Cloud Privileged Access Management

Welcome to this week's edition of the Cloud Security Newsletter! This week we are talking about Cloud Privileged Access Management (PAM), a critical aspect of modern cloud security that's evolving rapidly with the complexity of cloud environments.

🎤 Featured Experts This Week

This week's insights come from industry veterans who have implemented Privileged Access Management (PAM) at scale:

  • Tyler Warren (Lead Cloud Security Engineer, USAA) - Leading security engineering efforts across public cloud at USAA
  • Brigid Johnson (Director, AWS Identity) - 10-year AWS identity veteran managing Access Analyzer and IAM solutions
  • Art Poghosyan (CEO, Britive) - With 20+ years in IAM, Art brings deep expertise in privilege management across cloud environments

📚 Definitions and Core Concepts

What is Privileged Access Management (PAM)?

In simple terms, PAM is a subset of Identity and Access Management (IAM) focused on managing and securing the access of users who hold more permissions to systems than a regular user.

"PAM is this unique subset of IAM technologies in the domain that really focuses on the users and access that goes above and beyond the normal standard user, essentially admin level of access or privileged type of user... It usually correlates with higher risk of access as well." - Art Poghosyan

Cloud PAM vs Traditional PAM

Cloud PAM represents an evolution from traditional PAM, addressing challenges that are unique to the cloud.

Key differences between Cloud and Traditional PAM include:

  • 🔑 Focus on identity-based controls rather than just the network perimeter seen in the traditional PAM approach.
  • 🔄 Support for dynamic, temporary access in Cloud PAM.
  • 🤖 Management of both human and non-human identities across your cloud environments, with the relevant cloud-native context and scale.
  • 🌐 Dynamic scaling across multiple clouds and geographies, which is quicker to implement with Cloud PAM.

"The acronym CPAM or CloudPAM is more popular now than it used to be. But essentially it is a little bit different from the traditional PAM definition because it's much broader in a sense. It does include a lot more of a broader set of technologies." - Art Poghosyan

👥 Practitioner's Perspective: Implementing Cloud PAM in Practice

🎯 Maturity Model for Cloud PAM Implementation

"We think of this as a lifecycle, …You set your permissions, you verify that they work, you verify they're not broad, and then you refine them further." - Brigid Johnson

Let's break down each maturity level. You should be able to align yourself with one or more of the elements in each level. Each level builds on the previous one and can be used as a starting point for identifying the gaps you may need to fill in your Cloud PAM strategy.

I will be using AWS as the example here, but these levels can be applied to any cloud provider.

Level 0 - Beginning State

No defined Cloud PAM strategy

  • Organizations operate without formal privileged access controls
  • Access is granted ad-hoc based on immediate needs
  • No standardization across teams or departments

Ad-hoc privilege management

  • Permissions are granted on request without formal process
  • No regular review of existing privileges
  • Multiple administrators granting access without coordination

Limited visibility into access patterns

  • No centralized logging of privilege usage
  • Unable to track who has what level of access
  • No monitoring of privilege escalation or unusual patterns

Basic AWS IAM usage

  • Simple IAM roles and policies
  • Limited use of AWS Organizations
  • No implementation of advanced features like SCPs


Level 1 - Baseline Maturity

Identified internal vs. external access boundaries

  • Clear definition of organizational boundaries
  • Documentation of approved access patterns
  • Initial implementation of network segmentation

Basic SCP implementation

  • Implementation of foundational guardrails
  • Prevention of high-risk actions
  • Basic account protection mechanisms

Focus on crown jewel services

  • Identification of critical data stores
  • Enhanced protection for sensitive services
  • Specific controls for high-value assets

Manual IR playbooks

  • Documented response procedures
  • Basic incident handling processes
  • Clear escalation paths

Basic IaC & CI/CD integration

  • Initial automation of security controls
  • Basic policy validation in pipelines
  • Simple compliance checks

Initial Access Analyzer implementation

  • Basic configuration of Access Analyzer
  • Regular review of findings
  • Initial response to identified issues


Level 2 - Medium Maturity

Robust internal boundaries

  • Well-defined trust zones
  • Implemented least-privilege access
  • Regular boundary reviews

Expanded service coverage

  • Comprehensive service protection
  • Integration with multiple AWS services
  • Cross-account access controls

Enhanced detective controls

  • Advanced logging and monitoring
  • Automated alerting
  • Pattern analysis

Automated policy management

  • Automated policy generation
  • Regular policy reviews
  • Dynamic policy updates

Integration with CI/CD pipelines

  • Automated security checks
  • Policy validation
  • Compliance verification

Regular Access Analyzer findings review

  • Scheduled reviews
  • Automated remediation
  • Trending analysis


Level 3 - Advanced Maturity

Real-time access pattern monitoring

  • Continuous access analysis
  • Behavioral pattern recognition
  • Immediate anomaly detection

Automated anomaly detection

  • ML-based pattern analysis
  • Automated response to anomalies
  • Continuous learning and adjustment

Integration with DSPM/CIEM tools

  • Comprehensive security tooling
  • Unified visibility
  • Automated workflows

Semi-automated incident response

  • Automated initial response
  • Guided remediation
  • Learning from incidents

Comprehensive shared services strategy

  • Centralized service management
  • Cross-account access patterns
  • Standardized access controls

Advanced Access Analyzer policy refinement

  • Continuous policy optimization
  • Automated right-sizing
  • Regular effectiveness review


🛠️ Technical Implementation Considerations

Implementation Tips for Success

Before you start building or refining your Cloud PAM, consider the following:

  1. Start with clear objectives and metrics
  2. Get early wins with critical services
  3. Build automation from the beginning
  4. Communicate regularly with stakeholders
  5. Invest in continuous education and training
  6. Run regular review and refinement cycles


Cloud PAM Implementation Steps:

Here are the steps you should consider for your Cloud PAM implementation:

Step 1. Current Access Analysis and Refinement

Organization-level analysis

  • Enable organizational view in Access Analyzer
  • Configure multi-account scanning
  • Set up centralized findings collection
  • Implement cross-account reporting

Unused access identification

  • Regular scanning for dormant permissions
  • Automated reporting of unused roles
  • Historical access pattern analysis
  • Right-sizing recommendations

Policy recommendations

  • Automated policy generation
  • Least-privilege suggestions
  • Impact analysis of changes
  • Regular policy review cycles

Custom policy checks

  • Organization-specific guardrails
  • Industry compliance requirements
  • Best practice validations
  • Regular rule updates

Automated remediation suggestions

  • Policy right-sizing recommendations
  • Automated fix implementations
  • Change impact assessment
  • Rollback capabilities

"Access Analyzer is all about helping folks get to the right permissions. And so we do that in two ways. One is helping a central security team identify broad permissions, inspect their whole entire AWS environment, figure out where they need to go spend some time and attention. And then we are also investing in helping the developers get to the right answer earlier when it comes to permissions." - Brigid Johnson


Step 2. Is there a Shared Services Architecture in use?

Dedicated OU placement

  • Strategic OU structure
  • Clear separation of concerns
  • Hierarchical access controls
  • Scalable organization design

Hybrid access patterns

  • On-premises integration
  • Cross-cloud connectivity
  • Consistent access controls
  • Unified monitoring

Cross-account access requirements

  • Role-based access control
  • Trust relationship management
  • Permission boundaries
  • Regular access reviews

Scalability design

  • Future growth accommodation
  • Performance considerations
  • Resource optimization
  • Cost management

"Think about where you want to be in three or four years and start organizing your accounts differently." - Tyler Warren


Step 3. Build Policy Management Strategy

Coarse-grained SCPs

  • Organization-wide guardrails
  • Account-level restrictions
  • Service access controls
  • Compliance enforcement

Access Analyzer policy previews

  • Impact assessment
  • Policy simulation
  • Change validation
  • Risk evaluation

Resource-specific policies

  • Granular access controls
  • Service-specific permissions
  • Resource tagging strategy
  • Regular policy reviews

VPC endpoint policies

  • Network access control
  • Service communication rules
  • Traffic flow management
  • Security group integration

"Now you can go to that finding and it will be like, okay, now I have all these broad permissions. What do I do? Oh, you can click on a button that says preview policy and you'll see the old policy that's broad and the new policy that has removed the actions that you didn't use." - Brigid Johnson
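The right-sizing described under Step 1 (unused access identification, policy recommendations) and the "preview policy" view quoted above in Step 3 both come down to the same operation: remove the actions a finding reports as unused and show what changed. The following is an added example of that operation, not Access Analyzer's own code; the policy and the unused-permission records are constructed samples shaped like the service's per-service finding detail, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample: a broad identity policy a central team might surface
# during organization-level analysis (not a real customer policy).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:ListBucket"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kms:Decrypt", "kms:ScheduleKeyDeletion"]},
        {"Effect": "Allow", "Resource": "*", "Action": "iam:PassRole"},
    ],
}

# Constructed sample modelled on the per-service detail of an unused-permission
# finding: the service namespace and the actions never exercised in the window.
UNUSED_PERMISSIONS = [
    {"serviceNamespace": "s3", "actions": ["s3:DeleteBucket"]},
    {"serviceNamespace": "kms", "actions": ["kms:ScheduleKeyDeletion"]},
    {"serviceNamespace": "iam", "actions": ["iam:PassRole"]},
]

def _actions(stmt):
    """Normalise Action, which a policy may give as a string or a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]

def refine_policy(policy, unused):
    """Return a copy of `policy` with the reported unused actions removed.
    Statements left with no actions are dropped; the input is not mutated.
    Wildcard actions such as "s3:*" are kept as-is, since a single unused
    action does not tell us how to narrow a wildcard safely."""
    unused_actions = {a for entry in unused for a in entry["actions"]}
    refined = copy.deepcopy(policy)
    kept = []
    for stmt in refined["Statement"]:
        remaining = [a for a in _actions(stmt) if a not in unused_actions]
        if remaining:
            stmt["Action"] = remaining
            kept.append(stmt)
    refined["Statement"] = kept
    return refined

def preview_diff(old, new):
    """Sorted list of actions present in `old` but not in `new`, i.e. what a
    side-by-side preview of the broad and refined policy would highlight."""
    gather = lambda p: {a for s in p["Statement"] for a in _actions(s)}
    return sorted(gather(old) - gather(new))

if __name__ == "__main__":
    refined = refine_policy(BROAD_POLICY, UNUSED_PERMISSIONS)
    print(json.dumps(refined, indent=2))
    print("removed:", preview_diff(BROAD_POLICY, refined))
```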


Exception Handling

There are always going to be exceptions, so it's important to define in advance how they are requested, approved and retired.

"Being able to manage exceptions at scale is really important... We have all of our controls version controlled... If they want to request access, they can go make a pull request in those repos." - Tyler Warren

Documented exception process

  • Clear request procedures
  • Approval workflows
  • Time-bound exceptions
  • Regular reviews

Self-service workflow

  • Automated request system
  • Clear documentation
  • User-friendly interface
  • Quick turnaround times

Version-controlled policies

  • Change tracking
  • Audit history
  • Rollback capabilities
  • Compliance documentation
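One way to tie the coarse-grained SCP guardrails from Step 3 to the exception process above: keep the exception list in version control (changed only via pull request, as Tyler describes), give every entry an expiry, and render the SCP from it so expired exceptions fall out automatically. This is an added example, not USAA's or AWS's code; the guarded action list, the exception records, the account id and the function names are constructed for illustration.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample: high-risk actions an organization-wide SCP denies for
# every identity, whatever its identity policy allows (hypothetical list).
GUARDED_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "organizations:LeaveOrganization",
    "guardduty:DeleteDetector",
]

# Constructed sample: exception records as they might sit in a reviewed repo.
# Each one is time-bound, so an approved exception cannot linger silently.
EXCEPTIONS = [
    {"principal_arn": "arn:aws:iam::*:role/BreakGlassAdmin", "expires": "2099-01-01T00:00:00Z"},
    {"principal_arn": "arn:aws:iam::111122223333:role/MigrationTemp", "expires": "2024-01-01T00:00:00Z"},
]

def _parse_utc(iso_string):
    return datetime.fromisoformat(iso_string.replace("Z", "+00:00")).astimezone(timezone.utc)

def active_exceptions(exceptions, now_iso):
    """Keep only exceptions whose expiry is still in the future at `now_iso`."""
    now = _parse_utc(now_iso)
    return [e for e in exceptions if _parse_utc(e["expires"]) > now]

def render_scp(actions, exceptions, now_iso):
    """Render a Deny guardrail that exempts only still-valid exception principals
    via an ArnNotLike condition on aws:PrincipalARN."""
    stmt = {"Sid": "DenyHighRiskActions", "Effect": "Deny", "Action": list(actions), "Resource": "*"}
    exempt = [e["principal_arn"] for e in active_exceptions(exceptions, now_iso)]
    if exempt:
        stmt["Condition"] = {"ArnNotLike": {"aws:PrincipalARN": exempt}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def scp_denies(scp, action, principal_arn):
    """Simplified check of the rendered statement: wildcard match on the action,
    then ArnNotLike on the caller. Other condition operators are not modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue  # principal is on the active exception list
        return True
    return False
```

Re-rendering the SCP on every merge to the exceptions repo is what makes the expiry enforceable: the expired MigrationTemp entry is simply absent from the next deploy.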


💡 Pro Tips from Practitioners

Start Small, Think Big

  • Begin with critical services
  • Plan for scale
  • Build automation early
  • Regular review cycles

"Having your business partners on board is much of the battle." - Art Poghosyan

Focus on Developer Experience

  • Integrate with existing tools
  • Automate common tasks
  • Clear documentation
  • Regular feedback loops


Measure and Iterate

  • Define clear metrics
  • Regular assessments
  • Continuous improvement
  • Stakeholder updates


🔗 Related Resources

🔗 Related Podcast Episodes

  • Building Data Perimeter in Cloud in 2024
  • Streamlining AWS Cloud Access Controls for Human and Non Human Identities - AWS IAM Access Analyzer
  • Traditional PAM vs Cloud CPAM for a cloud first world

🤖 Are you interested in learning Cybersecurity with/for AI?

Then you should definitely check out our sister podcast, AI Cybersecurity Podcast, hosted by Ashish Rajan and Caleb Sima.


👩🏽💻 Cloud Security Training from Practitioners!

Want to learn more about Cloud Security, or know someone who does? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are also paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!


We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? If it was helpful, you can sign up here.

Want to sponsor the next newsletter edition? Let's make it happen.

Cloud PAM/IAM has become an intricate landscape, posing challenges even for those with intermediate cloud expertise. In AWS alone, permissions management includes two main methods for assigning permissions (identity policies and resource policies) and three mechanisms for restricting them (permission boundaries, SCPs, and session policies). Additionally, there are unique behaviors, such as those in KMS resource policies and special permissions tied to the root account. With the widespread adoption of multi-account strategies, many large organizations now manage thousands of cloud accounts, making IAM even more complex. In such an environment, one of the most critical yet often overlooked practices is runtime access analysis—essential for accurately identifying and mitigating access risks across the organization.

Patrick Welch

CRO | President | CEO | Board | Advisor

1mo

Cloud Privileged Access Management (PAM) is evolving quickly, responding to the dynamic demands of cloud environments where privileged access needs to be managed at scale across diverse teams and technologies. Art Poghosyan from Britive captures this shift well, noting, "PAM is this unique subset of IAM technologies that focuses on access that goes above and beyond the normal user, typically correlating with a higher risk." This perspective highlights the urgency of transitioning from traditional, static models to cloud-native PAM solutions that prioritize temporary, just-in-time access and multi-cloud scalability. Implementing Cloud PAM thoughtfully involves defining clear boundaries, integrating automation, and continually refining policies—a lifecycle approach emphasized by practitioners like Art. It’s crucial for organizations to align their PAM strategy with the fast-paced nature of the cloud to mitigate risk effectively and empower secure, agile operations. As more companies adopt multi-cloud infrastructures, having a robust, adaptable Cloud PAM solution will be essential to securing critical resources without inhibiting innovation.
