TL;DR: Legacy PAM built around static credentials, manual onboarding, and rigid architectures does not match Kubernetes-orchestrated and multi-cloud environments, according to SSH Communications Security. The practical shift is toward ephemeral, just-in-time access and automated policy updates that reduce standing privilege and operational drift.
NHIMG editorial — based on content published by SSH Communications Security: cloud-native privileged access management for Kubernetes and multi-cloud access control
Questions worth separating out
Q: How should security teams control privileged access in Kubernetes and multi-cloud environments?
A: Use short-lived, task-scoped access instead of persistent secrets, and automate entitlement changes from infrastructure events.
Q: Why do static credentials create more risk in cloud-native infrastructure?
A: Static credentials outlive the workload and the task, which creates a larger window for theft, reuse, and lateral movement.
Q: How do organisations know if privileged access governance is keeping up with hybrid cloud change?
A: Look for access that updates automatically when workloads are discovered, scaled, or decommissioned.
Practitioner guidance
- Map privileged access to workload lifecycle events: trigger access assignment, renewal, and removal from workload discovery and orchestration events so permissions follow the actual runtime state of clusters, pods, and cloud hosts.
- Replace long-lived SSH keys with short-lived certificates: use ephemeral certificates for administrative sessions and ensure the credential expires when the task ends, not when a human remembers to rotate it.
- Automate RBAC updates across hybrid estates: sync role and tag-based policy changes to new cloud instances, namespaces, and Kubernetes nodes so access does not lag behind the infrastructure it protects.
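The three guidance points above, and the "does access update automatically when workloads are discovered, scaled, or decommissioned" check from the Q&A, can be shown as one small reconciler. The code below is an added illustration written for this post; it is not SSH Communications Security's or PrivX's code. The event names (`discovered`, `scaled`, `decommissioned`), the grant record shape, the role names and the one-hour TTL ceiling are all assumptions. Grants are bound to a workload and a TTL, a reconcile pass revokes anything whose workload is gone or whose TTL has lapsed, and `standing_privilege()` is the audit check that flags access that has outlived the infrastructure it was issued for.

```python
"""Added example: lifecycle-driven, time-bounded access grants (constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_GRANT_TTL = timedelta(hours=1)  # assumed policy ceiling for any single grant


@dataclass
class Grant:
    principal: str      # human or service account receiving access
    workload: str       # cluster/namespace/pod or cloud host the grant targets
    role: str           # assumed role label, e.g. "admin-session"
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False
    reason: str = ""

    def active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class AccessReconciler:
    """Keeps entitlements in step with the workload inventory."""

    def __init__(self) -> None:
        self.workloads: Dict[str, int] = {}   # workload id -> replica count
        self.grants: List[Grant] = []

    def handle_event(self, kind: str, workload: str, replicas: int = 1) -> None:
        # Orchestration events drive the inventory; event names are assumed.
        if kind in ("discovered", "scaled"):
            self.workloads[workload] = replicas
        elif kind == "decommissioned":
            self.workloads.pop(workload, None)
        else:
            raise ValueError(f"unknown event kind: {kind}")

    def grant(self, principal: str, workload: str, role: str,
              now: datetime, ttl: timedelta) -> Grant:
        if workload not in self.workloads:
            raise PermissionError(f"{workload} is not a known workload")
        ttl = min(ttl, MAX_GRANT_TTL)  # a requested week still becomes one hour
        g = Grant(principal, workload, role, now, now + ttl)
        self.grants.append(g)
        return g

    def reconcile(self, now: datetime) -> List[Grant]:
        """Revoke grants whose workload is gone or whose TTL has elapsed."""
        revoked = []
        for g in self.grants:
            if g.revoked:
                continue
            if g.workload not in self.workloads:
                g.revoked, g.reason = True, "workload decommissioned"
                revoked.append(g)
            elif now >= g.expires_at:
                g.revoked, g.reason = True, "ttl elapsed"
                revoked.append(g)
        return revoked

    def standing_privilege(self, now: datetime) -> List[Grant]:
        """Audit check: active grants with no live workload behind them.
        A non-empty result means access is lagging the infrastructure."""
        return [g for g in self.grants
                if g.active(now) and g.workload not in self.workloads]


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    r = AccessReconciler()
    r.handle_event("discovered", "prod/payments", replicas=3)
    r.handle_event("discovered", "prod/batch-job")
    a = r.grant("alice", "prod/payments", "admin-session", t0, timedelta(minutes=30))
    b = r.grant("ci-runner", "prod/batch-job", "deploy", t0, timedelta(days=7))

    # The batch job finishes and is torn down ten minutes later; until the
    # next reconcile pass its grant is standing privilege with no workload.
    r.handle_event("decommissioned", "prod/batch-job")
    t1 = t0 + timedelta(minutes=10)
    drift = r.standing_privilege(t1)
    revoked_1 = r.reconcile(t1)

    # alice's session grant lapses on its own once its 30-minute TTL passes.
    t2 = t0 + timedelta(minutes=31)
    revoked_2 = r.reconcile(t2)
    return {
        "b_ttl_seconds": int((b.expires_at - b.issued_at).total_seconds()),
        "drift_before_reconcile": [g.principal for g in drift],
        "revoked_first_pass": [(g.principal, g.reason) for g in revoked_1],
        "revoked_second_pass": [(g.principal, g.reason) for g in revoked_2],
        "active_after": [g.principal for g in r.grants if g.active(t2)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real estate the `handle_event` calls would be fed by cluster or cloud inventory (informers, tag sync, CMDB hooks) and `reconcile` would run on a schedule; the point the toy makes is that the window between a workload disappearing and its access disappearing is exactly what `standing_privilege` measures, and that a TTL ceiling stops a "just for the pipeline" grant from quietly becoming a week-long one.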
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- How its PrivX approach handles ephemeral certificates, session access, and workload-driven privilege.
- Implementation detail on integrating access policy with Active Directory, LDAP, OIDC, and SCIM.
- Operational considerations for Kubernetes, Docker, Helm, and CI/CD pipeline deployment.
- Architecture notes on horizontal scaling, high availability, and agentless operation.
👉 Read SSH Communications Security's analysis of cloud-native privileged access control →
Kubernetes and multi-cloud PAM: are static credentials the real gap?
Explore further
Legacy PAM assumptions fail when infrastructure is elastic. Static onboarding, manual credential handling, and fixed administrative paths were designed for systems that stay put long enough to be reviewed. That assumption fails in Kubernetes and hybrid cloud because the object being governed may exist for minutes, not days. The implication is that access governance has to shift from asset-centric administration to runtime identity control.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, which is why cloud-native access governance remains uneven.
A question worth separating out:
A: Accountability sits with the identity, platform, and operations owners together, because the failure is usually a shared governance gap. Access that persists after workload change indicates missing lifecycle control, weak automation, or both. Frameworks such as Zero Trust and NIST CSF expect continuous control, not delayed clean-up.
👉 Read our full editorial: Cloud-native PAM for Kubernetes and multi-cloud access control