
Migrating Your Privileged Access Management (PAM) to the Cloud


Cloud migration is inevitable. And while moving data, virtual machines, and microservices to a cloud environment might seem relatively straightforward, the same cannot be said for migrating Privileged Access Management (PAM).


A PAM cloud migration poses a number of challenges, including reconciling legacy and cloud-based access control frameworks and configuring access control across a range of disparate services. At the same time, since few organizations migrate completely to the cloud, they must also keep managing access for legacy resources that do not run in the cloud.

The key to successfully migrating PAM from an on-prem environment to the cloud is a provisioning strategy that incorporates both access and visibility. Below, we’ll dig into what exactly that looks like.

Why migrate PAM to the cloud?

In both on-prem and cloud environments, privileged access management lets you assign defined access to critical resources based on the “privileges” associated with particular users or groups. Properly configured and managed, PAM keeps sensitive assets secure, by only allowing users to access the systems and data that they need. 

While most companies migrate PAM as part of broader infrastructure modernization strategies, migration can free up infrastructure resources devoted to the hosting and ongoing maintenance of a legacy solution. When moved to the cloud, PAM becomes more flexible, offering benefits, including:

  • Universal configurability: Cloud-based PAM solutions can be managed from any location with an Internet connection.
  • Scalability: A PAM solution hosted in the cloud can scale to fit environments of any size. Whether you have ten users to manage or ten thousand, the same solution should work.
  • High availability: Because cloud-based infrastructure minimizes service disruptions, PAM solutions that run in the cloud offer more uptime and therefore higher availability.
  • Potential for reduced costs: Most cloud PAM vendors provide pricing models that allow you to pay based on the services you need. This can lead to reduced costs depending on the vendor and specifications, although costs can also rise as your stack grows and you require different pricing tiers.
  • Automatic updates: Cloud PAM vendors handle updates, patches, and upgrades, reducing the effort required by the organization to maintain hardware and software.

These benefits help to explain why, as of 2018, 50 percent of organizations in the United States had deployed PAM solutions in cloud environments.

Challenges to PAM cloud migration

The lift-and-shift strategy so common to data migration isn’t necessarily the best fit for moving PAM from an on-prem to a cloud environment. In fact, PAM migration to the cloud presents some unique challenges that require a more sophisticated strategy. 

Here’s why: 

  • Different security models: Legacy PAM solutions that were designed first and foremost for on-premises environments handle security in a fundamentally different way from cloud-based, SaaS alternatives. The former lack continuous monitoring, for example, and the ability to trace interactions between different types of cloud services (such as virtual machines and serverless functions). Companies that adopt a lift-and-shift approach must therefore find ways to make their on-premises PAM solution cloud-aware, which will be difficult and (in all likelihood) expensive.
  • Shared cloud accounts: In public cloud environments, a single cloud account is often shared by multiple employees within an organization. This makes access requests and activity more difficult to track on a per-user basis. It also complicates efforts to translate on-premises access control policies into cloud environments, and to assign access privileges on a granular basis. At the same time, because cloud-based resources are typically shared by large groups, it entails a steep increase in the volume of users to manage.
  • Risk of standing privileges: It can be difficult in the cloud for admins to avoid the temptation of configuring “standing privileges,” that is, assigning access privileges on an ongoing basis. Standing privileges are easier to manage because admins have to configure them only once. They are also easier to reproduce because the same configurations can be copied from one environment to another. Nonetheless, standing privileges pose a risk because they give users unlimited access, even in cases where they need access only at certain times.
  • Configuring multiple cloud services: Cloud environments are typically composed of multiple types of cloud services, such as virtual machines, storage, and containers. PAM needs to be configured independently for each type of service. This configuration burden means that it may take months to set up PAM when migrating to the cloud, especially when relying on legacy PAM solutions that can’t be configured natively for cloud environments.
  • Administrative strain: From manually setting up new users to rotating credentials when users are offboarded, PAM solutions can create a mass of administrative tasks for sysadmins and database admins. Manual management can result in inefficiencies, including account credentials stored in spreadsheets, idle provisioned accounts, and a multi-step onboarding process.

Provisioning Access With a Single Control Plane

Because of the challenges discussed above, PAM is not well-suited to the needs of organizations that have migrated to the cloud. A better strategy is to choose an access control solution that offers an alternative to PAM by provisioning access for all users, not just privileged accounts, through a single control plane. A control plane is a SaaS solution that centralizes access granting and auditing for any on-premises or cloud-based firewalled resource. Retaining benefits such as access from anywhere, high availability, and scalability, a control plane helps you move beyond privileged access to access for everyone:

  • Manage access for all users. PAM provides access only to privileged users, such as those who serve as admins. A control plane, in contrast, can manage access for all users. This approach is preferable in cloud environments where normal users require controlled access to resources.
  • Provision access in fewer steps. With cloud PAM, you’ll need to set up your solution within each individual server and database, and then, for each new hire, provision database credentials, SSH keys, and VPN passwords. A control plane eliminates this entirely. By integrating with any identity provider, it collapses all access for SSH, RDP, etc. into a single centralized point. With permissions for databases, servers, and applications centralized, onboarding and offboarding can be done from one interface.
  • Enable role-based access. No one needs constant, unfettered access. The built-in user and role management within the StrongDM admin allows you to give each user the correct level of access for the correct amount of time. In this way, you can configure access with as much granularity as you need, while avoiding standing privileges that can lead to loss of system integrity. 
  • Audit logs and auditing strategy. Automated audit trails cover your entire infrastructure, giving you the ability to log every permission change, database query, SSH and kubectl command. With StrongDM you can standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Offboarding. With StrongDM, there’s no need to rotate credentials and update passwords when a user is offboarded. From the control plane, you can suspend SSO access once to revoke all database and server access. 
  • Remote work access and contractor access. Most companies have a large roster of vendors and contractors who need varying levels of access to complete tasks. From a control plane, you can see exactly what they have access to, offboard them when their work is complete, and ensure you are in accordance with compliance requirements. 
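To make the “standing privileges” risk and the control-plane bullets above concrete, here is an added toy model (not StrongDM’s code or API; all names are hypothetical): roles bundle resources, every grant carries an optional expiry, an audit check flags grants that never expire, and suspending a user at the identity provider revokes everything in one step. Times are plain Unix timestamps to keep the example small.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample roles (hypothetical resource names).
ROLES = {
    "dba": {"postgres-prod", "mysql-analytics"},
    "sre": {"ssh-web-01", "k8s-prod"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires_at: Optional[int]  # None = standing privilege, never expires

@dataclass
class ControlPlane:
    grants: list = field(default_factory=list)
    suspended: set = field(default_factory=set)   # users revoked at the IdP

    def grant(self, user, role, now, ttl=None):
        """Just-in-time grant when ttl (seconds) is given; standing when None."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.grants.append(Grant(user, role, now + ttl if ttl is not None else None))

    def can_access(self, user, resource, now):
        """Allowed only if the user is not suspended and holds an unexpired
        grant whose role covers the resource."""
        if user in self.suspended:
            return False
        return any(resource in ROLES[g.role]
                   and (g.expires_at is None or now < g.expires_at)
                   for g in self.grants if g.user == user)

    def standing_privileges(self):
        """Audit check: grants that never expire, the risk the post warns about."""
        return [(g.user, g.role) for g in self.grants if g.expires_at is None]

    def suspend(self, user):
        """Offboarding: one action at the control plane revokes all access,
        with no per-server or per-database credential rotation."""
        self.suspended.add(user)

if __name__ == "__main__":
    cp = ControlPlane()
    cp.grant("alice", "dba", now=1000, ttl=7200)   # two-hour JIT grant
    cp.grant("bob", "sre", now=1000)               # standing privilege
    print(cp.can_access("alice", "postgres-prod", 2000), cp.can_access("alice", "postgres-prod", 9000))
    print(cp.standing_privileges())
```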

The value of a single control plane is even greater if you’re among the 58 percent of companies with a hybrid cloud model, which entails using on-premises infrastructure and the cloud at the same time. With a single control plane, you can manage privileged access for all parts of your infrastructure, on any type of operating system or directory service, without having to juggle multiple PAM solutions, spend months setting up your configurations, or struggle to shoehorn legacy PAM tools into a cloud architecture.

Simplifying your cloud PAM migration with StrongDM

Virtually every organization today is using the cloud in one way or another. Traditional PAM solutions are ill-equipped to address the access-management needs of cloud environments, which require role-based access management for all users, not just those with privileged roles. StrongDM’s control plane provides flexible, centralized and easily auditable access management for the cloud.

See for yourself with a free, 14-day StrongDM trial.

To learn more on how StrongDM helps companies with managing permissions, make sure to check out our Managing Permissions Use Case.


About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
