<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Close icon
Search bar icon

What Is Cloud PAM? Migration, Challenges & More

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Cloud migration is inevitable. And while moving data, virtual machines, and microservices to a cloud environment might seem relatively straightforward, the same cannot be said for migrating Privileged Access Management (PAM)

A PAM cloud migration poses a number of challenges, including reconciling legacy and cloud-based access control frameworks and configuring access control among a range of disparate services. At the same time, since few migrate completely to the cloud, organizations must manage access for legacy resources not running in the cloud.

The key to successfully migrating PAM from an on-prem environment to the cloud is a provisioning strategy that incorporates both access and visibility. Below, we’ll dig into what exactly that looks like.

What Is Cloud Privileged Access Management (PAM)?

Cloud Privileged Access Management (PAM) is a security framework designed for safeguarding critical data in cloud environments. It focuses on controlling and monitoring access to privileged accounts, ensuring that only authorized individuals have entry. This helps mitigate the risk of unauthorized actions and enhances overall cloud security.

Why Migrate PAM to the Cloud?

In both on-prem and cloud environments, privileged access management lets you assign defined access to critical resources based on the “privileges” associated with particular users or groups. Properly configured and managed, PAM keeps sensitive assets secure, by only allowing users to access the systems and data that they need. 

⚠️ Traditional PAM deployments have gaps. Learn how to protect your databases, the cloud, Kubernetes, and more with our legacy PAM augmentation guide.

While most companies migrate PAM as part of broader infrastructure modernization strategies, migration can free up infrastructure resources devoted to the hosting and ongoing maintenance of a legacy solution. When moved to the cloud, PAM becomes more flexible, offering benefits, including:

  • Universal configurability: Cloud-based PAM solutions can be managed from any location with an Internet connection.
  • Scalability: A PAM solution hosted in the cloud can scale to fit environments of any size. Whether you have ten users to manage or ten thousand, the same solution should work.
  • High availability: Because cloud-based infrastructure offers minimum service disruptions, PAM solutions that run in the cloud offer more uptime and, therefore, higher availability
  • Potential for reduced costs: Most cloud PAM vendors provide pricing models that allow you to pay based on the services you need. This can lead to reduced costs depending on the vendor and specifications, it can also as your stack grows and you require different pricing tiers. 
  • Automatic updates: Cloud PAM vendors handle updates, patches, upgrades, reducing the effort required by the organization to maintain hardware and software. 

These benefits help to explain why, as of 2018, 50 percent of organizations in the United States had deployed PAM solutions in cloud environments.


Challenges to PAM Cloud Migration

The lift-and-shift strategy so common to data migration isn’t necessarily the best fit for moving PAM from an on-prem to a cloud environment. In fact, PAM migration to the cloud presents some unique challenges that require a more sophisticated strategy. 

Here’s why: 

  • Different security models: Legacy PAM solutions that were designed first and foremost for on-premises environments handle security in a fundamentally different way from cloud-based, SaaS alternatives. The former lack continuous monitoring, for example, and the ability to trace interactions between different types of cloud services (such as virtual machines and serverless functions). Companies that adopt a lift-and-shift approach must therefore find ways to make their on-premises PAM solution cloud-aware, which will be difficult and (in all likelihood) expensive.
  • Shared cloud accounts: In public cloud environments, a single cloud account is often shared by multiple employees within an organization. This makes access requests and activity more difficult to track on a per-user basis. It also complicates efforts to translate on-premises access control policies into cloud environments, and to assign access privileges on a granular basis. At the same time, because cloud-based resources are typically shared by large groups, it entails a steep increase in the volume of users to manage.
  • Configuring multiple cloud services: Cloud environments are typically composed of multiple types of cloud services, such as virtual machines, storage and containers. PAM needs to be configured independently for each type of service. This configuration burden means that it may take months to set up PAM when migrating to the cloud, especially when relying on legacy PAM solutions that can’t be configured natively for cloud environments.
  • Administrative strain. From manually setting up new users to rotating credentials when new users are offboarded, PAM solutions can create a mass of administrative tasks for sysadmins and database admins. Manual management can result in inefficiencies, including account credentials stored in spreadsheets, idle provisioned accounts, and a multi-step onboarding process.

