Xceedium is now CA Technologies

Learn more>


Partners - Support - Contact Us

Part 2: New Requirements for Hybrid-Cloud Privileged Identity Management

March 18, 2013

In our last post, we discussed four changes bringing new challenges—and urgency—to the task of managing privileged identity in the hybrid cloud. They included the need to defend a significantly expanded management plane; understanding shared security responsibility models; protecting new technologies—particularly new management consoles; and the ability to scale and keep pace with dynamic environments.

In this post, we’ll begin taking a look at how to overcome these hurdles. At the highest level, organizations need to consider four issues while evaluating potential technical solutions—the depth and breadth of the technology; support for integration with infrastructure platforms (including VMware vSphere and AWS); integration with existing network, systems, and security management tools and processes; and the ability of a solution to scale and keep pace with rapidly evolving hybrid-cloud environments.

Depth and Breadth

When we talk about depth and breadth, there are really two central issues to consider—the scope of the solution’s overall privileged identity management controls, and the infrastructure coverage it provides.

A robust solution needs to provide specific privileged identity management capabilities satisfying multiple functional requirements. These include providing secure credential storage and management, strong authentication, access control, monitoring, auditing, and more. This is such an essential topic we’ll discuss it in more detail in our final post in this series.

Extended Management PlaneAs discussed, one of the defining characteristics of the hybrid cloud is the extended management plane it introduces. Spanning multiple technology platforms, management of the hybrid cloud requires access to a diverse set of interfaces and disjoint systems located in traditional data centers, within the cloud, and across virtualized servers and systems. Bringing all of those diverse infrastructure and application management systems under the control of a single logical policy enforcement regime delivers two benefits.

First, it makes it possible to exert a consistent set of controls across the environment from a single enforcement point. Individuals might be given access to a particular type of system, such as servers or databases, regardless of their location. Or control over a technology infrastructure, like a physical data center; or even some sub- or superset of resources.

Second, the flexibility inherent in working with a single point of control also boosts productivity and efficiency. Individuals can access all authorized resources from a single logical—and physical—location. Given the complexity of IT environments, this can be a significant gain. Individuals need to access multiple systems across different environments—it’s no wonder administrators resort to such insecure practices as keeping passwords in spreadsheets or files. But even with that, administrators waste time looking for the credentials they need.

Given these requirements, we believe assuring effective and efficient privileged identity management capabilities in the hybrid cloud will favor comprehensive, well-integrated offerings over individual point solutions:

Infrastructure Integration

Secure privileged identity management demands integration with IT infrastructure at multiple points. We’ll consider three that are particularly important.


Let’s begin by looking at identity itself.

One of the more significant risks of an identity management effort—privileged or otherwise—is developing “islands of identity,” multiple data stores with risks of duplicated information and wasted effort in provisioning and de-provisioning processes. These situations can also lead to inadvertent risks as users with multiple credentials are only partially excised from systems. An individual leaving a team or organization may inadvertently retain credentials to sensitive resources.

DirectoryTo avoid these risks, it’s essential that privileged identity management solutions provide an identity bridging or federation capability across different identity data stores—Active Directory, other LDAP directories, or RADIUS.

Since most organizations rely on AD, or some other directory, to define both identity and access rights and permissions, integration here can deliver support for much traditional and virtualized infrastructure. It’s incomplete though when it comes to the cloud—AWS operates its own Identity and Access Management system. It’s elegant, comprehensive, and provides a great layer of protection for privileged users working with the AWS Management Console. But AWS Identity and Access Management can be complex, and could become another identity island requiring constant management. The ability to federate identities in existing directories with AWS Identity and Access Management enables organizations to enforce granular policy control over the use of the AWS Management Console, while simplifying the management of identities across multiple architectures.

