Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecurityCybersecurity News

Securing multi-cloud environments: Why DIY privilege access management doesn’t work

By Art Poghosyan
cloud-computing-freepik56457.jpg
November 17, 2021


Organizations are moving to multi-cloud environments in droves, largely because the cloud is fast, agile and powerful.  


But is it secure? Inherently — no.  


Just like on-prem, multi-cloud environments have significant security risks that must be addressed if your goal is to supercharge your team’s productivity while keeping your organization and your customer’s data safe. But doing so is no small feat.  


On-prem zero trust typically applied to anyone outside the network – if you were not working inside the network, you were not granted privileged access. The cloud is a different animal. Since there is no network perimeter, and users are often located in various locations across the globe, user identity now defines who has access to what.  


Therefore, if we want to define zero trust for the cloud generation, it is incumbent on us to accept that all users — human and machine IDs alike — must be granted privileged access only when it is necessary. However, most security management teams agree that putting effective privilege access management (PAM) in a multi-cloud environment into practice is extremely difficult. 


Some see this problem and try to build bespoke, in-house solutions. And while we will always applaud when an organization is diligent and innovative, the hard truth is most of the time, the in-house solutions fail. The reasons for failure vary, but the result is always the same: teams lose precious time and resources, and at the end of the day, their environment is still vulnerable to attack.  


Below, we will review why DIY solutions often fail and how organizations can avoid the usual challenges and setbacks. 


Industry leaders consider establishing zero trust in multi-cloud environments essential. Securing accounts without impeding productivity is the goal we all share. In fact, there are plenty of solutions available that secure GSP, Azure, AWS, or any other CSP in an individual capacity. The problem, then, is not securing individual cloud service providers. The problem is how PAM performs in a hybrid environment across all CSP accounts. 


What does a poorly executed DIY solution look like? Typically, there are three signposts: 


1.    An organization lifts and shifts its existing on-prem stack into the cloud. This may seem like a reasonable move, but when it comes to protecting an identity-based perimeter, on-prem stacks are inadequate. 

2.    In many cases, DevOps leads the charge on building the solution. This is also easy to understand as it allows for speed and fluidity. But DevOps focuses on building, not security. This becomes a significant issue when the solution is implemented — it is usually only when the project fails or becomes unmanageable that SecOps is summoned to assist. 

3.    When an organization builds a solution in-house, the solution is, by definition, unique. This means it lacks the typical features of a commercial solution and therefore is prone to increased security vulnerabilities. What’s more, teams have to go it alone — there is no support team to guide them through rough waters. 


Beyond these challenges, organizations need to contend with the prohibitive costs of maintenance and tools, time to value, as well as ensuring teams have the capability and expertise to manage activity cross-cloud. Remember, siloed environments require cloud-specific skillsets. Organizations pursuing DIY solutions need AWS experts, Azure experts, GSP experts, etc., to oversee the day-to-day operations. Overhead soars, logjams proliferate. 


Difficult as the challenges are, there is a way forward.  


Organizations can better establish zero trust by enforcing zero standing privileges (ZSP) and right size privileges from a unified access model across IaaS, PaaS, and SaaS.  


How?


  1. DevOps and SecOps teams must collaborate.
    1. Unity is key to designing a better multi-cloud PAM solution. Leaders must understand what teams need and incorporate those needs from the point of conception. List any recognizable challenges each team faces and determine the best way to overcome them. The goal is not to be blindsided later. If the challenges are insurmountable, seek assistance from a third party to get you across the finish line. 
  2. Learn from others’ mistakes.
    1. Turn to industry colleagues to discern where they went wrong. How much of a hindrance was limited cross-cloud visibility? What prevented them from achieving true zero trust and least privilege access? Did they encounter pushback from DevOps or SecOps teams, and if so, what were their concerns?
  3. Elevate discoverability.
    1. Eliminating standing privileges is predicated on knowing where they are present. Organizations should have a plan to elevate discoverability cross-cloud. How will you manage to monitor and manage user access? What protocols will you follow to ensure users are not left with access if they leave the organization? Determine ways to tighten user access across cloud environments so admins can confidently grant and revoke privileges as necessary.
  4. Enforce Just-In-Time (JIT) permissions.
    1. While many organizations strive to enforce JIT permissions, it is critical to use true JIT if you hope to build a successful multi-cloud PAM solution in-house. This is a steep hill to climb if the technology is not available; after all, if you need to build the technology, it will delay your solution’s time-to-value. But ultimately, you need to be able to grant and revoke permissions on the fly. Determine what’s best for your organization and make sure JIT is a priority.
  5. Build ZSP into your CI/CD process.
    1. Perhaps one of the most difficult and urgent requirements, building ZSP into your CI/CD process can separate a successful multi-cloud PAM and a failure. Taking into account your need to build at the speed of automation, it’s no surprise DevOps teams do not want impediments to productivity. That’s the primary driver when organizations struggle to reign in too many standing privileges: the goal is not to over-privilege accounts but to make sure teams can do their jobs efficiently. However, as users in the cloud multiply and machine IDs proliferate, establishing ZSP is a necessary step in securing CI/CD. You’ll need to establish access requests in your workflows that support both speed and security.


In conclusion, the great migration to the cloud is upon us. But organizations must develop strategies to keep environments secure and productive. Teams hoping to build a multi-cloud PAM solution in-house face significant challenges. In most cases, the bespoke solutions fail. The reasons for failure vary, but it ends with teams losing valuable time, resources, and security. If you are intent on building a multi-cloud PAM solution, follow the recommendations listed above — and do your best to avoid common pitfalls. 

KEYWORDS: cloud security cyber security DevOps risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Art poghosyan
Art Poghosyan is CEO and Co-founder of Britive. Art is an entrepreneur with 20+ years InfoSec experience. Prior to Britive he co-founded leading Identity and Access Management (IAM) consulting company Advancive, acquired by Optiv in 2016. There, he shared the confidence of enterprise execs as they wrangled with protecting growing cloud landscapes.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Logical Security
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Red laptop

Cybersecurity leaders discuss Oracle’s second recent hack

Pills spilled

More than 20,000 sensitive medical records exposed

Coding on screen

Research reveals mass scanning and exploitation campaigns

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cloud security freepik

    5 steps to integrating security into the app development process (without disrupting CI/CD workflows)

    See More
  • cloud-sec-freepik1170x658v98.jpg

    What good is visibility without enforcement?

    See More
  • kubernetes-freepik

    The way forward for Kubernetes security: Eliminate standing privileges

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing