PEDM - Privilege Elevation and Delegation Management
What is Privilege Elevation and Delegation Management (PEDM)?
Privilege Elevation and Delegation Management (PEDM) solutions are a class of privileged access management (PAM) solutions that are designed to grant user access to privileged corporate environments on a granular basis.
In 2017, analysts at Gartner divided the PAM market into two primary solution groups: Privileged Account and Session Management (PASM) and PEDM. PEDM solutions aim to improve upon the limitations of PASM solutions, which offer temporary admin access on an “all-or-nothing” basis.
What problem does PEDM solve?
On occasion, a user may need temporary access to secure IT resources that they typically would not have access to. On these occasions, organizations need a way to grant and then immediately revoke that access, because even a temporary admin account is just as much at risk of being stolen or compromised as a full admin account would be.
PASM solutions typically grant temporary admin access via a password vault. The vault grants the user access to the required server, and then logs all of their activity during that admin session for monitoring purposes. Once the session is done, the admin access is revoked.
The problem with PASM solutions is that they typically grant access on an “all-or-nothing” basis, so the temporary admin would be able to access everything on the target server, including applications or scripts the user doesn't actually need or should be prohibited from accessing. If those temporary credentials were compromised, a bad actor would have unfettered access to the target server for as long as the session stayed open.
PEDM seeks to solve this challenge by eliminating the need for admin accounts and granting access to secure resources on a more granular basis.
How PEDM works
PEDM solutions typically aim to eliminate admin accounts altogether, instead allowing sysadmins to operate with regular user accounts. Sysadmins are granted admin privileges only to the individual applications, scripts or tasks that they need to manage. As a result, it’s easier for organizations to reduce or eliminate the number of accounts within their network that have any sort of admin access, which reduces the attack surface and the risk of external threats or human error.
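The following is an added example, not code from the original page or from any PEDM vendor. It models the difference described above in a small, self-contained policy evaluator: an all-or-nothing session grant (the PASM vault pattern) is compared with a per-task grant (the PEDM pattern), and both are subject to expiry and immediate revocation. The user names, command paths and script names are constructed for illustration only.

```python
"""Toy per-task elevation policy (constructed example, not any vendor's PEDM product)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Sequence, Tuple


@dataclass
class Grant:
    """A time-limited permission for one user to run specific commands with elevated rights."""
    user: str
    commands: Tuple[str, ...]   # exact command lines or glob patterns; ("*",) means all-or-nothing
    expires_at: datetime
    revoked: bool = False

    def covers(self, command: str) -> bool:
        return any(fnmatchcase(command, pattern) for pattern in self.commands)


class ElevationPolicy:
    """Holds elevation grants and evaluates whether a given command may run elevated."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def grant(self, user: str, commands: Sequence[str], ttl: timedelta, now: datetime) -> Grant:
        g = Grant(user=user, commands=tuple(commands), expires_at=now + ttl)
        self._grants.append(g)
        return g

    def revoke(self, grant: Grant) -> None:
        # Revocation takes effect on the next evaluation; no waiting for the session to end.
        grant.revoked = True

    def is_allowed(self, user: str, command: str, now: datetime) -> Tuple[bool, str]:
        """Return (decision, reason); the reason is what an audit log would record."""
        for g in self._grants:
            if g.user != user or g.revoked or now >= g.expires_at:
                continue
            if g.covers(command):
                return True, f"matched grant {g.commands}, valid until {g.expires_at.isoformat()}"
        return False, "no active grant covers this command"


def demo() -> Dict[str, bool]:
    """Evaluate a PASM-style and a PEDM-style grant against the same requests (constructed data)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = ElevationPolicy()

    # All-or-nothing temporary admin session, as a password vault would hand out.
    policy.grant("alice", ["*"], timedelta(hours=1), t0)
    # Granular grant: only the two tasks this sysadmin actually needs (hypothetical paths).
    task_grant = policy.grant(
        "bob",
        ["/usr/bin/systemctl restart nginx", "/opt/scripts/rotate-logs.sh *"],
        timedelta(hours=1),
        t0,
    )

    r: Dict[str, bool] = {}
    r["pasm_restart_nginx"] = policy.is_allowed("alice", "/usr/bin/systemctl restart nginx", t0)[0]
    # Stolen all-or-nothing credentials reach everything on the host, including a shell.
    r["pasm_shell"] = policy.is_allowed("alice", "/bin/bash", t0)[0]
    r["pedm_restart_nginx"] = policy.is_allowed("bob", "/usr/bin/systemctl restart nginx", t0)[0]
    r["pedm_rotate_logs"] = policy.is_allowed("bob", "/opt/scripts/rotate-logs.sh /var/log/nginx", t0)[0]
    # The same theft against a per-task grant yields nothing outside the listed tasks.
    r["pedm_shell"] = policy.is_allowed("bob", "/bin/bash", t0)[0]
    # Time-boxing: the grant lapses on its own after the TTL.
    r["pedm_after_expiry"] = policy.is_allowed(
        "bob", "/usr/bin/systemctl restart nginx", t0 + timedelta(hours=2))[0]
    # Immediate revocation inside the window.
    policy.revoke(task_grant)
    r["pedm_after_revoke"] = policy.is_allowed(
        "bob", "/usr/bin/systemctl restart nginx", t0 + timedelta(minutes=5))[0]
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the comparison is the `pasm_shell` versus `pedm_shell` rows: both users hold live credentials at the same moment, but only the all-or-nothing grant turns a credential theft into full control of the host. Expiry and revocation apply to both kinds of grant, so the granularity of `commands` is what limits the blast radius rather than the session length.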