Identity bridging and federation also come into play while working to eliminate the use of shared, essentially anonymous, administrative accounts like root. Since many individuals share a single account, it’s never possible to determine precisely who performed a given action. Maintaining strong links to identity, combined with command control and monitoring capabilities, helps eliminate these questions, and the associated risks.

Multi-Factor Authentication and Secure Storage

Given the sensitivity of the systems they’re managing, it’s not surprising privileged users are increasingly required to utilize multi-factor techniques for authentication. The US Federal government has taken a leadership position in this regard. Mandates, such as the forthcoming NIST 800-53 r4 standards, dictate the use of strong authentication and access controls for privilege users, while HSPD-12 and OMB Memo 11-11 mandate the use of privileged identity verification/common access card (PIV/CAC) cards for all types of system access, not just privileged individuals. Commercial entities are also adopting smartcard technologies.

SmartcardsIn addition to smartcards, a substantial installed base of hardware-based security tokens, like SecureID, exists and is in widespread use for all types of users.

Technologically related to this infrastructure integration requirement is the growing reliance on Hardware Security Modules (HSM) for the storage of cryptographic keys protecting privileged credentials. HSMs leverage sophisticated hardware-accelerated encryption techniques to support high assurance security implementations. The passwords and other credentials maintained by a privileged identity management solution are the most sensitive ones within the organization, and an HSM-based storage option is a meaningful precaution.

Cloud-Class Scalability

Finally, we’ve already discussed the scale and dynamism of the hybrid cloud. In these rapidly changing environments, the ability to automatically discover resources as they’re created—and automatically apply policy to them—is an essential capability in maintaining control.

Consider a typical scenario where a retailer might need to rapidly deploy dozens, or hundreds, of additional servers around the holidays to satisfy customer demand. Traditionally, privileged identity management vendors have provided some basic level of automated discovery of resources. But those capabilities provide only limited help when new devices start appearing by the hundreds. Manual, hands on keyboards, approaches to identifying target systems and defining appropriate policies significantly, and unacceptably delay deployments. That costs revenue. And the manual policy provisioning process can easily lead to errors and oversights. That results in the deployment of un- or improperly protected resources, and all the associated risk. In the dynamic hybrid-cloud environments auto-discovery, combined with auto provisioning of policies is an important new requirement for privileged identity management products.

Network, Systems, and Security Management Support

Most organizations have established, mature processes and tools for activities like network and systems management, and security operations. It’s important privileged identity management solutions deliver seamless integration with these systems, to ensure support for these critical processes. In most cases, the required integration can be achieved with relative simplicity, leveraging technologies and protocols like SNMP traps, or syslog sharing. Sometimes, more robust, purpose-built integration is desirable.

Scalability and Reliability

As with other enterprise technologies, privileged identity management solutions need to deliver high levels of reliability and availability. This typically translates into requirements for rapid throughput and efficiency, as well as more traditional high-availability capabilities such as clustering, failover, and load balancing.

Our experience with large-scale customers reveals a number of specific requirements:

Bottom Line

New environments inevitably bring new requirements for all types of management solutions, including privileged identity management. Four are particularly critical for effective identity management, including depth and breadth—measured by functionality and platform coverage; infrastructure integration with existing Identity and Access Management, security, and IT infrastructure; links to network, systems, and security management tools and processes; and enterprise-class scalability and reliability.

In our next post we’ll take a look at key capabilities required for effective privileged identity management in the hybrid cloud.

View Part 1.

Dale R. Gardner
Director of Product Marketing
Google+ | LinkedIn | Twitter


Blog: Xsuite: Privileged Identity Management for Modern...

Next In The Xceedium Webcast Series We’ve all seen it. A seemingly never-ending... Read More

CDM Phase II is Here

Xsuite delivers support for CDM Phase 2 Least Privilege and Infrastructure Integrity Requirements...Read More

Video: 2-Minute Explainer

This quick video, just two minutes in length, will rapidly deliver insights into the risks posed by privileged users, and how Xsuite circumvents the risks.Read More