Cloud Privilege Security: Extending Identity Security to the Public Cloud

March 21, 2024 Sam Flaster


Privileged access is privileged access, no matter where it exists. At enterprise scale, standardization is the key to Identity Security. Yet as the world increasingly adopts cloud services in search of operational benefits, many organizations lack consistent people, processes and technologies to secure the identities that access sensitive resources across their hybrid and multicloud environments.

In fact, 52% of organizations report that they lack Identity Security controls around cloud infrastructure and workloads, per CyberArk’s recent Identity Security Threat Landscape report.

Our vision at CyberArk is to enable and secure all identities accessing sensitive assets, DevOps pipelines, services and data in hybrid and multicloud environments.

Cloud Privilege Security is our term for the intelligent controls securing privileged access to the public cloud.

CyberArk Cloud Privilege Security solutions analyze, secure and monitor access to cloud applications, infrastructure, consoles and services. Our centralized approach is designed to secure human and machine identities alike, covering both just-in-time and standing privileged access across federated access and shared account models. This holistic, Zero Trust approach allows organizations to extend Identity Security to the public cloud in three key steps.

Step 1: Analyze access patterns to identify Identity Security risks and misconfigurations

CyberArk Cloud Entitlements Manager discovers and analyzes human and machine identities in multicloud environments to identify Identity Security risks, such as excessive permissions that violate the rule of least privilege. This is known as Cloud Infrastructure Entitlements Management (CIEM).

Cloud Entitlements Manager analyzes and visualizes permissions across Amazon Web Services (AWS), AWS Elastic Kubernetes Service (AWS EKS), Microsoft Azure and Google Cloud Platform (GCP), and then provides policy recommendations to remove excessive permissions that violate least privilege access.

The solution also identifies additional assets, accounts and API keys to protect, such as shadow admin accounts with risky permissions or shared privileged accounts used by administrators that are not managed by a privileged access management (PAM) solution.

While many organizations federate access to their public cloud resources using single sign-on (SSO), 44% of organizations still use traditional usernames and passwords outside of SSO to access cloud resources, according to our Identity Security Threat Landscape Report. Cloud Entitlements Manager discovers and onboards these privileged accounts to the CyberArk Vault, enabling operational efficiencies for Identity Security teams.
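The permission analysis Step 1 describes, as an added example that is not CyberArk's code: it expands an IAM policy's action wildcards against a constructed action catalogue, diffs the result against the actions an identity actually used, flags unused privilege-escalation actions (the shadow-admin risk mentioned above) and emits a tightened policy. The catalogue, the sample policy and the usage records are all constructed sample data.

```python
"""Toy CIEM-style analysis: compare the actions an IAM policy grants with the
actions an identity actually used, then recommend a tightened policy.
Added example, not CyberArk code. The action catalogue, the policy and the
usage records are constructed sample data, not exported from any real account."""
import fnmatch
import json

# Constructed subset of IAM action names, used to expand wildcards such as "s3:*".
ACTION_CATALOG = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
}
# Constructed list of actions that can grant or escalate privilege ("shadow admin" risk).
PRIVILEGE_ESCALATION_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PassRole"}

def granted_actions(policy: dict) -> set:
    """Expand every Allow statement's Action patterns against the catalogue."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            granted.update(a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern))
    return granted

def analyze(policy: dict, used_actions: set) -> dict:
    """Return unused permissions, risky unused ones, and a least-privilege policy."""
    granted = granted_actions(policy)
    unused = granted - used_actions
    recommended = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": sorted(granted & used_actions),
                       "Resource": "*"}],  # constructed: resource scoping is a separate step
    }
    return {"granted": granted, "unused": unused,
            "risky_unused": unused & PRIVILEGE_ESCALATION_ACTIONS,
            "recommended_policy": recommended}

# Constructed sample: a deploy role with broad grants, and the actions seen in use.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
SAMPLE_USED = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_POLICY, SAMPLE_USED)["recommended_policy"], indent=2))
```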

Step 2: Secure access to cloud resources and services

Leveraging Privileged Access Manager, organizations can securely vault and rotate credentials for break-glass and system accounts, shared accounts or application secrets. Once credentials are onboarded to the Vault for secure management, CyberArk administrators can configure them for privileged session management, isolating these sessions to help prevent the spread of malware and ransomware.

In addition to standing access, CyberArk PAM solutions also secure just-in-time privileged access to cloud resources like virtual machines (VMs) and cloud management consoles.

Dynamic Privileged Access secures privileged access in federated access models, allowing just-in-time elevation for operational privileged access to ephemeral VM instances. Just-in-time elevation based on attribute-based access control (ABAC) reduces the risk of compromised credentials with standing access, facilitating progress towards Zero Trust access models.

Secure Cloud Access, an upcoming CyberArk solution that will soon be open for Early Availability (beta), provisions just-in-time, least-privilege access to cloud consoles and services. Access for cloud management operations is elevated just in time to reduce the risk of compromised credentials, with session protection to reduce the risk of browser hijacking. Secure Cloud Access also leverages least-privilege policy recommendations from Cloud Entitlements Manager to appropriately scope permissions for each session.

Step 3: Monitor access to public cloud environments

CyberArk Cloud Privilege Security solutions enable organizations to centrally monitor access to public cloud resources and services, helping satisfy audit and compliance requirements.

Privileged sessions involving the use of break-glass, system or shared accounts are monitored through Privileged Access Manager, providing a full audit trail. Embedded threat analytics detect anomalous behavior that could signal credential theft or bypassing of privilege controls, and assign risk scores to sessions that can accelerate audit review.

Just-in-time privileged sessions are audited in the same way. In particular, Secure Cloud Access will provide full recordings of web sessions to the cloud console, assisting audit and compliance initiatives.

Cloud Privilege Security controls are at the center of extending Identity Security controls to the cloud. CyberArk capabilities for Workforce & Customer Access, Endpoint Privilege Security, Secrets Management and Identity Management can also contribute to effective Identity Security programs, enabling a holistic approach to solving challenges in hybrid and multicloud environments.

Explore CyberArk solutions today

Sign up for early availability to Secure Cloud Access.

Take advantage of our limited-time offer for complimentary use of Dynamic Privileged Access.

Sign up for a free trial of Cloud Entitlements Manager.
