Traditional Privileged Access Management (PAM)
The traditional way analysts have structured privileged access management technology is all based on password vaulting. It was an approach selected by several early vendors in the market.
Recently, a new approach to PAM has emerged, which does not require password rotation, password vaults, or agent software on servers or clients. We call this the Next Generation PAM. The first product use this approach was PrivX On-Demand Access Manager.
This page describes the old approach. For a more detailed description of the new approach, see Next Generation Privileged Access Management.
Traditional PAM Market Definition
Traditionally, the PAM market has been structured around the following features. However, several of these features are specific to a particular way of implementing PAM. Alternative approaches work much better in the cloud.
- Controlling access to shared accounts. This may be implemented, e.g., by obtaining a password from a vault, using client software on the user's computer, or by using a web portal. Authentication to the portal or client may use, e.g., two-factor authentication or single sign-on (SSO).
- Providing four-eyes control, meaning that two people must approve the operation, or the other may be monitoring the action in real time with the ability to terminate the session. Sometimes this is also called dual control.
- Controlling and filtering commands or actions an administrator can execute. This is often implemented as part of privileged escalation controls, similar to sudo.
- Monitor and record what privileged users do. Optical Character Recognition (OCR) functionality may be used to extract text from images. User's actions may also be passed on to Security Incident and Event Monitoring (SIEM) and analytics systems. Such systems may analyze the operations to discover anomalies and provide early warning about potential breaches. Many systems provide video recordings of users' activities and executed commands.
- Traditional systems use randomized passwords for shared accounts, and rotate these accounts frequently.
- Traditional systems use a password vault for storing the current passwords for service accounts and for supplying the to users and scripts.
- Some privileged access management systems provide functionality for managing SSH keys. However, the functionality provided by these products is usually very limited compared to dedicated SSH key management products and does not generally include full implementation of key life cycle management or the necessary functionality for sorting out legacy keys.
- Prividing dashboards, views, and reports to help understand what users are doing in the IT environment.
- PAM systems integrate with ticketing systems, IT service and support management (ITSSM) systems, and change management workflows.
Privileged access management system manage credentials for a wide variety of systems, including operating systems, databases, middleware, applications, network devices, hypervisors, IoT devices, and SaaS applications.
Analysts typically divide product functionality into the following categories.
Shared account password management (SAPM)
Managing and rotating passwords and access to them. Many products also manage SSL/TLS keys, encryption keys, SSH keys, and/or other confidential data in their vaults. It should noted, however, that just storing SSH keys in a vault does not solve SSH key management in any significant way. Some products also save password history to handle restoring from backups and continuously monitor the environment for password changes made outside the solution (reconciliation). Access to shared accounts often involves a request and approval workflow. An irrefutable audit trail is typically kept of any access to passwords. Sometimes access may be configured to only be possible if there is an outstanding ticket in an IT Service Management (ITSSM) system that requires access. Additional authentication, just two-factor authentication, may also be required before access is granted. Most critical systems may require another person to watch the session.
Break-the-glass or firecall functionality may also be supported for emergency access. Nonhuman access may be also be supported, e.g., in combination with AAPM solutions.
Privileged session management (PSM)
Establishing and monitoring sessions to multiple systems. Monitoring recording activity in such systems. Authenticating users (e.g., using two-factor authentication or SSO) and then providing the users access to shared accounts.
Superuser privilege management (SUPM)
Selectively permits users to execute commands with higher privileges. This functionality is similar to the sudo tool, but is also available for a wide variety of operating systems.
Application-to-application password management (AAPM)
This functionality refers to providing applications and scripts access to passwords stored in a password vault. This is basically used to eliminate hard-coded passwords. However, these products generally suffer from the risks that hackers may use the same functionality to read the passwords from the vault.
Dissatisfaction with Traditional PAM
While the traditional PAM market has been hot and growing fast, there is a substantial amount of customer dissatisfaction in the market. Deployment projects frequently do not go as planned. Read, for example Privileged Account Management (PAM) is Necessary, but Deploying it Stinks.
Gartner has reportedly has discussions with organizations that have received surprisingly high-priced offers from vendors to extend the capabilities of their current deployments. Sometimes these offers have been obscene enough to result in vendor replacements. Many vendors try to achieve strong vendor lock-in via proprietary password vaults, expensive deployment investments, and complex software installations.
We have customers who needed a hundred password vaults to get their market-leading PAM solution to scale to the size of their environment. A leading product uses a Windows server as the jump host, running PuTTY on the Windows host to connect to end systems. (PuTTY has had several vulnerabilities that could allow breaking into the jump server.)
The problem in the market is that many organizations don't think strategically. They start run into issues about one year into their products. By the time they've spent millions and several years on a deployment project, it is very difficult to replace a product no matter what it costs.
Privileged access management solutions differ in how they discover user accounts.
- Some use ad hoc tasks to discover user accounts and devices (e.g., from Active Diretory).
- Concurrent discovery is used by some products to detect changes continuously. They may, for example, poll information from Active Directory and hypervisors. These products may trigger automatic enrollment workflows in the PAM solution.
- Service account and credential discovery finds service accounts from the organization. The accounts are often scattered throughout the organization.
- Some provide semi-automated discovery of hard-coded passwords from shell scripts and applications.
Integration with Identity Governance and Administration
Some PAM products come from more general identity and access management vendors. They may offer more general identity governance and administration (IGA) solutions. Some offer proprietary integrations into their products, increasing vendor lock-in. Others use standards-based solutions, such as Active Directory and Light-weight Directory Access Protocol (LDAP).
Next Generation PAM
Traditional PAM solutions are largely built around password vaulting. However, password vaults have become largely unncessary. It is now possible to completely eliminate passwords and other permanent credentials using short-lived certificates that are automatically generated on demand. For an example of a next generation privileged access management solution, see PrivX On-Demand Access Manager.