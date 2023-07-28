Cloud-based identity and access security provider ConductorOne has launched a new cloud privileged access management (CPAM) product to help security and IT teams manage permissions and enforce policy for cloud resources.

“Legacy PAM solutions focus on account-centric access control, and privileged accounts have high levels of static permissions,” said Alex Bovee, co-founder and CEO of ConductorOne. “This is the opposite of a least privilege approach to access management as implemented by cloud PAM.”

This is ConductorOne’s second product; the first was an identity governance and administration (IGA) offering that automates compliance processes for cloud-based applications.

Agentless deployment enables least privilege

CPAM is an agentless, cloud-based service that covers every SaaS and cloud infrastructure tool connected to ConductorOne. It can manage access to cloud infrastructure accounts in AWS, GCP, Azure, Snowflake and others.

“This solution helps security teams move towards a zero-standing privileges (ZSP) model to prevent identity breaches by automating permissions management for cloud infrastructure and SaaS,” Bovee said.

CPAM’s capabilities can also be delivered through an agent, which applies the same least privilege access controls to on-premises or non-cloud-native infrastructure such as Active Directory, LDAP, Postgres and Microsoft SQL Server.

“We provide an agent for managing access to hosted infrastructure such as Active Directory and LDAP that is firewalled off from internet connectivity,” Bovee said.

CPAM overcomes legacy limitations

Legacy PAM solutions allow privileged accounts to hold static, escalated levels of permissions, according to Bovee. “This allows for a number of privileged accounts floating around in a customer environment, many of which may not even be monitored,” he added.

In the legacy model, a user checks out a privileged account (that is, obtains its credentials) in order to perform privileged actions through that account, Bovee explained. Once the work is done, the user checks the account back in and the credential is rotated.

The underlying problem is that these are shared identities not owned by the user. ConductorOne’s CPAM addresses this, Bovee claimed, by escalating permissions just in time: they are granted only when they are needed.

Permissions are escalated on the user’s own account, which authenticates via single sign-on (SSO), rather than on a shared privileged account.

“The experience is provided through the developer or technical user's first experiences — such as a command line interface for escalating permissions and Slack for approving access,” Bovee said.

Permissions and access requests in CPAM are managed through ConductorOne’s command-line tool, the “cone” CLI. The service also allows access management to be defined “as code” using the company’s Terraform provider.