Delinea | Privileged Access Management Blog

Privileged Access Management: IN the cloud vs. FOR the cloud

Written by Chris Smith | Nov 26, 2019 5:00:00 AM

Are you talking about PAM in the cloud or PAM for the cloud?

“Wait, what’s the difference?” We hear these questions a lot from our customers. And, we have to admit the “PAM in the cloud vs. PAM for the cloud” debate has caused some confusion even in our internal meetings.

Cloud has exploded. Simply inserting the word “cloud” into conversation seems to indicate a modern, Agile approach to IT. Most companies are no longer debating the security of the cloud, but rather figuring out how quickly they can adopt its benefits.

When it comes to PAM and the cloud, however, one little word makes a big difference. So, let’s get our definitions straight so everyone’s on the same page.

PAM in the cloud

When we say, “Privileged Access Management in the cloud,” we’re talking about SaaS—PAM as a service. Instead of hosting your PAM software on-premise and managing all of the installation work, maintenance and updates yourself, your PAM vendor takes care of all that for you. They manage a cloud environment (for example, we use Azure and AWS depending on the solution) where your PAM software resides, and make sure it’s secure, available, and up to date.

Companies choose Privileged Access Management in the cloud for several reasons:

  • Fast start. Privileged Access Management in the cloud is easy to set up and provides rapid time to value. When you implement Delinea's cloud PAM solutions, you can get results right away after logging into our browser-based console for the first time.

  • Pay-as-you-go pricing. With Delinea's PAM in the cloud, you have total control over licensing costs via a flexible, subscription-based price model.

  • Less time, money, and resources. PAM in the cloud provides expert maintenance for patches, upgrades, and new feature rollouts, and avoids hardware costs and management headaches.

  • Reduced risk. PAM in the cloud offers secure architecture, data encryption, and advanced threat management.

  • Greater stability. PAM in the cloud can easily scale to thousands of users and applications without slowing down or losing control.

  • High availability. PAM in the cloud offers geo-redundancy, autoscaling, uptime SLA, and 24×7 monitoring.

If you have your own private cloud, PAM in the cloud can mean you’re still responsible for management and hosting costs, but you still gain the elasticity and scalability that the cloud brings.

Every flavor of cloud implementation is possible. Some Privileged Access Management (PAM) functionality and components can be hosted on-premise and others in the cloud. The proliferation of cloud data centers around the world has made it possible for companies to comply with laws that require data to remain in-country. Additionally, private clouds can also be combined with public clouds to create a hybrid cloud for PAM.

Until recently, true PAM in the cloud wasn’t even an option—or cloud versions of PAM didn’t have the full Privileged Access Management capabilities available with PAM on-premise. But, today, modern PAM cloud deployments include all the same functionality—and often more—than PAM on-premise, from vaulting, rotating and session management to least privilege policies and application control.

So, now the choice is yours: PAM in the cloud or PAM on-premise, or any combination, without giving up any security or functionality.

 

Delinea's survey of 200 security professionals at the 2019 RSA Conference found that 21% of companies have already adopted Privileged Access Management in the cloud or plan to do so. An additional 26% are looking to transition from PAM on-premise to a cloud-based PAM solution.

Companies migrating to PAM in the cloud are quickly realizing the benefits.

The Annie E. Casey Foundation has found the cost of PAM in the cloud is significantly less than having it on premises. “We reduced our servers by 85%,” reports Senior Network Administrator Chigozie Okorie.

University of San Diego is much less worried about a breach. According to Manager of Systems Support, Michael Somerville, “Our students expect 100% uptime and that’s synonymous with cloud. It’s secure, with checks and balances.”

Loyola University of Maryland had the Secret Server cloud environment set up in about a week and conducted the migration in only one day. Tim Enders, Senior System Engineer, told us, “I was able to shift my workload from mechanical maintenance to spending more time providing service to my users.”

Ok, so what’s PAM for the cloud?

PAM for the cloud, on the other hand, is about how you’re going to use a PAM solution to manage and secure access to systems and services that reside in the cloud. These could include critical applications or databases that are stored in the cloud, cloud platforms for application development, or SaaS tools used by your business or technical teams.

Pretty much all of us have some dependence on the cloud for critical resources. Ninety percent of companies will have some portion of their apps or infrastructure in the cloud by 2020, according to IDG. In fact, 80% of IT budgets are committed to cloud solutions, says Gartner.

The move to the cloud complicates PAM challenges. The explosion of cloud services has driven the proliferation of privileged accounts and credentials to a state that, for most organizations, is unmanageable without processes and tools, Gartner warns.

We’re already seeing the consequences of unmanaged privileged accounts tied to cloud resources. According to McAfee:

  • 27% of organizations using platform-as-a-service (PaaS) have experienced data theft from their cloud infrastructure.
  • 92% of companies have cloud credentials for sale on the Dark Web.
  • On average, companies using AWS and/or Azure have 14 misconfigurations in their infrastructure-as-a-service (IaaS) platforms, many of which involve poor privilege management.

Bringing the PAM cloud stories together

Yes, you can address these cloud Privileged Access Management challenges with an on-premise solution. However, the volume and velocity at which cloud resources can be provisioned and deprovisioned makes them difficult for legacy PAM solutions to keep up with.

That’s why we believe the best way to manage and secure cloud-based privileged accounts is with a cloud-based PAM solution. Put another way, PAM in the cloud is best for PAM for the cloud.

You can read more about how PAM solves cloud challenges in the whitepapeCritical Controls for Modern Cloud Security.

Here’s what we’re doing about it

In our product strategy, we’ve taken on both parts of the cloud conversation—PAM in the cloud and PAM for the cloud—and we’re bringing them together.

On the PAM in the cloud side of the story, we launched the industry’s first full-featured PAM-as-a-service solution last summer. Since then, we’ve seen 342% YoY cloud business growth, with over 1,000 cloud customers and counting.

Cyber Management Alliance also had nice things to say: “Delinea (formerly Thycotic) is the clear leader with a Cloud-Native PAM solution that can be implemented today and that features discovery, vaulting, monitoring and control capabilities on par with its flagship on-premise offerings.” You can read more in their report: Securing Your Organization with Cloud-based Privileged Access Management (PAM).

We take a cloud-first approach to new product development. Features like encryption, hourly backups, SOC 2 audits, geo-redundancy, and GDPR compliance are included. In addition to our core products, Secret Server cloud, Privilege Manager cloud, and Privileged Behavior Analytics, our latest innovations, Account Lifecycle Manager and DevOps Secrets Vault, are cloud-based and designed to solve cloud challenges. (Links to these products are provided at the end of this post.)

To address the challenges of PAM for the cloud, we’ve focused on four main use cases:

  • Securing access to cloud apps and infrastructures.
  • Managing the full lifecycle of provisioning and de-provisioning access and accounts, particularly to curb service account sprawl.
  • Privileged activity monitoring and reporting for cloud platforms like AWS.
  • High-speed vaulting and secrets management in DevOps environments and CI/CD pipelines.

Cloud is the way forward for Privileged Access Management

With this explanation of the differences between PAM in the cloud and PAM for the cloud, you should be able to lead discussions inside your own organization—with security, IT, developers, executives, and partners—about the right solution to meet your cloud challenges.

To test out Delinea cloud PAM for yourself, try one of our cloud products:

Secret Server for Cloud

Privilege Manager

Privileged Behavior Analytics

Account Lifecycle Manager

DevOps Secrets Vault

Related Reading: PAM cloud security is different. Let me explain why