Event Recording

Rohit Nambiar: Cloud PAM: Challenges, Considerations And Approach


As enterprises transition to IaaS, cloud security, and specifically IAM strategy and execution, becomes crucial. IAM controls for IaaS and the public cloud need to identify, secure and monitor privileged assets while at the same time dealing with the inherent elasticity, scalability and agility of the public cloud. A privileged access management program for the cloud, i.e. Cloud PAM, is therefore required to meet the increasingly stringent compliance and audit regulations and keep enterprises secure.

Today I'm going to talk about Equifax's journey through its cloud transformation and the challenges of privileged access management in the public cloud, or Cloud PAM as we call it. Next slide, please. Thank you. A brief introduction and background about Equifax: Equifax is a global data, analytics and technology company. We have operations across 27 countries. We were founded in 1899, and we are one of the top three consumer reporting agencies. We not only provide consumer reports to our customers, but we also provide important analytics and put important financial data into the hands of our customers so that they can make important financial decisions. A couple of years back, Equifax went through a data security and cloud technology transformation. It was a three-year transformation. We spent around 1.25 billion, and we envision this cloud transformation making Equifax an industry leader in security. We are doing this not only for compliance reasons, but because it is the right thing to do for our customers and for the global economy. We have a cloud-native approach, where all our IT applications which are in our on-premise legacy data centers are being moved into the public cloud in a cloud-native way. They use the cloud-native APIs and they scale well, so that we can provide meaningful and fast customer data to our customers. Next slide, please.
Thank you. As we go into the cloud transformation, Equifax realizes the importance of having an innovative approach to security. There are stats which tell us that the global public cloud market is growing threefold: by 2023 it will be three times what it is now. The majority of companies are in some shape or form in the public cloud, and the majority of IT experts and enterprises fear for data protection and compliance in public clouds, and hence are a little hesitant to move their infrastructure, applications and services into the public cloud. Not to mention that two thirds of the public cloud market goes through the three major providers, which are GCP, AWS and Azure. Equifax embraces all clouds; we embrace a multi-cloud approach. However, GCP is our go-to platform for our cloud transformation, so all our applications, newer applications and critical applications, are moving into GCP at a very rapid pace.
As we go through our cloud transformation, we realize that we are in need of identity and access management controls, specifically privileged access management, so that we can ensure that our privileged accounts, our accesses and our associated entitlements are properly identified, secured, managed and monitored. And that too in a multi-cloud environment, because we can't have our approach in a silo for a single cloud. You have to think through that all the controls which you put in are consistent across identities, across a multi-cloud environment. As we approach that, next slide please, I want to touch on a couple of challenges which we thought through. Our approach was: when you're going into a multi-cloud environment, what are the various challenges, what are the various requirements that we would have to meet as per security and to conform to the compliance and regulatory bodies, and what would be your approach to such a journey to the public cloud?
Some of the challenges in the public cloud are the ability to detect, protect and monitor the privileged accounts. If you do not know what your identities are, if you cannot differentiate your human identities from the non-human identities, or the federated identities for that matter, which may not reside in your public cloud and may reside in a SaaS or a separate directory, you lose the ability to monitor and protect your privileged accounts. So you have to have robust tools and processes to identify those privileged accounts and have them managed in the proper way. The other challenge we faced in the public cloud is long-standing privileges, right? In a traditional infrastructure or a traditional identity management tool, you tend to give your access through AD groups, perhaps, and those are static, persistent accesses which live through the life of it.
Those are exploitable and can be exploited by a malicious actor. So you have to limit your privileges to a very limited duration, and you also should not have excessive privileges. You cannot have over-privileges for a particular user; as an example, a misconfiguration and a malicious insider on a public cloud can cause a massive security data breach, and that has happened in the past. So you have to limit those privileges which exist in the public cloud. And this all boils down to the lack of governance, which you need to have: you need to identify what your identities have access to, what those entitlements are, how they are managed and how you control them. So there should be proper IAM governance in the public cloud. And to add to that, you need to have a control which spans across multi-cloud. You cannot be specific to a particular cloud provider, because their roles, their infrastructure services and their APIs are different, and you have different challenges in different clouds. So all these challenges are very specific and unique to the public cloud, and it is an uphill task to look at all these attack vectors and challenges and put controls around them. Next slide, please.
Thank you. As I mentioned the challenges: once we identified those challenges, we wanted to see what the requirements are which will solve our IAM controls. So we wanted to get into the tools and processes which will help us get those PAM controls into the public cloud. One of the critical things is that we wanted to have PAM as a service. We didn't want our infrastructure to be a burden, because we don't want to manage the services and the infrastructure behind it, do patching and have a lot of overhead. So one of the critical things is to manage the controls, and you manage the controls in a SaaS environment. Also, you have to identify all your privileged accesses and how those privileged accesses are reached in the public cloud. For example, in a public cloud it's not just server access.
You have access through APIs, you have access through the console. So you have to have different mechanisms of putting in controls, multiple controls in some scenarios, and monitor the activity through those access channels. And you need to have a mindset of risk reduction. It's impossible to have foolproof security, but if you identify these access points, you can reduce the risk, and thus you can minimize the attack surface. And in order to have governance, you need to have a converged PAM and identity governance, or IGA, platform which can interoperate with each other. This is very important, because you need to have an idea of what your identities, be they human or non-human identities, are, and how they are accessed and how the entitlements are granted, et cetera. One of the major challenges other than that would be DevOps. You have your CI/CD pipelines, your GitHub repositories, your containers.
All those are attack vectors, and you have to have access controls around them without limiting developer velocity. You have to balance security with providing flexibility to your developers, and the public cloud provides a lot of native cloud IAM capabilities. You should leverage the native cloud IAM capabilities and try to integrate and merge those with the vendor tools. Having one vendor tool will not solve your problem in the public cloud. As I said, you need to have tools and processes, but there are other complementary tools: for example, you can do cloud control through a cloud security posture management tool or a cloud compliance tool. These tools give you an overarching view of the misconfigurations in cloud IAM and help you create a consolidated view of what accesses need to be controlled and how you can control them. So with all these considerations in mind, Equifax chose Saviynt as its PAM and IDM solution for the Google Cloud Platform.
Now, the good features about Saviynt we liked were the convergence of PAM as well as IGA in one particular platform, having that as a service, and also that the product was built very specifically for the public cloud, which was cloud-native. It uses all the cloud APIs, has webhooks, et cetera, which are very important and can be integrated into an IAM platform. So by deploying Saviynt and utilizing the default GCP connector, we were able to correlate and aggregate around 96,000 accounts and around 700 in the Google Cloud Platform. Based on that, we have converted all those accounts and entitlements into the platform and provided the required PAM and IGA capabilities inside one tool. In the next slide, I'm going to tell you the approach that we took in making it through this journey.
Next slide, please. Thank you. As I said, once we identified what those factors and challenges were, what the requirements were, and when we had the right tools and processes, the first thing was that we were able to identify the privileged accounts and control access. We were able to control the Compute Engine access, IAM access, database access and also some DevOps accesses. We were able to utilize the native capabilities of GCP, such as Stackdriver and Cloud Functions, and merge that with the Saviynt tool to have automatic, dynamic, event-based discovery of the VMs as well as the accounts. We also utilized our cloud compliance tools, and you can also utilize your default native cloud entitlement analyzers; Google has the Policy Analyzer.
AWS has its IAM Access Analyzer, and you can discover all these IAM accesses and know what the user has access to. So we were able to do that discovery; as I said, event-based discovery through the Saviynt auto-discovery processes. And then, once we discovered all these accounts, as I said, you have to have a mindset of risk reduction. So in order to prevent long-lasting privileges, we employed just-in-time, credential-less access for access to the GCP consoles, as well as to SSH and database access. We also vaulted all the privileged credentials in Saviynt's vault, and we also have a PAM gateway through which we do the session management of the end users. Now, these PAM gateways are deployed on microservices, Kubernetes clusters. They use the native cloud scalability, which we don't get in the on-prem and legacy PAM products.
Also, one of the ways to reduce the risk is to add access for the users through roles and entitlements and go through an approval workflow. Now, as I said, since Saviynt has the converged IGA platform, we are able to mine the roles, the GCP roles, and bring them up for entitlement access, which goes through multi-level approvals, so that you know what the user has access to and it is granted the right way. Other things which we were able to resolve were securing the DevOps channel, right? And I would say it all boils down to secrets management. You have your CI/CD pipelines, you have your Git repositories. Those have hard-coded credentials which need to be managed. These are privileged credentials, and secrets management is not just vaulting of the accounts, but it's also management of those accounts with authorization-based access.
So when we manage the secrets, we have an authorization flow which provides access only to the folks who are authorized, and the owner approves it. That not only provides auditing capabilities, but you can also report, when an auditor comes in on compliance, as to how you manage your secrets. And last but not least, there are other native cloud solutions for secrets management: GCP has its own Secret Manager, and AWS has a Secrets Manager. You can utilize them if you don't have compliance or regulatory requirements which you're concerned about; at least it's better than not having any solution. So secure your DevOps channels by managing those hard-coded credentials into a vault in a public cloud. An important thing in the public cloud is to have a zero trust model.
So you don't trust an insider or an outsider. Everything has to be granted through an access approval mechanism. We do that utilizing the native capabilities: we have a least-privilege model where we utilize the native cloud IAM GCP roles and abstract them, as I said, through the connector, and grant the smallest role to the user, so the user does not have over-privileges. We know exactly what role they have, the IAM roles, which are abstracted from GCP into Saviynt, and the user uses an entitlement request and an approval model to get access to those roles. You also have SoD violations, for which you limit the access of a particular user. For example, we have an SoD policy that users cannot have access into production, period, but for some reason they may need emergency access.
So we were able to create entitlements such that a certain set of authorized users can request a firecall entitlement for a time-based limit, and then that access gets automatically revoked once that time elapses. So you have this privileged zero trust model which you get when you are using a converged platform of IGA and PAM, and that is very important in a public cloud. And the identity governance, the lifecycle management of all identities, be it a human identity or a non-human identity, maybe a service account: all those get correlated, and you can get good governance around your identities, what they have access to and when those accesses were granted. And you can also review those accesses through access certification. Last but not least, in governance, for having effective governance you need to go outside your tools and have processes wherein your enterprise adopts a process which goes through a security advisement and where there are architectural reviews.
So all our IAM controls are tightly coupled into that enterprise security advisement policy. That overall gives you IAM governance and security governance. And the next level of maturity of PAM in a public cloud is trend-based analytics. You can have toxic entitlements, which a user should not have, and you can grade or score them based on the risk. If a user has access to a console across AWS and GCP and also has access to the databases, those kinds of entitlements can be termed toxic entitlements, which increase the risk of the user. So you can do risk scoring and have some analytics, which all these tools provide, and get the risk of what the user can or cannot do.
Also, your analytics should include proper reports, and you should also send those analytic logs into a SIEM so that your countermeasures or the SOC team can bring cases out of it. So these are some of the things which we have done in our GCP environment, and we plan to do the same things in our other public cloud environments. I hope this gave you an overview of what we have gone through and the journey. We are constantly looking for new opportunities for improving our PAM capabilities and IAM capabilities overall, and we are constantly maturing on the security aspect of it. So that's pretty much it, and hopefully this gave you an insight into what our journey was through the cloud transformation, as well as our Cloud PAM journey at Equifax. Thank you.
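The talk describes three controls in words: a firecall entitlement that is time-limited and lapses on its own, an SoD policy that forbids standing production access, and risk scoring of toxic entitlement combinations such as console access in both AWS and GCP combined with database access. The following Python model, added here as an illustration and not code from Saviynt, Equifax or the speaker, puts those three controls together over a constructed set of identities. Every entitlement name, risk weight and identity in it is a constructed assumption standing in for roles a real deployment would mine from cloud IAM.

```python
"""Added example: a small entitlement-governance model (constructed, not vendor code).

Shows time-bound firecall grants that expire on their own, an SoD rule against
standing production access, and risk scoring of toxic entitlement combinations.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class Grant:
    entitlement: str
    approved_by: Optional[str] = None      # None: requested but not yet approved
    expires_at: Optional[datetime] = None  # None: standing (persistent) access


@dataclass
class Identity:
    name: str
    kind: str                              # "human" or "service-account"
    grants: List[Grant] = field(default_factory=list)


# Constructed entitlement names standing in for mined cloud IAM roles.
PROD_ENTITLEMENTS = {"db.prod.admin", "gcp.prod.project.owner"}

# Constructed toxic combinations: (required entitlements, risk weight, label).
TOXIC_COMBINATIONS = [
    ({"aws.console.admin", "gcp.console.admin", "db.prod.admin"}, 50,
     "console access in AWS and GCP combined with production database access"),
    ({"ci.pipeline.admin", "secrets.vault.admin"}, 40,
     "can change the pipeline and read every secret it uses"),
]


def effective_entitlements(identity: Identity, now: datetime) -> Set[str]:
    """Entitlements that are approved and not expired at time `now`."""
    return {
        g.entitlement for g in identity.grants
        if g.approved_by is not None and (g.expires_at is None or g.expires_at > now)
    }


def request_firecall(identity: Identity, entitlement: str, approver: str,
                     now: datetime, ttl: timedelta) -> Grant:
    """Grant emergency production access that lapses after `ttl`; no manual revoke needed."""
    if entitlement not in PROD_ENTITLEMENTS:
        raise ValueError(f"{entitlement} is not a production entitlement")
    if approver == identity.name:
        raise ValueError("firecall access cannot be self-approved")
    grant = Grant(entitlement, approved_by=approver, expires_at=now + ttl)
    identity.grants.append(grant)
    return grant


def sod_violations(identity: Identity) -> List[str]:
    """Standing (never-expiring) production access breaks the SoD policy."""
    return sorted(
        g.entitlement for g in identity.grants
        if g.entitlement in PROD_ENTITLEMENTS
        and g.approved_by is not None and g.expires_at is None
    )


def risk_score(identity: Identity, now: datetime) -> Tuple[int, List[str]]:
    """Score an identity from its effective entitlements; higher means riskier."""
    effective = effective_entitlements(identity, now)
    score = 5 * len(effective)             # every live entitlement adds some risk
    findings: List[str] = []
    for combo, weight, label in TOXIC_COMBINATIONS:
        if combo <= effective:             # all members of the toxic set are live
            score += weight
            findings.append(label)
    for ent in sod_violations(identity):
        score += 30
        findings.append(f"standing production access: {ent}")
    return score, findings


def run_demo() -> dict:
    """Walk one operator through a one-hour firecall window; returns the results."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ops = Identity("ops-engineer", "human", [
        Grant("aws.console.admin", approved_by="manager"),
        Grant("gcp.console.admin", approved_by="manager"),
    ])
    request_firecall(ops, "db.prod.admin", approver="app-owner",
                     now=t0, ttl=timedelta(hours=1))
    during = risk_score(ops, t0 + timedelta(minutes=30))   # toxic while firecall is live
    after = risk_score(ops, t0 + timedelta(hours=2))       # back to baseline after expiry
    # A service account with standing production access, for contrast.
    svc = Identity("etl-sa", "service-account",
                   [Grant("db.prod.admin", approved_by="manager")])
    return {"during": during, "after": after,
            "svc": risk_score(svc, t0), "svc_sod": sod_violations(svc)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry over from the talk: the firecall grant is never revoked by a human, it simply stops counting once `expires_at` passes, so the operator's score falls from the toxic level back to baseline without any cleanup step; and the SoD check looks only at grants with no expiry, so a properly time-boxed emergency grant is not a violation while the service account's persistent production access is.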
