Privileged Access Management (PAM): Next Generation
ContentsWhat is Privileged Access? What Is Privileged Access Management? Relationship to Insider Risk and Vendor Risk Traditional Privileged Access Management Traditional PAM Stinks, Especially in the Cloud What to look for in new Privileged Access Management No more password vaults and password rotation NO CREDENTIALS TO FORGET, LOSE OR STORE 3rd & Nth PARTY ACCESS CENTRALIZED Multi-cloud, hybrid cloud and on-prem Autodiscover global cloud instances Save valuable time on deployment Integrate with AD, LDAP & IdaaS
What is Privileged Access?
Privileged access means computer access with higher access rights, generally root access, Administrator access, or access to service accounts. Sometimes any access to the command line on a server is considered privileged access, as most enterprise users are only allowed to use applications through their user interface.
A privileged account is a user account that has higher privileges than other accounts. It is an account that has privileged access in some sense. Some privileged accounts are operating system accounts with command-line access; other privileged accounts are application accounts with higher privileges (e.g., accounts that can change the configuration of an application).
A privileged user is a user with higher access to an organization's information systems than other users. Typically a privileged user has access to one or more privileged accounts.
Privileged access may also be obtained through other means. For example, a user with physical access to a computer can usually reboot the computer from a DVD or USB memory stick and perform any desired operations on the computer. Thus, users with physical access may also sometimes be considered privileged users.
What Is Privileged Access Management?
Privileged access management (PAM) refers to systems and processes for giving organizations better control and monitoring capability into who can gain privileged access to the computer or information system. It is a subfield of Identity and Access Management (IAM).
Privileged access management typically includes definition of roles for users and granting required privileges, or access rights, for those roles. It also includes distributing the user information and access grants to all the devices and systems that enforce access rights in the organization. Furthermore, it usually includes monitoring what privileged users actually do and analyzing their activities to detect anomalies.
Relationship to Insider Risk and Vendor Risk
Users with privileged access are typically insiders in the organization. They include system administrators, database administrators, developers, architects, application owners, and IT managers. Most privileged users are insiders who already have access to the organization and its systems. Statistically, most cybercrimes are perpetrated by or assisted by insiders. Thus, controlling and monitoring privileged access reduces insider risk.
Many external vendors and outsourcing partners also have access to critical systems and data. For example, Edward Snowden was a contractor to the US government. In the famous Target breach, the hackers used an HVAC contractor as a stepping stone to get to their actual target. It is common for IT adminstration to be contracted to offshore outsourcing partners. Controlling and monitoring privileged access is an important part of reducing vendor risk.
Traditional Privileged Access Management
The traditional approach to privileged access management has been to automatically change the passwords for privileged accounts several times per day, and store the passwords in a password vault. A jump server or client software is then used to authenticate the user, obtain the current password from the vault, and login to the target server. Alternatively, a web portal may be provided for obtaining the current password for the target account and displaying it to the user. The password would typically be valid for a fixed period, such as one hour, or until expressly released by the user.
The traditional analyst worldview on PAM has been on the traditional approach. They compare products based on their password rotation, password vaulting, etc features. But the next generation needs none of this. It solves privileged access management differently.
Traditional PAM Stinks, Especially in the Cloud
PAM deployments are notoriously difficult. Read, for example, http://security-architect.com/privileged-account-management-pam-is-very-important-but-deploying-it-stinks/.
The traditional approach changes the way system administrators work and many administrators hate it. It also requires substantial infrastructure, with some large organizations reportedly needing over a hundred vaults/jump servers to scale to their infrastructure. Password vaults become a single point of failure. For automation, every script has to be changed to obtain the password from a vault.
The traditional approach also does not scale into cloud, containers, and particularly elastically scaling computing environments. It becomes very cumbersome to implement password vaulting when computing instances go up and down as needed and often only live for a few seconds.
Furthermore, the traditional approach often requires installing (and patching!) software on servers and clients. This is costly and resource-intensive.
What to look for in new Privileged Access Management
New technology has made it possible to implement privileged access management without password vaulting and without new software or agents installed on servers or clients. This substantially speeds up deployment, reduces overhead, and helps scale to cloud and elastic environments.
PrivX Lean Privileged Access Management for multi-cloud is the first Next Generation PAM. It is designed for elastic cloud environments from the start. It gets rid of passwords, password vaulting, and password rotation. Deployment becomes way easier and faster. The total project cost is greatly reduced, and time to full deployment easily drops by a factor of ten.
No more password vaults and password rotation
PrivX uses short-lived ephemeral certificates, invisible to the end-user, to enable access over secure SSH and RDP connections. Your people get one-click jump host to the right cloud hosts via SSO and with optional MFA from.
NO CREDENTIALS TO FORGET, LOSE OR STORE
People forget their credentials, leave them lying around or admins forget or lose track of who can access which host. In PrivX, users establish a secure connection without credentials. No need to worry about lost passwords, no need to rotate credentials, no need to store them in a vault that’s a target for attacks.
3rd & Nth PARTY ACCESS CENTRALIZED
Agile business units need to grant all types of secure access to critical resources: permanent, temporary, internal and external. With PrivX, all your sessions are granted, secured and controlled through one, centralized system. Say goodbye to backdoors and rogue keys.
Multi-cloud, hybrid cloud and on-prem
PrivX software makes managing privileged user access scalable, lean and rapid to deploy to multi-cloud and hybrid. Administrators enjoy role-based access control (RBAC) and re-use of existing AD/LDAP groups to automate access provisioning. Users make 1-click SSH or RDP connections from their browser –without sharing credentials, using SSH keys or password vaults. No need to install anything on the client or the server.
Autodiscover global cloud instances
PrivX comes with an auto-discovery feature that automatically scans your environment for all the available cloud hosts at all times from all regions. Your admins get a single pane of glass to cloud hosts. Your developers always know which host they can access.
Save valuable time on deployment
Installation, deployment and configuration of PrivX only takes a day. After that, maintenance work is lightweight and straightforward. Don’t worry about dedicating a team to handle a high-cost, high-maintenance product: PrivX leaves no footprint in your environment and updates automatically.
Integrate with AD, LDAP & IdaaS
PrivX helps you avoid duplicate work. You use your existing user identities from your AD/LDAP and PrivX fetches user groups for you automatically. It’s not like PAM where you have to duplicate your users manually or worry about keeping two separate systems up-to-date!
Try how the Lean Privileged Access Management works in your browser without installing anything