Part 2: New Requirements for Hybrid-Cloud Privileged Identity Management
In our last post, we discussed four changes bringing new challenges—and urgency—to the task of managing privileged identity in the hybrid cloud. They included the need to defend a significantly expanded management plane; understanding shared security responsibility models; protecting new technologies—particularly new management consoles; and the ability to scale and keep pace with dynamic environments.
In this post, we’ll begin taking a look at how to overcome these hurdles. At the highest level, organizations need to consider four issues while evaluating potential technical solutions—the depth and breadth of the technology; support for integration with infrastructure platforms (including VMware vSphere and AWS); integration with existing network, systems, and security management tools and processes; and the ability of a solution to scale and keep pace with rapidly evolving hybrid-cloud environments.
Depth and Breadth
When we talk about depth and breadth, there are really two central issues to consider—the scope of the solution’s overall privileged identity management controls, and the infrastructure coverage it provides.
A robust solution needs to provide specific privileged identity management capabilities satisfying multiple functional requirements. These include providing secure credential storage and management, strong authentication, access control, monitoring, auditing, and more. This is such an essential topic we’ll discuss it in more detail in our final post in this series.
As discussed, one of the defining characteristics of the hybrid cloud is the extended management plane it introduces. Spanning multiple technology platforms, management of the hybrid cloud requires access to a diverse set of interfaces and disjoint systems located in traditional data centers, within the cloud, and across virtualized servers and systems. Bringing all of those diverse infrastructure and application management systems under the control of a single logical policy enforcement regime delivers two benefits.
First, it makes it possible to exert a consistent set of controls across the environment from a single enforcement point. Individuals might be given access to a particular type of system, such as servers or databases, regardless of location; to a whole technology infrastructure, such as a physical data center; or to some subset or superset of those resources.
Second, the flexibility inherent in working with a single point of control also boosts productivity and efficiency. Individuals can access all authorized resources from a single logical—and physical—location. Given the complexity of IT environments, this can be a significant gain. Individuals need to access multiple systems across different environments, so it’s no wonder administrators resort to insecure practices such as keeping passwords in spreadsheets or files. Even then, administrators waste time looking for the credentials they need.
Given these requirements, we believe assuring effective and efficient privileged identity management capabilities in the hybrid cloud will favor comprehensive, well-integrated offerings over individual point solutions:
- Different privileged identity management technologies across different platforms and environments, each implementing controls in a different way, can lead to inconsistent policy definition and enforcement. That results in less effective security, and gaps in coverage.
- And with multiple tools, the task of demonstrating compliance with the host of regulatory mandates most organizations must satisfy becomes significantly more complex. Multiple systems means multiple data stores for policies and operational logs. That data must be collected and consolidated before it’s consumable by audit and enforcement teams.
- Finally, multiple solutions boost administrative complexity and operational costs. With a comprehensive system, there’s a single point for defining and enforcing policy, gaining access to systems, and monitoring and reporting on results.
Infrastructure Integration
Secure privileged identity management demands integration with IT infrastructure at multiple points. We’ll consider three that are particularly important.
Let’s begin by looking at identity itself.
One of the more significant risks of an identity management effort—privileged or otherwise—is developing “islands of identity”: multiple data stores with duplicated information and wasted effort in provisioning and de-provisioning processes. These situations also create inadvertent risk when users holding multiple credentials are only partially removed from systems. An individual leaving a team or organization may unknowingly retain credentials to sensitive resources.
To avoid these risks, it’s essential that privileged identity management solutions provide an identity bridging or federation capability across different identity data stores—Active Directory, other LDAP directories, or RADIUS.
Since most organizations rely on AD, or some other directory, to define both identity and access rights and permissions, integration here can deliver support for much of the traditional and virtualized infrastructure. It’s incomplete, though, when it comes to the cloud—AWS operates its own Identity and Access Management system. It’s elegant, comprehensive, and provides a great layer of protection for privileged users working with the AWS Management Console. But AWS Identity and Access Management can be complex, and could become another identity island requiring constant management. The ability to federate identities in existing directories with AWS Identity and Access Management enables organizations to enforce granular policy control over the use of the AWS Management Console, while simplifying the management of identities across multiple architectures.
Identity bridging and federation also come into play while working to eliminate the use of shared, essentially anonymous, administrative accounts like root. Since many individuals share a single account, it’s never possible to determine precisely who performed a given action. Maintaining strong links to identity, combined with command control and monitoring capabilities, helps eliminate these questions, and the associated risks.
Multi-Factor Authentication and Secure Storage
Given the sensitivity of the systems they’re managing, it’s not surprising that privileged users are increasingly required to use multi-factor techniques for authentication. The US Federal government has taken a leadership position in this regard. Mandates such as the forthcoming NIST 800-53 r4 standards dictate the use of strong authentication and access controls for privileged users, while HSPD-12 and OMB Memo 11-11 mandate the use of personal identity verification/common access card (PIV/CAC) cards for all types of system access, not just for privileged individuals. Commercial entities are also adopting smartcard technologies.
In addition to smartcards, a substantial installed base of hardware-based security tokens, like RSA SecurID, exists and is in widespread use for all types of users.
Technologically related to this infrastructure integration requirement is the growing reliance on Hardware Security Modules (HSMs) for the storage of cryptographic keys protecting privileged credentials. HSMs leverage sophisticated hardware-accelerated encryption techniques to support high-assurance security implementations. The passwords and other credentials maintained by a privileged identity management solution are the most sensitive ones within the organization, and an HSM-based storage option is a meaningful precaution.
Finally, we’ve already discussed the scale and dynamism of the hybrid cloud. In these rapidly changing environments, the ability to automatically discover resources as they’re created—and automatically apply policy to them—is an essential capability in maintaining control.
Consider a typical scenario in which a retailer needs to rapidly deploy dozens, or hundreds, of additional servers around the holidays to satisfy customer demand. Traditionally, privileged identity management vendors have provided some basic level of automated resource discovery, but those capabilities offer only limited help when new devices start appearing by the hundreds. Manual, hands-on-keyboard approaches to identifying target systems and defining appropriate policies significantly, and unacceptably, delay deployments. That costs revenue. The manual policy provisioning process can also easily lead to errors and oversights, resulting in the deployment of unprotected or improperly protected resources, with all the associated risk. In dynamic hybrid-cloud environments, auto-discovery combined with automatic provisioning of policies is an important new requirement for privileged identity management products.
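As an added illustration (not code from the original post or any vendor product), the following Python sketch shows how discovery output can drive policy provisioning: every discovered host either matches a catalogue policy or is flagged for review rather than left silently unprotected, and hosts that have disappeared since the last run are queued for access revocation. All hostnames, tags, group names and policy names are constructed.

```python
"""Reconcile auto-discovered hosts against a privileged-access policy catalogue.
Constructed example: hostnames, tags, directory groups and policies are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    platform: str            # e.g. "vsphere" or "aws" (constructed labels)
    tags: dict               # discovery metadata used for policy matching


@dataclass
class Policy:
    name: str
    match: dict              # tag key -> value that a host must carry
    admin_group: str         # directory group granted privileged access
    session_recording: bool = True


# Constructed catalogue; more specific rules come first.
CATALOGUE = [
    Policy("retail-web-tier", {"role": "web", "env": "prod"}, "AD\\WebOps"),
    Policy("retail-db-tier", {"role": "db", "env": "prod"}, "AD\\DBA"),
    Policy("non-prod-any", {"env": "staging"}, "AD\\DevOps", session_recording=False),
]


def select_policy(host, catalogue=CATALOGUE):
    """Return the first policy whose every match tag the host carries, else None."""
    for policy in catalogue:
        if all(host.tags.get(k) == v for k, v in policy.match.items()):
            return policy
    return None


def reconcile(discovered, previously_managed, catalogue=CATALOGUE):
    """Return (assignments, unmatched, retired).

    assignments: host name -> policy name, ready for automatic provisioning
    unmatched:   hosts with no matching policy; fail closed and raise for review
    retired:     previously managed hosts no longer discovered; revoke their grants
    """
    assignments, unmatched = {}, []
    for host in discovered:
        policy = select_policy(host, catalogue)
        if policy is None:
            unmatched.append(host.name)      # no implicit default access
        else:
            assignments[host.name] = policy.name
    retired = sorted(previously_managed - {h.name for h in discovered})
    return assignments, unmatched, retired


# Constructed discovery result from a holiday scale-out.
DISCOVERED = [
    Host("web-101", "aws", {"role": "web", "env": "prod"}),
    Host("web-102", "aws", {"role": "web", "env": "prod"}),
    Host("db-07", "vsphere", {"role": "db", "env": "prod"}),
    Host("tmp-build-3", "aws", {"role": "build"}),   # missing env tag
]
PREVIOUSLY_MANAGED = {"web-101", "db-07", "web-099"}
```

Running `reconcile(DISCOVERED, PREVIOUSLY_MANAGED)` assigns the three tagged hosts, flags `tmp-build-3` for review, and lists `web-099` for de-provisioning.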
Network, Systems, and Security Management Support
Most organizations have established, mature processes and tools for activities like network and systems management, and security operations. It’s important privileged identity management solutions deliver seamless integration with these systems, to ensure support for these critical processes. In most cases, the required integration can be achieved with relative simplicity, leveraging technologies and protocols like SNMP traps, or syslog sharing. Sometimes, more robust, purpose-built integration is desirable.
Scalability and Reliability
As with other enterprise technologies, privileged identity management solutions need to deliver high levels of reliability and availability. This typically translates into requirements for rapid throughput and efficiency, as well as more traditional high-availability capabilities such as clustering, failover, and load balancing.
Our experience with large-scale customers reveals a number of specific requirements:
- The ability to manage tens or hundreds of thousands of servers and hundreds or thousands of individual users.
- The ability to support hundreds of simultaneous user sessions from a single server. Approaches which top out after establishing a couple of dozen sessions will demand the continuous addition of new servers—consuming time, energy, and budget.
- Built-in scalability features, rather than a requirement to add servers, databases, and high-availability infrastructure from other vendors—at significant additional cost.
- Ease of use, particularly when defining or re-configuring policies.
- No requirement to install software on target systems. While this can sometimes be a worthwhile effort, the need to support a heavy client on each new node quickly becomes a burden and adds friction to operations. Installing software at startup time is inefficient, while the alternative—limiting users to specific images with agents already installed—constrains flexibility and erodes the speed advantage that cloud and virtualization offer.
New environments inevitably bring new requirements for all types of management solutions, including privileged identity management. Four are particularly critical for effective identity management: depth and breadth, measured by functionality and platform coverage; infrastructure integration with existing Identity and Access Management, security, and IT infrastructure; links to network, systems, and security management tools and processes; and enterprise-class scalability and reliability.
In our next post we’ll take a look at key capabilities required for effective privileged identity management in the hybrid cloud.