What Is Privileged Access Management (PAM)?
What is Privileged Access?
Privileged access means computer access with higher access rights than those of a standard user in an enterprise. Typically, privileged access is used to maintain, upgrade and configure critical IT infrastructures, servers, applications and databases. Examples include root access, Administrator access, or access to service accounts. Sometimes any access to the command line on a server is considered privileged access, as most enterprise users are only allowed to use applications through their user interface.
Some privileged accounts are operating system accounts with command-line access; other privileged accounts are application accounts with higher privileges (e.g., accounts that can change the configuration of an application).
With privileged accounts, privileged users can access highly valuable targets like the company network infrastructure, medical records, credit card databases, software production environments or government secrets. Typically a privileged user has access to one or more privileged accounts.
Privileged access may also be obtained through other means. For example, a user with physical access to a computer can usually reboot the computer from a DVD or USB memory stick and perform any desired operations on the computer. Thus, users with physical access may also sometimes be considered privileged users.
As operations in all industries are becoming digitalized and secure remote access is more commonplace, new targets that are considered privileged have emerged. These include industrial control systems (ICS) in operational technology, network switches in IT environments and access to company customer relationship management (CRM) databases. The accounts allowing access to such targets are considered privileged as well.
What Is Privileged Access Management?
Privileged access management (PAM) is used to mitigate the threats of credential theft and privilege misuse. PAM as a concept is an important part of a cybersecurity strategy; its purpose is to control, track, secure and audit all human and non-human (interactive and automated) privileged identities and activities in an enterprise IT environment.
PAM is a subfield of Identity and Access Management (IAM).
Sometimes referred to as privileged identity management (PIM) or privileged access security (PAS), PAM is grounded in the principle of least privilege, wherein users only receive the minimum levels of access required to perform their job functions. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. By enforcing the principle of least privilege, organizations can reduce the attack surface and mitigate the risk from malicious insiders or external cyber attacks that can lead to costly data breaches.
Privileged access management typically includes definition of roles for users and granting required privileges, or access rights, for those roles. It also includes distributing the user information and access grants to all the devices and systems that enforce access rights in the organization. Furthermore, it usually includes monitoring what privileged users actually do and analyzing their activities to detect anomalies.
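The three parts just listed (defining roles with the minimum rights a job needs, mapping users to those roles through existing directory groups, and monitoring what privileged users actually do) can be shown in a few dozen lines. The following is an added example, not code from the page or from any PAM product; the role names, directory groups, hosts and anomaly rules are constructed for illustration.

```python
"""Added example: a minimal role-based privileged access model.
Roles carry the least privilege a job needs, users get roles via
(constructed) directory groups, every request is audited, and the
audit log is scanned for simple anomalies."""
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime

# Roles: the minimum set of (host-pattern, permission) pairs a job function needs.
ROLES = {
    "db-admin": {("db-*", "shell"), ("db-*", "sudo")},
    "web-deployer": {("web-*", "shell"), ("web-*", "restart-service")},
    "auditor": {("*", "read-logs")},
}

# Directory group -> role mapping (constructed; stands in for AD/LDAP groups).
GROUP_TO_ROLE = {
    "CN=DBA,OU=IT": "db-admin",
    "CN=WebOps,OU=IT": "web-deployer",
    "CN=SecAudit,OU=Sec": "auditor",
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    host: str
    permission: str
    granted: bool


@dataclass
class PAM:
    user_groups: dict                      # user -> list of directory groups
    log: list = field(default_factory=list)

    def roles_for(self, user):
        """Roles follow from directory membership; nothing is granted per user by hand."""
        return {GROUP_TO_ROLE[g] for g in self.user_groups.get(user, []) if g in GROUP_TO_ROLE}

    def is_allowed(self, user, host, permission):
        """Least privilege: allow only if some role of the user grants this permission on this host."""
        for role in self.roles_for(user):
            for pattern, perm in ROLES[role]:
                if perm == permission and fnmatch.fnmatch(host, pattern):
                    return True
        return False

    def request(self, user, host, permission, when):
        """Every privileged request, granted or denied, is recorded for audit."""
        granted = self.is_allowed(user, host, permission)
        self.log.append(AuditEvent(when, user, host, permission, granted))
        return granted


def find_anomalies(log, office_hours=(8, 18), max_denied=2):
    """Flag granted privileged activity outside office hours and users with repeated denials."""
    findings = []
    denied = {}
    for ev in log:
        if ev.granted and not (office_hours[0] <= ev.when.hour < office_hours[1]):
            findings.append(f"off-hours {ev.permission} on {ev.host} by {ev.user} at {ev.when:%H:%M}")
        if not ev.granted:
            denied[ev.user] = denied.get(ev.user, 0) + 1
    for user, n in denied.items():
        if n >= max_denied:
            findings.append(f"{n} denied privileged requests by {user}")
    return findings


def demo():
    """Constructed scenario: a DBA, a web operator, and one off-hours session."""
    pam = PAM(user_groups={"alice": ["CN=DBA,OU=IT"], "bob": ["CN=WebOps,OU=IT"]})
    day = datetime(2024, 1, 15, 10, 0)
    night = datetime(2024, 1, 15, 2, 30)
    results = [
        pam.request("alice", "db-prod-01", "sudo", day),               # granted by db-admin role
        pam.request("bob", "db-prod-01", "sudo", day),                 # denied: not in bob's role
        pam.request("bob", "web-prod-02", "restart-service", day),     # granted by web-deployer role
        pam.request("bob", "db-prod-01", "shell", day),                # denied again
        pam.request("alice", "db-prod-01", "shell", night),            # granted, but off-hours
    ]
    return results, find_anomalies(pam.log)


if __name__ == "__main__":
    decisions, anomalies = demo()
    print("decisions:", decisions)
    for finding in anomalies:
        print("anomaly:", finding)
```

The access decision never consults the user directly, only the roles derived from group membership, which is what makes de-provisioning a matter of removing one group entry. The anomaly rules are deliberately simple; a real deployment would feed the same audit events into a SIEM.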
PAM Links to Insider Risk and Vendor Risk
Users with privileged access are typically insiders in the organization. They include system administrators, database administrators, developers, architects, application owners, and IT managers. Most privileged users are insiders who already have access to the organization and its systems. Statistically, most cybercrimes are perpetrated by or assisted by insiders. Thus, controlling and monitoring privileged access reduces insider risk.
Many external vendors and outsourcing partners also have access to critical systems and data. For example, Edward Snowden was a contractor to the US government. In the famous Target breach, the hackers used an HVAC contractor as a stepping stone to get to their actual target. There are also recent examples of high-impact breaches involving privileged passwords. It is common for IT administration to be contracted to offshore outsourcing partners. Controlling and monitoring privileged access is an important part of reducing vendor risk.
Traditional Privileged Access Management
The traditional approach to privileged access management has been to automatically change the passwords for privileged accounts several times per day, and store the passwords in a password vault. A jump server or client software is then used to authenticate the user, obtain the current password from the vault, and login to the target server. Alternatively, a web portal may be provided for obtaining the current password for the target account and displaying it to the user. The password would typically be valid for a fixed period, such as one hour, or until expressly released by the user.
Analyst evaluations of PAM have likewise centered on the traditional approach, comparing products on password rotation, password vaulting and similar features. The next generation needs none of this; it solves privileged access management differently.
Traditional Privileged Access Management in the Cloud
PAM deployments are notoriously difficult. Read, for example, http://security-architect.com/privileged-account-management-pam-is-very-important-but-deploying-it-stinks/.
The traditional approach changes the way system administrators work and many administrators hate it. It also requires substantial infrastructure, with some large organizations reportedly needing over a hundred vaults/jump servers to scale to their infrastructure. Password vaults become a single point of failure. For automation, every script has to be changed to obtain the password from a vault.
The traditional approach also does not scale into cloud, containers, and particularly elastically scaling computing environments. It becomes very cumbersome to implement password vaulting when computing instances go up and down as needed and often only live for a few seconds.
Furthermore, the traditional approach often requires installing (and patching!) software on servers and clients. This is costly and resource-intensive.
What to look for in new Privileged Access Management
New technology has made it possible to implement privileged access management without password vaulting and without new software or agents installed on servers or clients. This substantially speeds up deployment, reduces overhead, and helps scale to cloud and elastic environments.
A truly modern and future-proof Privileged Access Management is built for multi-cloud needs and agile architectures. It is designed for elastic cloud environments from the start. It gets rid of passwords, password vaulting, and password rotation. Deployment becomes far easier and faster. The total project cost is greatly reduced, and time to full deployment easily drops by a factor of ten.
PAM without password vaults and password rotation...
Next-gen PAM uses short-lived ephemeral certificates, invisible to the end user, to enable access over secure SSH and RDP connections. Your privileged users get one-click access through a jump host to the right cloud hosts via SSO, with optional MFA. This approach is passwordless and keyless: access is granted just in time for authentication, and the authorization to the target expires automatically, leaving no keys or passwords behind to manage, forget or lose.
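To make the "granted just in time, expires automatically" lifecycle concrete, here is an added example (not code from the page or from any vendor) that simulates it with the Python standard library. A certificate authority issues a credential bound to a user, a target host, the account to run as, and a short validity window; the target host checks the signature, the binding and the clock before admitting the session. Real SSH and RDP certificate systems use asymmetric CA signatures; the HMAC here is a labelled stand-in so the block runs offline, and the secret, hosts and names are constructed.

```python
"""Added example: issue and verify a short-lived access certificate.
HMAC stands in for an asymmetric CA signature so this runs with the
standard library only; nothing long-lived is ever handed to the user."""
import hashlib
import hmac
import json
import time

CA_SECRET = b"constructed-ca-secret-do-not-reuse"  # stands in for the CA private key


def issue_certificate(user, principal, target_host, ttl_seconds, now=None):
    """Issue a certificate valid for ttl_seconds from now (or from the given clock value)."""
    now = time.time() if now is None else now
    payload = {
        "user": user,
        "principal": principal,          # the account the session will run as
        "host": target_host,             # the certificate is useless elsewhere
        "valid_after": int(now),
        "valid_before": int(now) + ttl_seconds,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(CA_SECRET, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_certificate(cert, host, requested_principal, now=None):
    """Host-side check: signature first, then host/principal binding, then validity window."""
    now = time.time() if now is None else now
    body = json.dumps(cert["payload"], sort_keys=True).encode()
    expected = hmac.new(CA_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return False, "bad signature"
    p = cert["payload"]
    if p["host"] != host:
        return False, "certificate not issued for this host"
    if p["principal"] != requested_principal:
        return False, "principal not authorized"
    if not (p["valid_after"] <= now < p["valid_before"]):
        return False, "certificate expired or not yet valid"
    return True, "ok"


def demo():
    """Constructed scenario: a ten-minute certificate exercised in and out of its window."""
    t0 = 1_700_000_000                     # fixed clock so results are reproducible
    cert = issue_certificate("alice", "root", "db-prod-01", ttl_seconds=600, now=t0)
    results = {
        "in_window": verify_certificate(cert, "db-prod-01", "root", now=t0 + 60),
        "wrong_host": verify_certificate(cert, "web-prod-02", "root", now=t0 + 60),
        "wrong_principal": verify_certificate(cert, "db-prod-01", "postgres", now=t0 + 60),
        "expired": verify_certificate(cert, "db-prod-01", "root", now=t0 + 601),
    }
    # A user who edits the expiry to keep access past the window breaks the signature.
    tampered = dict(cert, payload=dict(cert["payload"], valid_before=t0 + 86400))
    results["tampered"] = verify_certificate(tampered, "db-prod-01", "root", now=t0 + 3600)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16s} {'allow' if ok else 'deny':5s} {reason}")
```

The contrast with the vault model described earlier is in what is left over after the session: a checked-out password is a reusable secret that must be rotated, whereas the certificate above is worthless once `valid_before` passes, and it only ever worked for one host and one principal.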
...except when you still need them in privileged access.
The reality is that going passwordless and keyless is not possible overnight. Customers have legacy environments that require key management, password vaulting and rotation. For this reason, next-gen PAM needs to be hybrid and support various credential management methods. It allows customers to manage access to their legacy critical infrastructure while migrating to more modern access approaches as they modernize their applications.
Privileged 3rd-party access centralized
Agile business units need to grant all types of secure access to critical resources: permanent, temporary, internal and external. With PrivX, all your sessions are granted, secured and controlled through one, centralized system. Say goodbye to backdoors and rogue keys.
PAM for Multi-cloud, hybrid cloud and on-prem
Next-gen PAM software makes managing privileged user access scalable, lean and rapid to deploy to multi-cloud and hybrid environments. Administrators enjoy role-based access control (RBAC) and re-use of existing AD/LDAP groups to automate access provisioning. Users make 1-click SSH or RDP connections from their browser, without sharing credentials, using SSH keys or password vaults. No need to install anything on the client or the server.
Autodiscover global cloud instances with PAM
A next-gen PAM solution comes with an auto-discovery feature that continuously scans your environment for all available cloud hosts across all regions. Your admins get a single pane of glass to cloud hosts. Your developers always know which host they can access.
Save valuable time on deploying privileged access management
Installation, deployment and configuration of future-proof PAM only takes a day. After that, maintenance work is lightweight and straightforward. Don’t worry about dedicating a team to handle a high-cost, high-maintenance product: the PAM solution leaves no footprint in your environment and updates automatically.
Integrate PAM with AD, LDAP & IDaaS
Next-gen PAM helps you avoid duplicate work. You use your existing user identities from your AD/LDAP and the solution fetches user groups for you automatically. It’s not like basic PAMs where you have to duplicate your users manually or worry about keeping two separate systems up-to-date!