Provisioning Access With a Single Control Plane

Because of the challenges discussed above, PAM is not well-suited to the needs of organizations that have migrated to the cloud. A better strategy is to choose an access control solution that offers an alternative to PAM by provisioning access for all users, not just privileged accounts, through a single control plane. A control plane is a SaaS solution that centralizes access granting and auditing for any on-premises or cloud-based firewalled resource. Retaining benefits such as access from anywhere, high availability, and scalability, a control plane helps you move beyond privileged access to access for everyone:

  • Manage access for all users. PAM provides access only to privileged users, such as those who serve as admins. A control plane, in contrast, can manage access for all users. This approach is preferable in cloud environments where normal users require controlled access to resources.
  • Provision access in fewer steps. With cloud PAM, you’ll need to set up your solution within each individual server and database, and then, for each new hire, provision database credentials, ssh keys, and VPN passwords. A control plane eliminates this entirely. By integrating with any identity provider, it collapses all access for SSH, RDP, etc. into a single centralized point. With permissions databases and servers and applications centralized, onboarding and offboarding can be done from one interface.
  • Enable role-based access. No one needs constant, unfettered access. The built-in user and role management within the StrongDM admin allows you to give each user the correct level of access for the correct amount of time. In this way, you can configure access with as much granularity as you need, while avoiding standing privileges that can lead to loss of system integrity. 
  • Audit logs and auditing strategy. Automated audit trails cover your entire infrastructure, giving you the ability to log every permission change, database query, SSH and kubectl command. With StrongDM you can standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Offboarding. With StrongDM, there’s no need to rotate credentials and update passwords when a user is offboarded. From the control plane, you can suspend SSO access once to revoke all database and server access. 
  • Remote work access and contractor access. Most companies have a large roster of vendors and contractors who need varying levels of access to complete tasks. From a control plane, you can see exactly what they have access to, offboard them when their work is complete, and ensure you are in accordance with compliance requirements. 

The value of a single control plane is even greater if you’re among the 58 percent of companies with a hybrid cloud model, which entails using on-premises infrastructure and the cloud at the same time. With a single control plane, you can manage privileged access for all parts of your infrastructure -- and on any type of operating system or directory service -- without having to juggle multiple PAM solutions, spend months setting up your configurations, or struggling to shoehorn legacy PAM tools to fit a cloud architecture.

Simplifying Your Cloud PAM Migration with StrongDM

Virtually every organization today is using the cloud in one way or another. Traditional PAM solutions are ill-equipped to address the access-management needs of cloud environments, which require role-based access management for all users, not just those with privileged roles. StrongDM’s control plane provides flexible, centralized and easily auditable access management for the cloud.

See for yourself with a free, 14-day StrongDM trial.

Learn more about how StrongDM helps organizations with an enterprise-ready Cloud PAM solution.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

PAM Was Dead. StrongDM Just Brought it Back to Life.
PAM Was Dead. StrongDM Just Brought it Back to Life.
In essence, legacy PAM solutions over-index on access. StrongDM uses the principles of Zero Trust to evaluate and govern every action, no matter how minor - where each command, query, or configuration change is evaluated in real-time against dynamic policies that adapt to the context of the user, the sensitivity of the action, and the prevailing threat landscape.
Privileged Access in the Age of Cloud Authentication & Ephemeral Credentials
Privileged Access in the Age of Cloud Authentication & Ephemeral Credentials
The way that people work continues to evolve, and as a result, so do the ways that they must authenticate into their organization’s resources and systems. Where once you simply had to be hardwired into the local office network, now you must expand your perimeter to include remote and hybrid workforces, on-prem and cloud environments, and take into account a growing list of factors that impact how and where people access critical company resources.
9 Privileged Access Management Best Practices
9 Privileged Access Management Best Practices
Understanding the pillars of access control and following best practices for PAM gives you a roadmap to an implementation that is secure and comprehensive with no security gaps. This article contains nine essential privileged access management best practices recommended by our skilled and experienced identity and access management (IAM) experts.
Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) is the systematic control and oversight of vendor access to an organization's systems, applications, and data. It involves processes such as onboarding and offboarding vendors, utilizing solutions for Just-in-Time access, ensuring security, and streamlining workflows to minimize operational inefficiencies.
How to Meet NYDFS Section 500.7 Amendment Requirements
How to Meet NYDFS Section 500.7 Amendment Requirements
The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector.