with ease? | Automate and extend with no- or low-code options. |
Summary: Drive adoption of least-privilege access
Ubyon’s Converged Access Management allows organizations to adopt and scale least-privilege permissions across all Cloud, PaaS, SaaS, and on-premises environments.
- Drive adoption by providing automated guardrails with great user experience, avoiding excessive permission requests. Start small with one team or one environment and then scale operations over time.
- Right-size permissions and grant access with Just-in-Time access workflows that don’t burden your teams. This practice reduces the potential blast radius of attacks and of any credential leaks. Apply more scrutiny when reviewing the permissions that applications request and when deciding whether to grant them.
- Stop the spread by ensuring attackers cannot use excessive privileges to gain further access. When a principal asks for unnecessary permissions, the request is less likely to be approved, or is denied altogether. The best way to control damage is to prevent attackers from gaining elevated privileges that widen the scope of a compromise.
Striking the right balance between security and seamless engagement poses a significant challenge for organizations. But the right access management solution can help. Converged Access Management (CAM) is a crucial component that consolidates and simplifies access across diverse environments while maintaining robust security measures, ensuring the realization of least-privileged access.
To get started or to request a demo, please contact us.