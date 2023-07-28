

New access management tool to focus on the least privileges
by Shweta Sharma
Senior Writer

News
Jul 28, 2023
Cloud Security, Identity and Access Management

ConductorOne’s cloud-based privileged access management product will allow security teams to grant just-in-time access to privileged resources.

Cloud-based identity and access security provider ConductorOne has launched a cloud privileged access management (CPAM) product to help security and IT teams manage permissions and enforce policy for cloud resources.

"Legacy PAM solutions focus on account-centric access control and privileged accounts have high levels of static permissions," said Alex Bovee, co-founder and CEO of ConductorOne. "This is the opposite of a least privilege approach to access management as implemented by cloud PAM."

This is ConductorOne's second product; the first is an identity governance and administration (IGA) offering that automates compliance processes for cloud-based applications.

Agentless deployment enables least privilege

CPAM is delivered as an agentless service for the SaaS and cloud infrastructure tools connected to ConductorOne, and can be used to manage access to cloud infrastructure accounts in AWS, GCP, Azure, Snowflake and similar platforms.

"This solution helps security teams move towards a zero-standing privileges (ZSP) model to prevent identity breaches by automating permissions management for cloud infrastructure and SaaS," Bovee said.

The CPAM capabilities can also be reached through an agent, which applies the same least-privilege access controls to on-premises or non-cloud-native infrastructure such as Active Directory, LDAP, Postgres and Microsoft SQL Server.

"We provide an agent for managing access to hosted infrastructure such as Active Directory and LDAP that is firewalled off from internet connectivity," Bovee said.

CPAM overcomes legacy limitations

Legacy PAM solutions allow privileged accounts to have static, escalated levels of permissions, according to Bovee. "This allows for a number of privileged accounts floating around in a customer environment, many of which may not even be monitored," he added.

With a legacy PAM, Bovee explained, a user checks out a privileged account (obtains its credentials), performs the privileged actions through that account, and then checks it back in, at which point the credential is rotated.

ConductorOne's CPAM addresses the problem of shared identities that no individual user owns, Bovee claimed, by escalating permissions just in time, granting them only when they are needed.

Permissions are escalated directly on the user's own account, which authenticates through single sign-on (SSO).

"The experience is provided through the developer or technical user’s first experiences -- such as a command line interface for escalating permissions and Slack for approving access," Bovee said.

Requests and grants in CPAM are managed through ConductorOne's command-line tool, the "cone" CLI. The service also supports defining access management "as code" through the company's Terraform provider.
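The just-in-time model described above (approval-gated escalation on the user's own identity, time-boxed so nothing has to be checked back in or rotated) can be made concrete with a small broker. The following is an added example and is not ConductorOne's code, the cone CLI, or its Terraform provider; the user names, entitlement label and timestamps are constructed for the demonstration. It goes slightly beyond the article by also flagging legacy-style standing bindings, so the same check can show what a zero-standing-privileges (ZSP) audit is looking for.

```python
"""Minimal just-in-time (JIT) privilege broker illustrating zero standing privileges.
Added example, not ConductorOne code; all identities and labels are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample values used by demo() below.
T0 = datetime(2023, 7, 28, 9, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)
ALICE, BOB = "alice@example.com", "bob@example.com"   # hypothetical users
ENT = "aws:prod:AdministratorAccess"                   # hypothetical entitlement label


@dataclass(frozen=True)
class Grant:
    """A permission bound to a user's own identity, never to a shared checked-out account."""
    principal: str
    entitlement: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing privilege, which a ZSP model forbids
    approved_by: Optional[str]


class JitBroker:
    """Issues approval-gated, time-boxed grants and evaluates them at access time."""

    def __init__(self, approvers: set[str], max_ttl: timedelta) -> None:
        self.approvers = approvers
        self.max_ttl = max_ttl
        self.grants: list[Grant] = []
        self.audit: list[str] = []

    @staticmethod
    def _active(g: Grant, now: datetime) -> bool:
        return g.granted_at <= now and (g.expires_at is None or now < g.expires_at)

    def request(self, principal: str, entitlement: str, ttl: timedelta,
                approver: str, now: datetime) -> Grant:
        """JIT escalation: a grant exists only for an approved, bounded window."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == principal:
            raise PermissionError("self-approval is not allowed")
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}]")
        g = Grant(principal, entitlement, now, now + ttl, approver)
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {principal} {entitlement} "
                          f"until {g.expires_at.isoformat()} approved_by={approver}")
        return g

    def bind_static(self, principal: str, entitlement: str, now: datetime) -> Grant:
        """Legacy pattern: a permanent binding, kept here only so an audit has something to flag."""
        g = Grant(principal, entitlement, now, None, None)
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} STATIC {principal} {entitlement}")
        return g

    def is_allowed(self, principal: str, entitlement: str, now: datetime) -> bool:
        """Effective permission is computed at check time, so expiry needs no cleanup job."""
        return any(g.principal == principal and g.entitlement == entitlement
                   and self._active(g, now) for g in self.grants)

    def revoke(self, principal: str, entitlement: str, now: datetime) -> int:
        """Cut active grants short (work finished early). Returns how many were revoked."""
        revoked, updated = 0, []
        for g in self.grants:
            if g.principal == principal and g.entitlement == entitlement and self._active(g, now):
                updated.append(Grant(g.principal, g.entitlement, g.granted_at, now, g.approved_by))
                revoked += 1
            else:
                updated.append(g)
        self.grants = updated
        if revoked:
            self.audit.append(f"{now.isoformat()} REVOKE {principal} {entitlement} n={revoked}")
        return revoked

    def standing_privileges(self) -> list[Grant]:
        """Grants with no expiry; under zero standing privileges this must be empty."""
        return [g for g in self.grants if g.expires_at is None]


def demo() -> dict:
    """One JIT escalation on the user's own identity, plus one legacy static binding."""
    broker = JitBroker(approvers={BOB}, max_ttl=4 * ONE_HOUR)
    before = broker.is_allowed(ALICE, ENT, T0)                 # no standing access
    broker.request(ALICE, ENT, ONE_HOUR, approver=BOB, now=T0)
    during = broker.is_allowed(ALICE, ENT, T0 + ONE_HOUR / 2)  # inside the window
    after = broker.is_allowed(ALICE, ENT, T0 + ONE_HOUR)       # expired, nothing to rotate
    try:
        broker.request(ALICE, ENT, ONE_HOUR, approver=ALICE, now=T0)
        self_approval_rejected = False
    except PermissionError:
        self_approval_rejected = True
    broker.bind_static("svc-admin", ENT, T0)                   # the legacy pattern
    standing = [g.principal for g in broker.standing_privileges()]
    return {"before": before, "during": during, "after": after,
            "self_approval_rejected": self_approval_rejected, "standing": standing}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `is_allowed` evaluates the window at request time rather than relying on a scheduled job to strip permissions, and every grant carries the approver and the principal's own identity, so the audit trail answers who held what, when, and who approved it; `standing_privileges` is the check a reviewer runs to confirm the ZSP posture actually holds.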

