From Legacy to Cloud: Securing the Production Stack with API-led Access Management
Simon Moffatt
•
Dec 15, 2025
This is the final of a three-part series taking a look at modern privileged access management and how its evolution to the protection of more systems and more identities leads to both security and productivity improvements.
Article 1 discussed why PAM needs to evolve, with the second article tackling the concept of the production stack and what capabilities are needed to secure it. This article will help solidify the concept with adoption and migration recommendations.
Identity-centric attacks are increasing in both volume and success, with the impact including the exfiltration of intellectual property and PII/PHI and the disruption of services across a range of industries. Many attacks may well start with "standard" employee or customer identities, but they can easily leverage privilege escalation and lateral movement to target infrastructure administration, privileged system access and the accounts and credentials associated with engineering pipelines. The impact is broad and the risks cascade.
The increasing reliance on cloud technologies, both for SaaS-delivered business applications and for cloud service provider (CSP) hosting of data, compute, network and storage functions, has helped organisations from a cost and operational perspective, but it can also hinder them from a privileged control plane point of view. Visibility gaps, blind spots, inconsistent controls and a lack of privileged discovery and management can rapidly emerge.
As the need to deliver privileged access capabilities extends to more systems and more stakeholders, productivity issues for personnel such as engineers, DevOps and SecOps become common. Mean time to access (MTTA) suffers because of manual access request and response functions for things like CI/CD credentials, the need to hardcode secrets, and non-reusable privileged access control components embedded deep within applications.
Adoption of and migration to a more integrated PAM approach is gathering pace across multiple parts of the technology ecosystem. But how to get there?
Before embarking on an adoption or migration journey to a more API-led approach, it is important to understand the underlying concepts that underpin such a platform. This helps to identify gaps within existing controls and also supports migration prioritization. Governance of the entire privileged ecosystem should focus on zero standing privileges (ZSP) and the use of just in time (JiT) ways of requesting those privileges. No administrative capability or credential should be assigned for long periods of time. They should be associated only based on context - such as the completion of a known task or a specific time period.
As more identities and more systems need to be included in this production stack world, automation of both the integration and the access request and response function needs to be standardized. This should include the initial discovery of systems but also the interactions of approvers and the provisioning and deprovisioning stages needed to associate, remove and monitor access. An API-first approach here not only delivers scalability but also introduces consistency with respect to user experience (for admins and users) as well as security control assurance.
The implementation of those security controls - such as strong requester authentication, credential rotation, permissions change, monitoring and so on - should be defined via a threat-informed defensive model that can strategically support the ability to handle “unknown unknown” patterns of adversarial behaviour. Those controls need to be centrally managed but implemented consistently across a distributed range of targets.
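As an added illustration, not code from the article or from any product it mentions, the following Python sketches the ZSP/JiT lifecycle described above: a request carrying a justification, a separate approver, a grant bound to a task window that is automatically deprovisioned on expiry, an audit trail, and a check that flags standing privileges in a discovered inventory. The JitBroker class, its 4-hour cap and the sample identities are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:
    principal: str
    role: str
    target: str
    approved_by: Optional[str]
    expires_at: Optional[datetime]  # None means a standing privilege, which ZSP forbids

class JitBroker:
    """Hypothetical API-led broker: request -> approval -> time-bound grant -> auto-expiry."""
    MAX_TTL = timedelta(hours=4)  # assumed policy cap: every grant is tied to a task window

    def __init__(self) -> None:
        self._seq = 0
        self.pending: dict = {}      # req_id -> (principal, role, target, ttl, justification)
        self.grants: list = []       # currently provisioned grants
        self.audit: list = []        # append-only event trail

    def request(self, principal, role, target, ttl, justification, now):
        if ttl <= timedelta(0) or ttl > self.MAX_TTL:
            raise ValueError("requested TTL outside policy window")
        self._seq += 1
        req_id = f"req-{self._seq}"
        self.pending[req_id] = (principal, role, target, ttl, justification)
        self.audit.append(("request", req_id, principal, now.isoformat()))
        return req_id

    def approve(self, req_id, approver, now):
        principal, role, target, ttl, _ = self.pending[req_id]
        if approver == principal:
            raise PermissionError("self-approval is not allowed")  # separation of duties
        del self.pending[req_id]
        grant = Grant(principal, role, target, approver, now + ttl)
        self.grants.append(grant)
        self.audit.append(("approve", req_id, approver, now.isoformat()))
        return grant

    def active_grants(self, now):
        """Deprovision anything past its expiry and return what is still live."""
        expired = [g for g in self.grants if g.expires_at is not None and g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(("expire", g.principal, g.role, now.isoformat()))
        return list(self.grants)

def standing_privileges(grants, now, max_ttl=JitBroker.MAX_TTL):
    """ZSP check over a discovered inventory: flag grants with no expiry or one beyond the cap."""
    return [g for g in grants if g.expires_at is None or g.expires_at - now > max_ttl]
```

Running `standing_privileges` over the inventory produced by discovery is the measurable starting point for the current profile discussed below: every flagged grant is a candidate for conversion to a JiT request.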
A key pattern to any strategic technology change is to first understand the existing landscape (current profile) whilst also working towards a future design (or target profile). Both are related and shouldn’t be created in isolation. A future design that is simply based on vendor capabilities or current trendy concepts is unlikely to deliver business value or be implemented in full. It is also important to really understand the current state of privileged access within the organisation.
What privileged and high-risk systems are being managed today? Are they being managed by commercial products or home-grown tools and scripts? Which systems are not currently being managed? Why is that? How are privileged identities authenticated, provisioned and authorized today? A similar approach to the target profile should focus on current and future systems, areas of high risk (including both business applications and cloud infrastructure) and an understanding of the types of identities and accounts that will require access - including workload, non-human identity, agentic identity and the range of protocols and forms - such as APIs, command lines, SDKs and the like.
Deciding where to start migrations requires an ability to prioritize business requirements against risk, time, effort and reward. A set of core pain points can be identified with respect to ineffective privileged access management. This can be used to help develop a heatmap showing where to start the transformation process.
Example pain points for an assessment should also record why each should trigger a migration conversation, the observable and measurable symptom, and the impact it has on the business.
Further example pain points include
Pain point analysis provides a strong foundation for creating a “heat map” that prioritizes business impact and risk with respect to privileged access inefficiencies. From here, measurable and targeted migrations can take place.
Simon Moffatt has nearly 25 years' experience in IAM, cyber and identity security. He is founder of The Cyber Hut, a specialist research and advisory firm based in the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.