9 Questions to Ask a Privileged Access Provider
Rom Carmel
January 7, 2024
Most resources, such as databases and machines, now run in the cloud and require privileged access. Yet few teams can manage cloud identities effectively at scale: Gartner has estimated that by 2023, 75 percent of cloud security failures will result from inadequate management of identities and access.
As a result, controlling, monitoring and auditing privileged access has become even more critical for protecting against both external and internal threat vectors, human error and a growing list of compliance requirements.
The following are nine of the most important questions to ask a potential privileged access provider.
1. What levels of access granularity is the solution capable of granting over sensitive resources?
Why it matters for privileged access
Granularity is key to privileged access governance. It means defining access permissions at a fine level of detail: the individual databases, machines, folders, buckets, namespaces and so on that a user needs, so that no unnecessary privileges are granted. When managing access to production, customer data or other sensitive applications, it is important to grant "just enough" access to perform the task at hand.
What to look for
It's important to find a solution that uses native integrations with all your critical services, apps and data repositories and can grant permissions at whatever level of granularity is required, high or low. For example, a self-hosted or cloud-hosted PostgreSQL, MySQL or MongoDB integration can manage access to clusters, databases, schemas, collections and tables, whereas traditional PAM solutions usually stop at the cluster or database level.
The solution must integrate directly with each service, change permissions inside that service itself, and speak that service's own policy language, so that the admin gets a unified privilege control plane with workflows and audit capabilities on top.
2. How does the solution integrate with the organization’s environment?
Why it matters
It is important that the solution integrates with the way the environment is set up. For example, if the organization has an integration between AWS and Okta (for example, leveraging Okta SSO), it is important that the solution grants the privileged access over that integration rather than creating a different way to get access. Similarly, if an organization leverages Terraform for some of the permission management, it is important to understand how the solution would fit on top of that.
What to look for
Look for a solution that works with the ways your organization already authenticates. In AWS, for example, that may be a SAML integration, AWS IAM Identity Center, or an assume-role pattern used to give users privileges; Apono grants access through whichever of these integrations you already have in place rather than adding a new path.
Similarly, if your organization prefers to manage permissions with Terraform, look for a solution that can be fully controlled through a Terraform provider. These are just two small examples, but the product should reflect how important it is to integrate with the way the organization works and with its existing tools and processes.
3. Does the solution support time-bound, just-in-time access?
Why it matters for privileged access
Just-in-time access management aligns access privileges with actual need: a user holds elevated rights only for the window in which the work happens. That reduces standing privileges and the attack surface they create, makes compliance easier to evidence, and keeps access efficient for authorized users.
What to look for
It's important to make sure the solution can dynamically grant and revoke permissions on every critical resource and service it governs access to. In addition, the solution should offer robust if-this-then-that (IFTTT) rules that use context such as on-call shifts, IdP groups, managers and work hours, so that just-in-time access is tailored to the specific business use case.
4. Which cloud providers does the solution integrate with?
Why it matters for privileged access
Many companies today are opting to be multi-cloud, and it’s important to make sure your solution will support them all at a granular level and not just at the IAM level. Similarly, some companies have workloads running in Kubernetes or on-prem, for example with a mixture of cloud-hosted and self-hosted Kubernetes clusters and databases, and you need to make sure the solution supports both types of deployments.
What to look for
You want to make sure the solution integrates with your cloud provider and all major cloud providers such as AWS, Google Cloud Platform and Microsoft Azure, as well as Kubernetes and supporting self-hosted database integrations at the same level of granularity.
We see many companies switch providers over their lifetime for better financial incentives, so make sure the solution will not need to be replaced once multiple cloud providers are in use.
5. How do end users receive the access they are granted with the solution?
Why it matters for privileged access
It's important that the solution is easy to use, or it won't be adopted company-wide. To be easy to use, the solution must integrate with your tech stack and must not depend on home-grown tooling that your team has to maintain, such as automation scripts, workflow builders, Slack bots or GitHub PR flows. It should offer quick, automated and simple ways to request and be granted access.
What to look for
Look for a solution that your end users are familiar with and use on a daily basis. Messaging or existing IT support / ticketing applications are often a great option, but cross reference with your organization’s specific tech stack.
6. What is the overall end-user experience using the platform?
Why it matters for privileged access
It's very important that the end-user experience is intuitive and simple, because a large part of access governance involves people. To be adopted, a privileged access solution must be intuitive and must fit easily into the way users already work. Otherwise it creates friction and fails to be adopted, or worse, is adopted and then bypassed by individuals who reuse an application token or set up their own automations, such as cron jobs, to avoid the system.
What to look for
A policy-based access governance solution that doesn’t change the way end users work and allows them to seamlessly use any client they would like to access resources and services, like cloud resources or databases.
Users should have clear visibility of their request status in the platform of their choice, understand why requests were approved or rejected, and have time-saving mechanisms for frequently needed access.
7. What access governance automations can the solution provide?
Why it matters for privileged access
Automation is an important part of any access governance solution that offers self-serve capabilities or just-in-time permissions. Not automating the revocation of permissions leads to standing privileges, resulting in a larger attack surface and potential security issues. In addition, it’s also important to set up workflows with automated responses for repetitive or emergency requests.
What to look for
It’s important to make sure the solution has the following:
1. On-call shift integration, so that developers on duty can request and be granted access as soon as possible during an incident, at any hour of the day.
2. Break-glass scenarios that allow different teams to gain sensitive access temporarily, for example for production maintenance or customer support.
3. Automation based on cloud or Kubernetes resource tags and labels, so that new resources are automatically included in existing access workflows.
8. What access approval workflows can be defined in the solution?
Why it matters for privileged access
Automatic approval workflows are huge time-savers. The user is able to seamlessly ask for and receive the access needed to do their jobs.
What to look for
1. Automatic granting with full audit and reporting mechanisms in place
2. Approval workflows leveraging context based approvals like on-call shifts, IdP groups and managers, and more
3. Different approval flows based on resource sensitivity, i.e. data sensitivity, customer environments, or cloud account
4. Approval escalation policies with several eligible approvers so that requests are handled swiftly, and multi-party approval for very sensitive access
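The following is an added example, not Apono's code or part of the original post, that puts questions 3, 7 and 8 into one runnable policy evaluator: a request is decided from context (on-call shift, IdP group, manager, work hours, resource tags), auto-granted requests carry an expiry, and a sweep revokes anything past its expiry so no standing privilege remains. The users, groups, tags, rules and the data-owner approver are all constructed for illustration.

```python
"""Added example (not Apono's code): context-aware just-in-time access with
time-bound grants and automatic revocation on expiry."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample context (not real data). A deployment would read this from
# the on-call tool, the IdP and the cloud/Kubernetes tag APIs at request time.
ON_CALL = {"alice"}
IDP_GROUPS = {"alice": {"sre"}, "bob": {"support"}, "carol": {"sre", "dba"}}
MANAGERS = {"alice": "dave", "bob": "erin", "carol": "dave"}
RESOURCE_TAGS = {
    "db-orders-prod": {"env": "prod", "sensitivity": "customer-data"},
    "db-analytics-stg": {"env": "staging", "sensitivity": "internal"},
}
MAX_DURATION = timedelta(hours=4)
WORK_HOURS = range(9, 18)  # 09:00-17:59 in the request's own timezone

SAMPLE_NOW = datetime(2024, 1, 8, 10, 0, tzinfo=timezone.utc)   # a Monday, 10:00
SAMPLE_NIGHT = SAMPLE_NOW.replace(hour=22)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)


@dataclass
class Request:
    user: str
    resource: str
    role: str
    duration: timedelta
    now: datetime


@dataclass
class Decision:
    outcome: str                      # "grant", "needs_approval" or "deny"
    reason: str
    approvers: List[str] = field(default_factory=list)
    expires_at: Optional[datetime] = None


def request(user: str, resource: str, role: str = "reader",
            hours: float = 1.0, at: datetime = SAMPLE_NOW) -> Request:
    """Convenience constructor for sample requests."""
    return Request(user, resource, role, timedelta(hours=hours), at)


def evaluate(req: Request) -> Decision:
    """Apply the rules in order; only rules 1 and 2 grant without a human."""
    tags = RESOURCE_TAGS.get(req.resource)
    if tags is None:
        # Resources join workflows through their tags; untagged means never granted.
        return Decision("deny", "resource not tagged for any workflow")
    if not timedelta(0) < req.duration <= MAX_DURATION:
        return Decision("deny", "duration outside policy bounds")
    manager = MANAGERS.get(req.user)
    if manager is None:
        return Decision("deny", "user has no manager in the IdP")
    expires = req.now + req.duration
    groups = IDP_GROUPS.get(req.user, set())
    # Rule 1: an on-call SRE gets break-glass access to prod immediately.
    if tags["env"] == "prod" and req.user in ON_CALL and "sre" in groups:
        return Decision("grant", "on-call break-glass", expires_at=expires)
    # Rule 2: non-prod is self-serve in work hours, manager-approved otherwise.
    if tags["env"] != "prod":
        if req.now.hour in WORK_HOURS:
            return Decision("grant", "non-prod during work hours", expires_at=expires)
        return Decision("needs_approval", "non-prod out of hours", [manager], expires)
    # Rule 3: prod customer data needs the manager plus a data owner.
    if tags["sensitivity"] == "customer-data":
        return Decision("needs_approval", "prod customer data",
                        [manager, "data-owner"], expires)
    return Decision("needs_approval", "prod resource", [manager], expires)


# Active grants keyed by (user, resource, role) -> expiry. The sweep below is
# what turns a time-bound request into an actual revocation.
ACTIVE_GRANTS: Dict[Tuple[str, str, str], datetime] = {}


def apply(req: Request) -> Decision:
    """Evaluate and, on an automatic grant, record it with its expiry."""
    decision = evaluate(req)
    if decision.outcome == "grant":
        ACTIVE_GRANTS[(req.user, req.resource, req.role)] = decision.expires_at
    return decision


def sweep_expired(now: datetime) -> List[Tuple[str, str, str]]:
    """Revoke every grant whose expiry has passed; returns what was revoked."""
    expired = [key for key, exp in ACTIVE_GRANTS.items() if exp <= now]
    for key in expired:
        del ACTIVE_GRANTS[key]  # a real connector would issue the REVOKE here
    return expired


if __name__ == "__main__":
    print(apply(request("alice", "db-orders-prod")))
    print(evaluate(request("bob", "db-orders-prod")))
    print(sweep_expired(SAMPLE_LATER))
```

The sweep is the part worth scrutinizing in any product: a grant that is written but never swept back is a standing privilege, whatever the approval flow in front of it looked like.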
9. How granular is the solution inside databases or other sensitive resources?
Why it matters
To keep your resources secure, it’s important to limit access to each one. Granular provisioning allows you to “check out” one book instead of the whole shelf.
What to look for
The solution must be able to integrate directly with the specific service or resource type. This allows the solution to change the permissions at the resource level itself, for example a specific collection or table in your data repository instead of the entire cluster. The solution should allow for control of specific roles and permissions of each resource type and service from one central tool, bringing a unified privilege control plane to the admin, with workflows and audit capabilities on top.
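As an added example for questions 1 and 9, not code from Apono or from the original post, the block below shows what "checking out one book instead of the whole shelf" looks like in PostgreSQL: it builds the narrowest grant for a request (one table, or even specific columns, rather than every table in a schema) together with the matching revoke. It also quotes every identifier, because a tool that builds GRANT statements from request input is itself an injection target. The user, schema and table names are constructed; the statements follow PostgreSQL's GRANT syntax.

```python
"""Added example (not Apono's code): generate table- or column-scoped
PostgreSQL grants and revokes with injection-safe identifier quoting."""
from typing import Iterable, List, Optional

# Privileges a requester may ask for; ALL is deliberately not offered.
ALLOWED_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE"}
# PostgreSQL allows column-level grants only for these (plus REFERENCES).
COLUMN_CAPABLE = {"SELECT", "INSERT", "UPDATE"}


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes, double embedded quotes.
    Anything a requester supplies stays inside the quotes, so a name such as
    'orders"; DROP TABLE users; --' cannot break out of the statement."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


def _privilege_clause(privileges: Iterable[str], columns: Optional[List[str]]) -> str:
    privs = sorted({p.upper() for p in privileges})
    unknown = set(privs) - ALLOWED_PRIVILEGES
    if not privs or unknown:
        raise ValueError(f"unsupported privilege(s): {sorted(unknown) or 'none given'}")
    if columns:
        not_scopable = set(privs) - COLUMN_CAPABLE
        if not_scopable:
            raise ValueError(f"cannot scope to columns: {sorted(not_scopable)}")
        cols = ", ".join(quote_ident(c) for c in columns)
        return ", ".join(f"{p} ({cols})" for p in privs)
    return ", ".join(privs)


def scoped_grant(user: str, schema: str, table: str, privileges: Iterable[str],
                 columns: Optional[List[str]] = None) -> List[str]:
    """Narrowest grant: named privileges on one table (or its listed columns)."""
    target = f"{quote_ident(schema)}.{quote_ident(table)}"
    clause = _privilege_clause(privileges, columns)
    return [f"GRANT {clause} ON TABLE {target} TO {quote_ident(user)};"]


def scoped_revoke(user: str, schema: str, table: str, privileges: Iterable[str],
                  columns: Optional[List[str]] = None) -> List[str]:
    """Exact inverse of scoped_grant, to run when the access window closes."""
    target = f"{quote_ident(schema)}.{quote_ident(table)}"
    clause = _privilege_clause(privileges, columns)
    return [f"REVOKE {clause} ON TABLE {target} FROM {quote_ident(user)};"]


def coarse_grant(user: str, schema: str) -> str:
    """What stopping at the schema level looks like: every table, every privilege.
    Shown for contrast only; it is the 'whole shelf'."""
    return (f"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA {quote_ident(schema)} "
            f"TO {quote_ident(user)};")


if __name__ == "__main__":
    print(scoped_grant("alice", "public", "orders", ["select"]))
    print(scoped_grant("bob", "public", "customers", ["select"], columns=["id", "email"]))
    print(scoped_revoke("alice", "public", "orders", ["select"]))
    print(coarse_grant("alice", "public"))
```

A caveat for anyone pairing this with a role's VALID UNTIL clause: in PostgreSQL that clause only expires password authentication, it does not remove privileges, so a time-bound grant still needs an explicit REVOKE when the window ends.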