Cloud PAM benefits, challenges and adoption best practices
Cloud PAM helps organizations manage access to privileged accounts to keep cloud data and applications secured. Is it right for your organization?
Many organizations have different levels of employee access to cloud resources and applications, with some requiring elevated permissions. Privileged access management has, therefore, become an important element of identity and access management strategies, with emphasis on protecting privileged access to critical systems and sensitive data.
As organizations increasingly embrace cloud computing, the approach to PAM is evolving. Let's look at the distinctions and overlaps between on-premises and cloud PAM, the benefits and challenges of cloud-based PAM, and how to effectively plan to implement cloud-centric PAM services.
On-premises vs. cloud PAM
It should come as no surprise there are similarities and differences between PAM in on-premises and cloud environments.
The core purposes are the same: securing privileged credentials, enforcing least privilege and monitoring privileged account activity. Whether on-premises or in the cloud, PAM systems reduce the risks associated with insider threats, credential theft and overprivileged accounts.
Both versions of PAM also often must comply or align with regulations, such as GDPR, HIPAA and PCI DSS, and all PAM should emphasize reporting and auditing capabilities for accountability.
Differences include the following:
- Control of systems and infrastructure. Internal PAM systems let an organization control and monitor privileged accounts directly because the hardware and software behind the PAM products and architecture are wholly owned and maintained by the organization. In the cloud, the provider operates the hardware and software underlying PAM and maintains any cloud-native PAM services.
- Deployment and maintenance. On-premises PAM often requires longer deployment times, manual updates and heavy reliance on IT operations teams. Cloud PAM typically is deployed as SaaS or a cloud-native service in IaaS and PaaS clouds with automatic updates, ensuring rapid deployment and reduced maintenance overhead.
- Integration. On-premises PAM might integrate more readily with legacy systems but can struggle with modern SaaS applications. Third-party cloud PAM services are designed for seamless integration with other cloud services, and with some on-premises products as well, enabling easier access control across hybrid environments. Some cloud PAM services, however, are tied to a single IaaS or PaaS provider.
Cloud PAM benefits
Cloud-based PAM offers a number of benefits, including the following:
- Enhanced flexibility. Cloud-based PAM provides centralized control over privileged accounts, with easier accessibility and integration in hybrid or multi-cloud environments. Cloud PAM also integrates easily with SaaS applications, identity-as-a-service platforms, and cloud-native services and deployments.
- Reduced costs. While third-party cloud PAM services can rival on-premises PAM options in cost, cloud-native services from providers might be less expensive overall, for example, when PAM is needed only within a single IaaS or PaaS cloud to integrate with and help secure deployments in that same environment.
- Scalability. The cloud's elastic nature supports businesses of all sizes, enabling PAM systems to grow alongside the organization without the need to deploy more systems or other components.
Cloud PAM challenges
Cloud PAM can also present some unique challenges. First is the potential for vendor lock-in, where organizations select a PAM provider central to a single cloud provider or that doesn't integrate with other clouds and on-premises systems and services.
Second is the distinct difference between classic on-premises identities and privilege models, such as Active Directory and Windows domain privileges, versus cloud-native IAM role assignments, such as AWS IAM and Azure role-based access control. Because these are distinct, a cloud PAM provider that supports hybrid cloud deployments needs to cover a much wider range of privileges and roles.
Third, cloud-based PAM services and platforms can have different privacy and data security requirements related to hosting and integration across wide geographic deployments, which could hinder adoption.
Getting started: How to adopt cloud PAM
Organizations considering a move to cloud PAM have the following decisions to make:
- Can they extend an existing on-premises PAM service to the cloud?
- Do they still need on-premises PAM coverage?
- What does PAM need to cover?
Obviously, there are many types of cloud services, and cloud-native PAM in a single IaaS cloud is a different use case than broader PAM that needs to cover more endpoints, user types and cloud services.
Start by assessing current needs and potential gaps. Conduct a comprehensive audit of privileged accounts across the organization, including on-premises, cloud, and hybrid systems and services. Couple this with determining PAM objectives and business goals and ensuring the system supports compliance requirements, operational efficiency and risk reduction.
Next, choose a service based on those use cases and the risk reduction they require. Options range from extending an existing vendor's on-premises service to the cloud, to adopting a new cloud PAM service that covers SaaS and other cloud access control and management, to implementing a cloud-native PAM service within a particular cloud, such as Microsoft Entra Privileged Identity Management or Google Cloud Privileged Access Manager.
For any service, collaborate with stakeholders, including DevOps and IAM teams, to map out a phased implementation strategy. Prioritize critical systems, services and accounts first, and then gradually expand to less critical areas. Automate provisioning and deprovisioning for privileged accounts where possible, and establish controls to enforce the principle of least privilege.
Make sure any PAM option chosen can integrate with existing IAM services, such as single sign-on and federation tools and services, and export logs and events to SIEM systems or other monitoring platforms.
Cloud PAM is a journey that takes significant time and effort to get right, especially in large, complex hybrid environments. Plan to continuously monitor privileged access activities to detect anomalies and suspicious behavior and regularly review and update PAM policies to adapt to evolving cloud security threats.
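To illustrate the last two steps above, exporting PAM and IAM events to a SIEM and monitoring privileged activity for anomalies, here is a small correlation check. It is an added example, not code from the article or from any PAM vendor, and it assumes the SIEM has already normalized PAM elevation records and privileged-action events into the constructed fields shown; the field names are hypothetical, not a real product schema.

```python
"""Correlate privileged actions against PAM elevation records.

Added example, not from the article or any PAM vendor. The events are a
constructed, normalized form (assumption: the SIEM has already parsed the
PAM and cloud IAM sources into these fields); the field names are
hypothetical, not a real product schema.
"""
from datetime import datetime

# Constructed PAM records: just-in-time elevations, each valid for a window.
ELEVATIONS = [
    {"user": "alice", "role": "CloudAdmin", "start": "2024-05-01T09:00:00",
     "end": "2024-05-01T11:00:00"},
    {"user": "bob", "role": "DomainAdmin", "start": "2024-05-01T13:00:00",
     "end": "2024-05-01T14:00:00"},
]

# Constructed privileged-action events from cloud IAM and on-prem audit logs.
ACTIONS = [
    {"ts": "2024-05-01T09:30:00", "user": "alice", "role": "CloudAdmin",
     "action": "AttachRolePolicy"},            # inside alice's window: fine
    {"ts": "2024-05-01T12:15:00", "user": "alice", "role": "CloudAdmin",
     "action": "CreateAccessKey"},             # after the window expired
    {"ts": "2024-05-01T13:20:00", "user": "carol", "role": "DomainAdmin",
     "action": "AddGroupMember"},              # carol never elevated via PAM
    {"ts": "2024-05-01T13:30:00", "user": "bob", "role": "DomainAdmin",
     "action": "ResetPassword"},               # inside bob's window: fine
]


def is_covered(action, elevations):
    """True if a PAM elevation for the same user and role was active at the time."""
    t = datetime.fromisoformat(action["ts"])
    return any(
        e["user"] == action["user"] and e["role"] == action["role"]
        and datetime.fromisoformat(e["start"]) <= t <= datetime.fromisoformat(e["end"])
        for e in elevations
    )


def uncovered_actions(actions, elevations):
    """Privileged actions with no matching elevation: standing privilege,
    an expired window still in use, or a path that bypasses PAM entirely."""
    return [a for a in actions if not is_covered(a, elevations)]


def findings_by_user(actions, elevations):
    """Group uncovered actions per identity so remediation can be prioritized."""
    report = {}
    for a in uncovered_actions(actions, elevations):
        report.setdefault(a["user"], []).append((a["ts"], a["role"], a["action"]))
    return report


if __name__ == "__main__":
    for user, items in findings_by_user(ACTIONS, ELEVATIONS).items():
        print(user, items)
```

Each finding is either a standing privilege the PAM rollout has not yet covered (a candidate for the next phase) or a privileged path that bypasses PAM, which is the anomaly the monitoring step is meant to surface.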
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.