Next-generation protection for the federal hybrid Cloud
Dale R. Gardner
Hybrid-Cloud computing, the combination of private, community and public Cloud infrastructures, delivers advantages. But it also introduces risks, particularly around privileged users and trusted insider threats.
Agencies already routinely develop plans of action and milestones (POAMs) to address audit findings on shared administrative accounts, weak and default passwords, and other privileged-access risks. Regulations mandating tighter privileged user controls have also emerged. Most recently, an updated release of NIST Special Publication 800-53 brought new requirements. More are found in Presidential CAP goals and long-standing programs such as HSPD-12 and OMB 11-11, which reinforce the requirement for PIV-card-controlled logical access to systems, particularly for privileged accounts.
As a consequence of all these demands, organizations have begun to move to more modern privileged identity management systems combining privileged password management, access control, monitoring and other capabilities. These solutions attempt to combine disparate functions, replacing the assemblage of home-grown and point products with which organizations have attempted to manage privileged users in the past.
But this may not be enough, since migration to the hybrid Cloud creates fundamentally new security risks. “Administrators of private cloud and IaaS environments gain more concentrated power -- and the risk that goes with it -- than administrators for more traditional data center deployments,” notes Gartner’s research director, Nick Nikols. This is a consequence of the dynamic nature of the Cloud and powerful administrative consoles. Administrators can do much more, and they can do it much faster, and attacks scale up. The emerging security demands of the hybrid Cloud are leading federal agencies to evolve to “next-generation” privileged identity management (PIM) solutions uniquely capable of managing privileged users and mitigating insider threats within the hybrid Cloud environment.
But what is a next-generation PIM? Work with federal agencies moving to the Cloud reveals five capabilities essential to "next-generation" privileged identity management.
Establish a single point of control
The flexibility of the hybrid Cloud can work against the goal of consistent controls, since there are now many more platforms where policy can be defined and applied. Inconsistent policies lead to uneven protection, greater risk for compliance failures and administrative overhead.
Enforcing a single definition of policy across platforms is a critical requirement. Otherwise, you face gaps in coverage, increased risk and administrative overhead. Another requirement is a comprehensive set of controls, such as managing credentials, authentication, user monitoring and logging, and more. Many try to use point products to satisfy these requirements, resulting in patchwork protection.
Run anywhere/manage anywhere
It is important that a solution support native installations across the Cloud -- traditional rack-mounted hardware or virtual appliances. This makes installations faster, with fewer opportunities for failure. It also puts the onus on the solution vendor to maintain the full software stack.
Architecturally, a solution must be able to manage resources across the Cloud, regardless of where they're physically located.
Keep pace with dynamic Clouds
A next-generation privileged identity management system must be able to keep pace with rapidly changing Cloud platforms to avoid becoming a drag. Next-generation solutions must support automated discovery of resources and policy provisioning to immediately provide baseline protection.
The hybrid Cloud is increasingly used for mission critical workloads. Next-generation solutions must provide scalability and high availability features such as clustering and failover.
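The discovery-and-provisioning loop described in this section, shown as an added example. This is illustrative code written for this article, not code from the author or from any vendor's product. The inventory snapshots, the resource kinds and the baseline policy values are constructed for the example; the PimRegistry class and its reconcile() method are hypothetical names. The point it makes is that a newly discovered resource is placed under a deny-by-default baseline the moment it is seen, before any administrator has been entitled to it, and that resources which disappear from a platform are flagged for review rather than silently dropped from management.

```python
"""Automated discovery with immediate baseline protection (added example)."""
from dataclasses import dataclass


@dataclass
class Resource:
    """One resource reported by a platform's inventory API (constructed shape)."""
    platform: str      # e.g. "public-iaas", "private-vsphere"
    resource_id: str
    kind: str          # "vm", "console" or "service-account"


# Baseline policy per resource kind, applied before any user-specific
# entitlement exists. Values are constructed for this example.
BASELINES = {
    "vm": {"default": "deny", "require_auth": "piv", "record_sessions": True},
    "console": {"default": "deny", "require_auth": "piv",
                "record_sessions": True, "api_keys": "vaulted"},
    "service-account": {"default": "deny", "credential": "vaulted",
                        "rotate_hours": 24},
}


def baseline_for(resource):
    """Pick the baseline for a kind; an unknown kind gets the strictest one."""
    return dict(BASELINES.get(resource.kind, BASELINES["console"]))


class PimRegistry:
    """Hypothetical in-memory record of which resources are under management."""

    def __init__(self):
        self.managed = {}   # (platform, resource_id) -> policy dict
        self.events = []    # audit trail of provisioning decisions

    def reconcile(self, snapshot):
        """Compare an inventory snapshot with the managed set.

        Returns (newly_managed, orphaned). New resources are registered with
        their baseline immediately; orphans keep their policy and are flagged.
        """
        seen = set()
        newly = []
        for r in snapshot:
            key = (r.platform, r.resource_id)
            seen.add(key)
            if key not in self.managed:
                self.managed[key] = baseline_for(r)
                newly.append(key)
                self.events.append(("provisioned", key))
        orphaned = sorted(k for k in self.managed if k not in seen)
        for key in orphaned:
            self.events.append(("orphaned", key))
        return newly, orphaned


def demo():
    """Two successive snapshots: one resource appears, one disappears."""
    reg = PimRegistry()
    first = [Resource("public-iaas", "i-0a1", "vm"),
             Resource("private-vsphere", "vcenter-01", "console")]
    reg.reconcile(first)
    second = [first[0], Resource("public-iaas", "sa-deploy", "service-account")]
    newly, orphaned = reg.reconcile(second)
    return newly, orphaned, reg


if __name__ == "__main__":
    newly, orphaned, reg = demo()
    print("newly managed:", newly)
    print("orphaned:", orphaned)
    for key, policy in reg.managed.items():
        print(key, policy)
```

In a real deployment the snapshot would come from each platform's inventory API on a schedule or from its change-notification feed, and the baseline would be whatever the agency's policy requires; the shape of the loop stays the same.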
Enable identity as the perimeter
Traditional perimeter-based controls never worked that well for privileged users, since they equate access with authentication. They really come up short in the Cloud. Identity is emerging as a new perimeter. Basing access to resources on identity allows granular access control, flexibility, auditability and ease of use.
But identity is often defined in multiple locations. First-generation solutions can make this situation worse by adding another “island” of identity. A superior approach is to bridge or federate identity.
The federal sector has led the way on another important requirement, strong authentication technologies, such as PIV/CAC smartcards.
Protect the extended management plane
The hybrid Cloud strains PIM solutions by adding new resources to protect, like powerful management consoles. Protecting these resources is complicated since they expose much of their functionality via application programming interfaces (APIs). Most traditional tools are ill-equipped to provide this protection.
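The three requirements above, a single definition of policy across platforms, identity (with strong authentication) as the perimeter, and protection of API-driven management consoles, can be shown together in one small piece of code. The following is an added example written for this article; it is not code from the author, from Xceedium or from any product. The policy table, the identity assertion and the audit record format are constructed for the example, and ApiGateway and authorize() are hypothetical names. The only real-world reference is the claim name amr (authentication methods reference), borrowed from OpenID Connect to carry how the user authenticated. Each platform gateway holds no policy of its own; it asks the one shared authorize() function, which refuses sensitive management-plane actions unless the identity assertion shows PIV/CAC authentication, and writes an audit record for every decision, allowed or denied.

```python
"""Identity-based control of management-plane API calls (added example)."""
from datetime import datetime, timezone

# One policy definition consulted by every platform adapter (constructed).
# role -> set of (platform pattern, action pattern); "*" matches anything,
# "prefix:*" matches any action in that family.
POLICY = {
    "storage-admin": {("public-iaas", "storage:*"),
                      ("private-vsphere", "datastore:*")},
    "vm-operator": {("*", "vm:start"), ("*", "vm:stop")},
}

# Management-plane actions that must be backed by PIV/CAC authentication
# even when a role rule would otherwise grant them (constructed list).
STRONG_AUTH_ACTIONS = ("iam:*", "console:*", "storage:delete",
                       "datastore:delete")


def matches(pattern, value):
    """Match "*", an exact value, or a "family:*" prefix pattern."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith(":*") and value.startswith(pattern[:-1])


def authorize(assertion, platform, action, audit):
    """Decide one API call and always append an audit record.

    assertion: dict with 'sub', 'roles' and 'amr', as a federated identity
    provider would assert it after authentication (constructed shape).
    """
    roles = assertion.get("roles", [])
    rule_hit = any(matches(p, platform) and matches(a, action)
                   for role in roles for p, a in POLICY.get(role, ()))
    needs_piv = any(matches(p, action) for p in STRONG_AUTH_ACTIONS)
    if not rule_hit:
        decision, reason = False, "no rule grants this action"
    elif needs_piv and "piv" not in assertion.get("amr", []):
        decision, reason = False, "strong authentication required"
    else:
        decision, reason = True, "granted by role"
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "sub": assertion.get("sub"),
        "platform": platform,
        "action": action,
        "decision": "allow" if decision else "deny",
        "reason": reason,
    })
    return decision


class ApiGateway:
    """Fronts one platform's management API; carries no policy of its own."""

    def __init__(self, platform, audit):
        self.platform = platform
        self.audit = audit

    def call(self, assertion, action):
        if not authorize(assertion, self.platform, action, self.audit):
            return {"status": 403}
        # The real platform API would be invoked here (not shown).
        return {"status": 200, "action": action}


def demo():
    """Same policy, two platforms, two administrators with different auth."""
    audit = []
    iaas = ApiGateway("public-iaas", audit)
    vsphere = ApiGateway("private-vsphere", audit)
    piv_admin = {"sub": "alice", "roles": ["storage-admin"], "amr": ["piv"]}
    pwd_admin = {"sub": "bob", "roles": ["storage-admin"], "amr": ["pwd"]}
    statuses = [
        iaas.call(piv_admin, "storage:delete")["status"],     # 200
        iaas.call(pwd_admin, "storage:delete")["status"],     # 403: needs PIV
        iaas.call(pwd_admin, "storage:list")["status"],       # 200
        vsphere.call(pwd_admin, "datastore:list")["status"],  # 200
        vsphere.call(pwd_admin, "vm:start")["status"],        # 403: no rule
    ]
    return statuses, audit


if __name__ == "__main__":
    statuses, audit = demo()
    print(statuses)
    for record in audit:
        print(record)
```

Because both gateways consult the same table, changing a rule once changes it for the private and the public platform alike, which is the single point of control the article calls for; and because the decision is tied to the asserted identity and how it authenticated rather than to where the request came from, the same check works whether the console is reached from inside the data center or from a cloud provider's network.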
Bottom line: the need for next-generation PIM
The hybrid Cloud brings speed and flexibility, but these characteristics strain first-generation privileged identity management. By ensuring PIM solutions address these core requirements, managers can be assured their privileged identity management system will keep pace with and fully protect this dynamic new environment.
Dale R. Gardner is director of product marketing at Xceedium. He can be reached at: