Privileged Access Management: Next Generation
What is Privileged Access?
Privileged access means access to a computer or information system with rights beyond those of an ordinary user: typically root access, Administrator access, or the use of service accounts. In many organizations any command-line access to a server is treated as privileged, because most enterprise users are only allowed to use applications through their user interfaces.
A privileged account is a user account that has higher privileges than other accounts. It is an account that has privileged access in some sense. Some privileged accounts are operating system accounts with command-line access; other privileged accounts are application accounts with higher privileges (e.g., accounts that can change the configuration of an application).
A privileged user is a user with higher access to an organization's information systems than other users. Typically a privileged user has access to one or more privileged accounts.
Privileged access may also be obtained by other means. For example, a user with physical access to a computer can usually boot it from a DVD or USB memory stick and then read or modify anything on its disks, unless full-disk encryption and firmware boot protections are in place. Users with physical access may therefore also be considered privileged users.
What Is Privileged Access Management?
Privileged access management (PAM) refers to the systems and processes that give an organization control over, and visibility into, who can obtain privileged access to its computers and information systems. It is a subfield of identity and access management (IAM).
Privileged access management typically includes defining roles for users and granting the privileges, or access rights, each role requires. It also includes distributing the user information and access grants to all the devices and systems that enforce access rights in the organization. Furthermore, it usually includes monitoring what privileged users actually do and analyzing their activity to detect anomalies.
Relationship to Insider Risk and Vendor Risk
Users with privileged access are typically insiders: system administrators, database administrators, developers, architects, application owners, and IT managers who already have access to the organization and its systems. Insiders are involved in a large share of security incidents, whether as the perpetrator or as the owner of the credentials an external attacker steals and then uses; an attacker holding a valid privileged account is, for practical purposes, an insider. Controlling and monitoring privileged access therefore reduces insider risk.
Many external vendors and outsourcing partners also have access to critical systems and data. Edward Snowden, for example, was a contractor working at the NSA. In the Target breach, the attackers got into Target's network with credentials stolen from an HVAC contractor and moved from there to the payment systems that were their actual target. It is common for IT administration to be contracted to offshore outsourcing partners. Controlling and monitoring privileged access is therefore an important part of reducing vendor risk.
Traditional Privileged Access Management
The traditional approach to privileged access management has been to rotate the passwords of privileged accounts automatically, often several times per day, and to store them in a password vault. A jump server or client software authenticates the user, fetches the current password from the vault, and logs in to the target server on the user's behalf. Alternatively, a web portal displays the current password for the target account to the user. Such a checked-out password is typically valid for a fixed period, such as one hour, or until the user expressly releases it.
Industry analysts have largely evaluated PAM products through the lens of this traditional approach, comparing them on password rotation, password vaulting and similar features. The next generation needs none of these. It solves privileged access management differently.
Traditional PAM Stinks, Especially in the Cloud
PAM deployments are notoriously difficult. Read, for example, http://security-architect.com/privileged-account-management-pam-is-very-important-but-deploying-it-stinks/.
The traditional approach changes the way system administrators work, and many administrators hate it. It also requires substantial infrastructure: some large organizations reportedly need over a hundred vaults and jump servers to cover their estate. The vault becomes both a single point of failure and the most valuable target in the environment, since it holds every privileged credential. For automation, every script has to be changed to fetch its password from the vault.
The traditional approach also does not scale to cloud, containers, and especially elastically scaling computing environments. Password vaulting becomes very cumbersome when computing instances are created and destroyed on demand and often live only for a few seconds.
Furthermore, the traditional approach often requires installing (and patching!) software on servers and clients, which is costly and resource-intensive.
Next Generation Privileged Access Management
New technology has made it possible to implement privileged access management without password vaulting and without new software or agents installed on servers or clients. This substantially speeds up deployment, reduces overhead, and helps scale to cloud and elastic environments.
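The page does not say which mechanism replaces the vault. One mechanism that has every property listed above, no stored password, nothing to rotate, and no agent on the server, is a short-lived OpenSSH certificate: the server trusts a CA public key (`TrustedUserCAKeys` in `sshd_config`), and the user presents a certificate that expires minutes after it was issued. The following is an added example, not code from this page or from PrivX, and it assumes that mechanism rather than stating what PrivX implements. It decodes such a certificate and applies the validity-window and principal checks sshd makes; the sample certificate is constructed inline with placeholder CA key and signature bytes so the script runs offline, and signature verification is deliberately out of scope.

```python
"""Added example: decode an OpenSSH user certificate and apply sshd's validity
checks. Not code from the page or from PrivX; it assumes short-lived OpenSSH
certificates (ssh-ed25519-cert-v01@openssh.com) as the ephemeral credential.
Signature verification is intentionally omitted."""
import base64
import os
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # PROTOCOL.certkeys: 1 = user cert, 2 = host cert


def _string(b: bytes) -> bytes:          # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential decoder for the SSH wire types used in certificates."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())

    def done(self) -> bool:
        return self.pos == len(self.data)


def build_user_cert(pubkey, key_id, principals, valid_after, valid_before, serial=1):
    """Constructed sample input: an ssh-ed25519 user certificate in the one-line
    form ssh-keygen writes to id_ed25519-cert.pub, but with placeholder CA key
    and signature bytes. Real certificates come from `ssh-keygen -s`."""
    body = (
        _string(CERT_TYPE)
        + _string(os.urandom(32))                         # nonce
        + _string(pubkey)                                 # 32-byte ed25519 key
        + struct.pack(">Q", serial)
        + struct.pack(">I", SSH_CERT_TYPE_USER)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _string(b"")                                    # critical options
        + _string(b"")                                    # extensions
        + _string(b"")                                    # reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\0" * 32))  # CA key (placeholder)
        + _string(_string(b"ssh-ed25519") + _string(b"\0" * 64))  # signature (placeholder)
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


def parse_user_cert(line: str) -> dict:
    """Decode the fields of an ssh-ed25519 certificate line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE.decode():
        raise ValueError("not an ssh-ed25519 certificate line")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string() != CERT_TYPE:
        raise ValueError("key type inside blob does not match")
    r.string()                                   # nonce, unused here
    cert = {"pubkey": r.string(), "serial": r.u64(), "type": r.u32(),
            "key_id": r.string().decode()}
    pr = _Reader(r.string())                     # principals: nested strings
    cert["principals"] = []
    while not pr.done():
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"], cert["extensions"], _reserved = r.string(), r.string(), r.string()
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert


def authorize(cert: dict, login_user: str, now=None):
    """The checks sshd applies before trusting a certificate: type, validity
    window (valid_after <= now < valid_before) and principal list. Returns
    (allowed, reason). An empty principal list matches any user in OpenSSH;
    issuing certificates that way is a bad idea, so it is rejected here."""
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    if not cert["principals"]:
        return False, "certificate has no principals (would match any user)"
    if login_user not in cert["principals"]:
        return False, "%s is not a listed principal" % login_user
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    line = build_user_cert(os.urandom(32), "alice@laptop", ["ubuntu"], now - 60, now + 600)
    cert = parse_user_cert(line)
    print(cert["key_id"], cert["principals"], authorize(cert, "ubuntu", now))
    print(authorize(cert, "root", now), authorize(cert, "ubuntu", now + 3600))
```

In practice the certificate comes from `ssh-keygen -s ca_key -I alice@laptop -n ubuntu -V +10m id_ed25519.pub`, which writes `id_ed25519-cert.pub` in exactly the line format `parse_user_cert` reads. Nothing has to be installed or rotated on a server when a new instance boots: the only thing it needs is the CA public key in its image, and a credential that expires after ten minutes has no ongoing value to steal.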
PrivX On-Demand Access Manager is the first Next Generation PAM. It is designed for elastic cloud environments from the start. It gets rid of passwords, password vaulting, and password rotation. Deployment becomes far easier and faster. The total project cost is greatly reduced, and time to full deployment easily drops by a factor of ten.