Security is all encompassing. As we’ve said before, there’s no such thing as partial security. You’re either secure or you’re not. This is why sometimes it’s the little things that can be an organization’s undoing – and sometimes the internal factors as well. Often we’re so focused on cybercrime and hackers that we forget about threats from the inside.
Take your administrators. In any organization, you have trusted people who protect and manage your data. Ideally they’re skilled and honest employees – but because we live in the real world, you still need oversight. People are just people, after all, and that means checks and balances are always a good thing.
Edward Snowden is a classic example. As a highly privileged user in his job, he wasn’t closely monitored and could freely impersonate other users. As a result, he was able to obtain information he didn’t have clearance for. While this may seem like an extreme example, it does illustrate why every organization needs to make sure even their most trusted staff aren’t exceeding the limits of their authority.
Monitoring systems admins can be difficult. For organizations with dozens or even hundreds of support people, it just isn’t feasible to maintain individual admin accounts for all of them. Often these companies will create one administrative account and let multiple people share a single login and password. Consequently, a system admin can go in and tinker with a system or access data, either as a malicious act or an innocent mistake. It is very difficult and time-consuming to determine which employee was responsible or what the motivation was – or if it will continue to happen. While this is as risky as it sounds, a surprising number of providers tolerate this.
That’s where Privileged Access Management (PAM) comes in. PAM provides visibility into each admin’s work on a cloud infrastructure. This allows for quick and easy identification of any mistake or problem. By essentially allowing you to watch the watchers, a good PAM system provides the control and visibility needed to protect against internal threats. The problem? Not all companies have this capability built into their IT infrastructures.
Cloud providers with an insecurity complex are especially notorious for glossing over the need to manage inside risk. It is one of the dark secrets of the cloud provider industry. Do you know who is touching your infrastructure? If you can’t answer that question, how sheepish would a cloud provider look saying, “I don’t know” to a customer with sensitive data and applications? There really is no excuse for not knowing how an infrastructure is being touched.
As you might have guessed, Armor not only insists on PAM. It is just one of many important ingredients that go into our recipe for providing a secure cloud to our customers.