
Privileged access in cloud-first finance: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: A European investment manager operating globally needed privileged access that was auditable, compliant, and fast enough for cloud-first operations, according to SSH Communications Security. The case shows that legacy PAM assumptions about static infrastructure and slow rollout cycles break down when regulated teams need ephemeral access without added complexity.

NHIMG editorial — based on content published by SSH Communications Security: a case study on cloud-first privileged access for a European investment manager

By the numbers:

Questions worth separating out

Q: How should security teams govern privileged access in cloud-first environments?

A: Security teams should use brokered, auditable access paths that fit ephemeral infrastructure, then layer session recording and least-privilege assignment on top.

Q: When does legacy PAM become a poor fit for modern infrastructure?

A: Legacy PAM becomes a poor fit when it assumes static servers, long deployment cycles, and persistent host software in environments that are actually ephemeral and cloud-driven.

Q: What should organisations look for in privileged access auditability?

A: They should look for a complete chain of evidence: who accessed the system, what was approved, what actions were taken, and how those actions were recorded.

Practitioner guidance

  • Map privileged access to infrastructure lifecycle, not just user roles: Inventory where privileged sessions occur across cloud, data centre, and automation paths, then decide whether each path needs a human session, a service account, or an orchestration identity.
  • Prioritise agentless controls for ephemeral estates: For short-lived systems, avoid access designs that depend on persistent endpoint agents or manual software rollout on every host.
  • Require session recording for all elevated actions: Make evidence collection part of the privileged path so audit teams can reconstruct administrative activity across regions and business units.

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • The deployment sequence from proof of concept to production, including the automation-first rollout path.
  • The specific mix of role-based access control, session recording, and passwordless access used at scale.
  • How the platform was applied across cloud and data centre environments without years-long implementation work.
  • The article's forward-looking extension into automation and DevOps workflows, including Ansible use.

👉 Read SSH Communications Security's case study on cloud-first privileged access →



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 892
 

Legacy PAM assumptions break first in cloud-first regulated finance. This case shows that controls designed around static servers and long deployment cycles do not map cleanly to ephemeral infrastructure or multi-region compliance demands. The discipline problem is not just tool fit, but programme fit: auditability, speed, and operational simplicity have to coexist. Practitioners should treat this as a warning that conventional PAM architectures can become a governance bottleneck.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which keeps delegated access and offboarding gaps hidden.

A question worth separating out:

Q: How do privileged access controls need to change for automation workflows?

A: Automation workflows should be treated as privileged actors with their own scope, approval, and revocation rules. If scripts or orchestration tools can make infrastructure changes, they need traceability and lifecycle governance just like human administrators. Otherwise, the access model stops at the boundary where the real risk begins.

👉 Read our full editorial: Cloud-first privileged access without static credentials or delays
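As an added illustration (not code from SSH Communications Security, from the case study, or from either post above), the Python sketch below puts the properties discussed in both posts into one small broker: grants are short-lived and scoped, elevated scopes need a distinct approver, an automation identity goes through exactly the same request, approval and revocation path as a human administrator, and every decision is written to a hash-chained evidence log that can reconstruct who accessed what, what was approved, and what was done. The principal names, scope labels, TTL cap, event schema and the `AccessBroker` class itself are assumptions made for the example.

```python
"""Illustrative access broker with short-lived, scoped, approved grants and a
hash-chained evidence log. Added example: names, policy values and schema are
assumptions, not any product's or the case study's implementation."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

ELEVATED_SCOPES = {"prod:admin", "prod:db-write"}  # assumed: need a distinct approver
MAX_TTL_SECONDS = 900                               # assumed cap on grant lifetime


@dataclass
class Grant:
    grant_id: str
    principal: str            # human user or automation identity, treated alike
    kind: str                 # "human" or "automation"
    target: str
    scope: str
    approver: Optional[str]
    issued_at: int
    expires_at: int
    revoked: bool = False


class AccessBroker:
    def __init__(self):
        self.grants: dict = {}
        self.log: list = []            # append-only chain of evidence
        self._prev_hash = "0" * 64

    def _record(self, event: dict) -> str:
        """Append an event linked to its predecessor by hash, so a removed or
        edited entry is detectable by verify_chain()."""
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._prev_hash + body).encode()).hexdigest()
        self.log.append({"event": event, "prev": self._prev_hash, "hash": digest})
        self._prev_hash = digest
        return digest

    def request(self, principal, kind, target, scope, ttl, now, approver=None):
        """Issue a grant if policy allows; automation and humans use this path."""
        if ttl > MAX_TTL_SECONDS:
            raise ValueError("ttl exceeds policy cap")
        if scope in ELEVATED_SCOPES and (approver is None or approver == principal):
            self._record({"type": "denied", "principal": principal, "scope": scope, "at": now})
            raise PermissionError("elevated scope requires a distinct approver")
        grant_id = f"g{len(self.grants) + 1}"
        g = Grant(grant_id, principal, kind, target, scope, approver, now, now + ttl)
        self.grants[grant_id] = g
        self._record({"type": "granted", "grant": grant_id, "principal": principal,
                      "kind": kind, "target": target, "scope": scope,
                      "approver": approver, "expires_at": g.expires_at, "at": now})
        return grant_id

    def act(self, grant_id, action, now) -> bool:
        """Record an action under a grant; expired or revoked grants are rejected."""
        g = self.grants.get(grant_id)
        if g is None or g.revoked or now >= g.expires_at:
            self._record({"type": "rejected", "grant": grant_id, "action": action, "at": now})
            return False
        self._record({"type": "action", "grant": grant_id, "principal": g.principal,
                      "target": g.target, "action": action, "at": now})
        return True

    def revoke(self, grant_id, by, now):
        self.grants[grant_id].revoked = True
        self._record({"type": "revoked", "grant": grant_id, "by": by, "at": now})

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered or dropped."""
        prev = "0" * 64
        for entry in self.log:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

    def evidence_for(self, grant_id) -> list:
        """Who, what was approved, what was done, in order, for one grant."""
        return [e["event"] for e in self.log if e["event"].get("grant") == grant_id]


def demo() -> dict:
    """Run one human session and one automation run through the broker.
    All principals, targets and timestamps are constructed for the example."""
    b = AccessBroker()
    t0 = 1_700_000_000
    human = b.request("alice", "human", "db-eu-1", "prod:db-write", 600, t0, approver="bob")
    bot = b.request("deploy-pipeline", "automation", "web-eu-1", "prod:deploy", 300, t0)
    in_window = b.act(human, "apply-migration", t0 + 60)
    after_expiry = b.act(bot, "rollout v2", t0 + 301)       # TTL of 300 s has passed
    b.revoke(human, "bob", t0 + 120)
    after_revoke = b.act(human, "run-backup", t0 + 130)
    try:                                                    # automation self-approving admin
        b.request("deploy-pipeline", "automation", "db-eu-1", "prod:admin", 300, t0)
        elevated_without_approver = True
    except PermissionError:
        elevated_without_approver = False
    chain_ok = b.verify_chain()
    b.log[0]["event"]["principal"] = "someone-else"          # simulate a tampered record
    return {"in_window": in_window, "after_expiry": after_expiry,
            "after_revoke": after_revoke,
            "elevated_without_approver": elevated_without_approver,
            "chain_ok": chain_ok, "tamper_detected": not b.verify_chain(),
            "human_events": [e["type"] for e in b.evidence_for(human)]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the evidence chain, not the host, carries the audit record: an ephemeral server can disappear after the session and the `granted`, `action`, `revoked` and `rejected` entries for that grant still reconstruct the activity, while the approver check applies to an orchestration identity exactly as it does to a person.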


