Virtualization Technology News and Information
Extending Privileged Identity Management To The Cloud

A Contributed Article by Dale R. Gardner, Director of Product Marketing, Xceedium

In working with customers and prospects moving to the cloud, Xceedium finds approximately 80 percent of organizations attempting to re-use privileged identity management solutions from their existing physical environments encounter problems. They quickly learn these solutions, designed for relatively static data center environments, lack the complete set of controls needed to manage privileged users in the cloud, as well as the flexible, scalable architecture the cloud demands.

Efforts to simply migrate existing privileged identity management offerings to hybrid-cloud environments result in a number of issues. These traditional solutions aren't built to gracefully adapt to the dynamic nature of the cloud and, as a consequence, slow administration and management efforts. That imposes an unacceptable drag on operations, minimizing, if not outright eliminating, one of the principal benefits of the cloud. The lack of appropriate and complete controls leaves sensitive cloud-based applications and systems open to compromise and misuse. And inflexible deployment options increase costs and constrain security architectures.

In working with different types of organizations moving to the cloud, as well as in concert with virtualization and cloud providers like VMware and Amazon Web Services, Xceedium has identified five essential capabilities critical to delivering next-generation privileged identity management in emerging hybrid-cloud computing environments.

Establish a Single Point of Control

Even in traditional data centers, the task of establishing, and enforcing, a single, consistent set of controls over privileged users can be challenging. Various operational groups, each overseeing different technology silos, can implement their own version of controls. Even with time-consuming and expensive auditing and administrative processes, the actual controls enforced across the environment can vary.

Inconsistent controls can lead to breaches of inadequately protected resources, and potential compliance and audit failures. Even in a perfectly maintained environment, proving compliance with standards can be difficult since reports and information must be retrieved from across an organization.

Move such an approach to the cloud, which increases the number of existing systems as well as adding new platforms and technologies to control, and it's easy to see how a tenuous grasp on controls can rapidly slip away. This reality tends to favor comprehensive, cross-platform privileged identity management solutions, as they consolidate identity and authority in a single location, where they're easier to monitor, manage, and control.

The requirement for cross-platform support operates along a couple of different vectors. First, it's helpful to cover the broadest possible range of systems: all types of servers, rather than just Linux or Windows, for example. That list also expands to encompass database management systems, networking equipment like routers and switches, and specialized applications and systems. Second, it's also essential to provide support for new technology infrastructure platforms, such as virtualization and the cloud. There are a couple of different aspects to that requirement; we'll return to them below, but for the moment the key point to keep in mind is the need to protect the underlying management consoles for virtual and cloud platforms. These powerful management facilities offer the ability to fundamentally alter an organization's computing infrastructure with next to no effort, and thus represent an important new attack vector.

Run Anywhere/Manage Anywhere

Flexibility is the sine qua non of the hybrid cloud. Many organizations first look at the cloud from a straightforward cost perspective, undoubtedly attractive in its own right. But the flexibility of the hybrid cloud promises innovation and completely new capabilities that will eventually dwarf operational and capital savings as a benefit.

Maintaining that flexibility imposes two demands on privileged identity management solutions.

The first is the ability to support native installations of the privileged identity management system across the whole of the hybrid cloud. The primary issue here is speed of deployment, and the resulting impact on operational costs and "time-to-protection." Traditionally, vendors have supplied privileged identity management solutions in one of two, and sometimes both, form factors: a standard rack-mount physical server, or software. Both approaches offer pluses and minuses.

At Xceedium, we've favored the hardware appliance approach. We believe the alternative (specifying, ordering, configuring, and building a dedicated device) is expensive and time-consuming, and adds an ongoing maintenance burden. However, the flexibility and configurability of a "roll-your-own" approach is attractive to some organizations, tipping the scales. A dedicated appliance, in contrast, can be optimized by the vendor for both security and operations. In moving to the cloud, our customers demanded we continue to provide an appliance-based offering. As a result, we now offer pre-configured virtual appliances (in OVF-compliant format for VMware, and as an Amazon Machine Image (AMI) for Amazon's cloud).

The second factor here is the choice of from where to manage privileged users in the overall environment. Some groups may believe the physical security and integrity of the traditional data center make the most sense. Others have come to believe the tightly locked down data centers of cloud providers offer a superior base for operations. Regardless of an organization's choice or policies, the privileged identity management system must be able to operate from the selected platform, with complete visibility and control over the remainder of the hybrid cloud. Many standalone solutions, focused on supporting specific platforms, fail to provide that comprehensive visibility.

Keep Pace With Dynamic, Highly-Scalable Hybrid Cloud Environments

We've established flexibility as an essential attribute of the hybrid cloud, and dynamism is its corollary attribute. The cloud moves fast, and that's a significant advantage. Today, many deployments of applications to the cloud are wholesale movements of apps, intended to leverage cost savings. The cloud or virtualized platforms are also the first choice for many new development projects, for example new "big data" analytics applications that were cost prohibitive or even impossible with old technology, or massive content and data sharing systems that were particularly difficult to scale globally. We are also seeing dynamic arrangements where, for example, some base level of processing is maintained in a traditional data center. Peak demands for processing power are accommodated by the rapid deployment of additional systems into the hybrid cloud. We can anticipate a time when workloads are even more fluid, moving from one environment to another in response to operational considerations such as the availability of bandwidth, processing cycles, or power.

In such a dynamic environment, it is crucial that a privileged identity management system be able to keep pace with the underlying infrastructure. Designed in a simpler time, most traditional Privileged Identity Management (PIM) offerings require manual definitions of protected systems. In these rapidly changing environments, schemes that require administrators to chase emerging systems, with hands on keyboards to configure new policies, are doomed to failure. There's just no way to keep up: systems will operate unprotected, and security incidents and compliance and audit failures will inevitably follow.

As Xceedium worked with platform vendors like Amazon and VMware, care was taken to ensure emergent systems could be automatically identified, assigned to appropriate policy groups, and have the appropriate policies established and enforced. This all happens programmatically, via recognized APIs, at machine speeds. It's the only feasible means of keeping pace.
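As an added illustration (not Xceedium's code, and not any cloud platform's real API), the discovery-and-policy loop described above can be reduced to a reconciliation pass: read the current instance inventory, map each running instance to a policy group from its tags, register it, retire systems that have disappeared, and report anything that cannot be classified rather than leaving it silently unprotected. The inventory records, tag names, policy group names and the registry structure below are all constructed assumptions for the example.

```python
"""Reconcile a cloud inventory against a privileged-access registry.

Added illustration only.  The inventory layout, tag names, policy groups
and the Registry structure are constructed assumptions, not a vendor API.
"""
from dataclasses import dataclass, field

# Constructed inventory, loosely shaped like a "describe instances" result.
# Field names ("id", "state", "tags") are assumptions for the example.
CLOUD_INVENTORY = [
    {"id": "i-0a1", "state": "running",    "tags": {"Role": "web",   "Env": "prod"}},
    {"id": "i-0a2", "state": "running",    "tags": {"Role": "db",    "Env": "prod"}},
    {"id": "i-0a3", "state": "running",    "tags": {"Env": "dev"}},                    # no Role tag
    {"id": "i-0a4", "state": "terminated", "tags": {"Role": "web",   "Env": "prod"}},  # gone
    {"id": "i-0a5", "state": "running",    "tags": {"Role": "batch", "Env": "prod"}},  # unknown role
]

# Tag-driven policy assignment: (Role, Env) -> policy group (constructed names).
POLICY_MAP = {
    ("web", "prod"): "prod-web-admins",
    ("db",  "prod"): "prod-dba",
    ("web", "dev"):  "dev-admins",
}


@dataclass
class Registry:
    """The PIM side: which systems are under which policy group."""
    protected: dict = field(default_factory=dict)    # instance id -> policy group
    unclassified: list = field(default_factory=list)  # running, but no policy matched


def classify(instance):
    """Return the policy group for an instance, or None if no rule matches."""
    tags = instance.get("tags", {})
    return POLICY_MAP.get((tags.get("Role"), tags.get("Env")))


def reconcile(inventory, registry):
    """One discovery pass.  Returns (added, retired, unclassified)."""
    live = {i["id"]: i for i in inventory if i["state"] == "running"}
    added, unclassified = [], []
    for iid, inst in live.items():
        group = classify(inst)
        if group is None:
            # Fail loudly: an unmatched system must be reported, not ignored,
            # because "no policy" would otherwise mean "no controls".
            unclassified.append(iid)
            continue
        if registry.protected.get(iid) != group:
            registry.protected[iid] = group
            added.append((iid, group))
    # Systems that left the inventory are retired so the registry tracks reality.
    retired = [iid for iid in list(registry.protected) if iid not in live]
    for iid in retired:
        del registry.protected[iid]
    registry.unclassified = unclassified
    return added, retired, unclassified


def run_once():
    """Start from a registry that knows two systems, one of them now terminated."""
    reg = Registry(protected={"i-0a4": "prod-web-admins", "i-0a1": "prod-web-admins"})
    added, retired, unclassified = reconcile(CLOUD_INVENTORY, reg)
    return reg, added, retired, unclassified


if __name__ == "__main__":
    reg, added, retired, unclassified = run_once()
    print("added:", added)
    print("retired:", retired)
    print("unclassified (needs attention):", unclassified)
    print("registry:", reg.protected)
```

The `unclassified` list is the important part: a fail-open default (no matching rule, therefore no controls) is exactly the unprotected-system condition the text warns about. A real deployment would place such instances in a restrictive quarantine group or alert an operator, and would run this pass on a schedule or from platform events rather than by hand.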

Enable Identity as the Perimeter

For a long time, a lot of the task of controlling privileged users' access to systems consisted of physical, perimeter-based limits: once authenticated to the network, administrators could largely go where they wanted to go as long as they had the password. And for a long time, that worked reasonably well. But as perimeters have become increasingly conceptual in nature, the "guns, gates, and guards" approach is less and less effective as a basis for any sort of access control, particularly privileged identity management.

Rethinking identity as a perimeter offers benefits: associating rights and permissions with a specific individual, based on their identity, role, and group memberships, is a proven approach to access control. And it's conceptually and technologically possible for an individual identity to span all of the hybrid cloud. But the reality is it takes some heavy lifting to make it happen. An individual can be defined in multiple identity stores, some of which are ephemeral (think here about Amazon Web Services' use of federated identities which exist only for the duration of a session).

The requirement for a privileged identity management system is to federate those various definitions of identity, and assert a coherent set of access rights and permissions across the entire hybrid cloud. That requires tight integration with existing identity stores (enterprise directories like Active Directory and LDAP are obvious examples) as well as with identity as defined in new platforms like AWS Identity and Access Management (IAM).

It's worth noting on this point that, to the extent one begins to rely upon an individual's identity as a robust security perimeter, the level of trust required to authenticate that user rises sharply. For this reason, we can expect to see increased reliance on technologies like smart cards and other strong, multi-factor authentication systems. Within the Federal government, for example, we already see requirements to employ PIV/CAC cards (which require independent verification of identity to obtain) as the basis for system access.
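To make the federation requirement concrete, here is an added example (not Xceedium's implementation, and not any directory's or AWS' real API) that merges a user's enterprise-directory group memberships with an ephemeral federated cloud session into one access decision. The directory records, session records, entitlement names and the `NOW` timestamp are all constructed. It covers the two failure modes raised above: a short-lived federated session that has already expired, and privileged rights that must not be asserted unless strong, multi-factor authentication was actually presented.

```python
"""Federate an enterprise directory with an ephemeral cloud session and
assert one coherent set of privileged rights.

Added illustration only.  DIRECTORY, CLOUD_SESSIONS, the rights tables
and NOW are constructed sample data, not any real store or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed enterprise-directory records (AD/LDAP-style group membership).
DIRECTORY = {
    "alice": {"groups": ["Domain Users", "Linux-Admins", "DBA"], "disabled": False},
    "bob":   {"groups": ["Domain Users", "Cloud-Ops"],           "disabled": False},
    "carol": {"groups": ["Domain Users", "Cloud-Ops"],           "disabled": False},
    "dave":  {"groups": ["Domain Users", "Cloud-Ops"],           "disabled": True},
}

# Constructed federated cloud sessions: they exist only until "expires" and
# record whether the session itself was established with multi-factor auth.
NOW = datetime(2013, 6, 3, 12, 0, tzinfo=timezone.utc)
CLOUD_SESSIONS = {
    "alice": {"assumed_role": "CloudAdmin", "mfa": False, "expires": NOW + timedelta(minutes=30)},
    "bob":   {"assumed_role": "CloudAdmin", "mfa": True,  "expires": NOW + timedelta(minutes=30)},
    "carol": {"assumed_role": "CloudAdmin", "mfa": True,  "expires": NOW - timedelta(minutes=5)},
    "dave":  {"assumed_role": "CloudAdmin", "mfa": True,  "expires": NOW + timedelta(minutes=30)},
}

# What each source grants: (entitlement, is_privileged).  Privileged
# entitlements are only asserted when strong authentication was presented.
DIRECTORY_GROUP_RIGHTS = {
    "Linux-Admins": ("ssh:root@linux-fleet", True),
    "DBA":          ("db:sysadmin", True),
    "Cloud-Ops":    ("console:read-only", False),
}
CLOUD_ROLE_RIGHTS = {
    "CloudAdmin": ("console:manage-instances", True),
}


@dataclass
class Decision:
    granted: list    # entitlements asserted for this session
    withheld: list   # (entitlement, reason) pairs, for the audit trail


def resolve_access(user, strong_auth_presented, now=NOW):
    """Merge directory and cloud identity for `user` into one decision.

    `strong_auth_presented` is what the PIM gateway itself verified at logon
    (e.g. a smart card); `now` is injectable so expiry can be tested.
    """
    granted, withheld = [], []
    rec = DIRECTORY.get(user)
    if rec is None or rec["disabled"]:
        # The authoritative store wins: a disabled or unknown account gets
        # nothing, regardless of what a cloud session still claims.
        return Decision([], [("*", "no active directory identity")])

    candidates = [DIRECTORY_GROUP_RIGHTS[g] for g in rec["groups"] if g in DIRECTORY_GROUP_RIGHTS]

    sess = CLOUD_SESSIONS.get(user)
    if sess is not None:
        ent, privileged = CLOUD_ROLE_RIGHTS[sess["assumed_role"]]
        if sess["expires"] <= now:
            withheld.append((ent, "federated session expired"))
        elif privileged and not sess["mfa"]:
            withheld.append((ent, "federated session not MFA-backed"))
        else:
            candidates.append((ent, privileged))

    for ent, privileged in candidates:
        if privileged and not strong_auth_presented:
            withheld.append((ent, "strong authentication required"))
        else:
            granted.append(ent)
    return Decision(granted, withheld)


if __name__ == "__main__":
    for user in DIRECTORY:
        for strong in (True, False):
            d = resolve_access(user, strong)
            print(f"{user:5} strong_auth={strong!s:5} granted={d.granted} withheld={d.withheld}")
```

Two design choices are worth noting. The directory is treated as authoritative, so disabling an account there revokes everything even while a cloud session is still live, which is the single-point-of-control property the earlier section argues for. And the reasons in `withheld` are kept rather than discarded, because an audit that shows why a privileged right was not asserted is as useful to a compliance reviewer as the list of rights that were.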

These will soon become ubiquitous in the commercial sector as well. First, organizations typically subject to a higher level of risk (financial services and all the usual suspects) will adopt the technology on their own. Others will be forced to as a consequence of business relationships with the government. The U.S. Federal Government recently issued an executive order requiring contractors to implement NIST 800-53 controls, which include many new insider threat and administrative account controls, as a component of the Federal Acquisition Regulations (FAR). As compliance with 800-53 becomes a term and condition of contractual relationships, adoption of the associated technologies will inevitably follow rapidly.

Protect The Extended Management Plane

From both a conceptual and literal standpoint, the hybrid cloud introduces an extended management plane, reaching across hardware platforms over which you may have no physical control, or even access. Security teams are called upon to defend that extended management plane. As a practical matter, one of the primary challenges to achieving that goal is to secure the new management consoles that come packaged with virtualization and cloud computing platforms.

These platforms introduce a high level of risk, and an extensive attack surface. Part of the issue is simply the new technology and controls they expose, but we also need to consider what an errant user can do with unfettered access to those controls. In cloud and virtual environments, management consoles can be used to bring hundreds or thousands of systems to life in a matter of moments, and to destroy them just as rapidly.

Within the cloud, each resource consumed comes with a cost. So in a very practical sense, the management console serves as a makeshift procurement console, with limited controls. All of these challenges and more require consideration of how to incorporate privileged user management protections and controls.

Bottom Line

It's clear, if not obvious, that the hybrid cloud is a completely new environment. It offers both substantial cost savings, capital and operational, and profound potential for innovation. Safely and securely realizing that potential requires that organizations rethink their approach to privileged identity management. Wholesale migrations of existing solutions, designed for a different time, have proven not to provide the requisite protections. Security teams must look to next-generation privileged identity management solutions to find the protections they need.


About the Author

Dale R. Gardner is Director of Product Marketing at Xceedium. He's developed and launched multiple network, systems, and security management products for the enterprise market. A former META Group analyst, he started his career as a programmer and networking specialist.

Published Monday, June 03, 2013 7:16 AM by David Marshall