What Is Privileged Access Management?
Privileged access management (PAM) is a way of authorizing, managing, and monitoring account access with a high degree of administrative permissions. This is done to protect an organization’s most critical systems and resources. These “super user” accounts are isolated within an encrypted repository or vault. The access of these systems is authenticated and logged, and the sessions may be recorded or audited.
With PAM, companies can exert greater control over the privileged access that could be used to make or break their operations.
Why is Privileged Access Management necessary?
Many organizations invest in Privileged Access Management to help them meet compliance standards, such as PCI-DSS, SOC2, FedRAMP, ISO27001.
PAM can present additional barriers for bad actors who are attempting to exfiltrate data and inflict damage, whether these threats are coming from outside or within your organization. By limiting and isolating privileged access, an organization reduces its attack surface.
When it comes to threat vectors, it’s important to keep in mind that insider threats—whether for commercial gain or other reasons—usually occur when employees, partners, and contractors seek to abuse the sensitive data or system access granted to them through their privileges. Insider attackers already have some awareness of where everything is, whereas external attackers might have a greater “dwell time” as they plot their next move. External hackers can essentially present themselves as insiders once they compromise accounts through phishing, credential stuffing, or other means.
The benefits of Privileged Access Management
IT leaders who successfully manage PAM stand to keep their companies secure in the following ways:
- IT leaders often look to PAM solutions to reduce the attack surface of their organization.
- IT leaders can weed out accounts with too many privileges. They can also find accounts with privileged access that were forgotten about and that should have been deleted.
- If something goes awry during a session, PAM ensures the evidence is logged and privileges can be swiftly revoked.
- PAM can reduce the probability of malware infection and propagation.
- PAM allows IT leaders to meet the standards set by industry and compliance regulations. The company’s IT infrastructure can be more readily monitored and audited with PAM procedures in place.
- A PAM solution might even reduce incompatibility issues and downtime.
What are privileged accounts?
Now that we know more about PAM, let’s dive deeper into privileged accounts. Most organizations have some form of role-based access policies, regardless of the sophistication of their PAM technologies. Otherwise, the risk of credential misuse or a data breach would be too large.
Privileged accounts have greater access than ordinary ones, whether they’re connecting to on-premise servers or applications and systems in the cloud. Some privileged accounts can perform functions that might be necessary for configuration or maintenance, but that might be equally valuable for hackers trying to exfiltrate data or inflict damage.
Privileges might include security overrides, or the ability to shut down systems and load device drivers. Privileged users could also be responsible for developing an app or handling a third-party integration. In addition to these abilities to execute certain tasks, privileges might also facilitate access to sensitive digital resources or proprietary information.
Types of privileged accounts
There are a multiple different ways to provide privileged account management. This is largely due to the vast amount of privileged accounts that can exist. As such, PAM solutions need to account for the following:
- Emergency accounts. These are also referred to as “break glass” accounts, in reference to the real-world containers that hold tools used only in emergencies. If someone is accidentally locked out of a system or is otherwise unable to take necessary actions, and they urgently need administrative access, they might be able to use an emergency account. These emergency access accounts aren’t usually assigned to specific individuals.
- Local administrative accounts. These are usually shared accounts, which are used to access a local host or instance for IT maintenance. Unfortunately, there is a tendency to reuse passwords on these types of accounts, which creates a cybersecurity risk.
- Application accounts. This kind of account allows applications to run jobs or scripts or give access permissions to other applications. Because of the sensitive critical information that is often contained in applications—and the fact that their credentials are often stored in easily-accessible plain text files—these accounts can pose a notable security risk and are often targeted by advanced persistent threats.
- Service accounts. These are local or domain accounts that are used to execute applications in operation systems or to make authorized API calls. Windows defines this type as a user account created to provide a security context for services running on Windows Server operating systems. Within Google Cloud, it’s a special type of account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Sometimes, hackers can exploit service accounts to gain remote access.
- Active Directory (AD) or Windows domain service accounts. These are AD and Windows system accounts that interact with other applications to, for instance, change a user’s credentials. Sometimes, IT admins don’t change passwords as often as they should because they’re trying to avoid directory sprawl. For companies still using Active Directory, PAM enables users to submit requests through the MIM Services Web Services API, a REST endpoint, Windows PowerShell, or other methods.
- Domain administrative accounts. These privileged accounts provide access across all workstations and can modify the configuration of servers, information, and the other administrative accounts within the domain.
- Privileged user accounts. These users have more privileges than ordinary accounts. They have admin rights on local machines and other systems within their purview, and they can make system and software configuration changes.
How to implement PAM
PAM solutions offer different tools and levels of customization, based on your organizational needs and priorities. When organizations are reforming their procedures and cybersecurity through PAM, they need to take a step back, assess the situation, prioritize, and then make gradual progress from there. This process can be refined over time.
The following tools can be used as part of a PAM solution:
- Shared account password manager (SAPM). This structure isolates and protects the passwords to admin accounts, and generates audit trails on privileged access.
- Superuser privilege manager (SUPM). This is for managing individual accounts and selectively allowing users to execute important commands.
- Privileged session manager (PSM). These session brokers make sure that even administrators do not see the passwords being used. Hardened proxy servers monitor active sessions, and reviewers can intervene by ending sessions that look suspicious.
- Application-to-application password manager (AAPM). For applications to communicate with one another, access needs to be granted. AAPMs introduce security to these processes by releasing credentials as they’re required. API calls are made to the secure password vault, replacing the need for hard-coded passwords.
PAM best practices
PAM is built on an understanding of several security principles.
A common approach to PAM involves the principle of least privilege, which ensures that users, applications, and devices are given access only to the resources they need to perform their required functions. It’s all about looking at administrative tasks for authorized users on a granular level: any gratuitous privileges are held back, to prevent abuse.
Just-in-time access operates on the principle that access should only be granted for a short period of time, not extended indefinitely. To help mitigate the threat of bad actors, this should be paired with robust authentication methods like multi-factor authentication (MFA) so that bad actors that break into an account don’t have uninterrupted access.
According to a report from Gartner, the value of PAM solutions can be increased through automation, delegation, and integration with other enterprise tools. PAM tools can’t do the job on their own. They require an operational vision, established through best practices and deliberate processes.
Gartner defines four pillars of privileged access management.
- Track and secure. It’s important that all privileged accounts are tracked: if privileged access is occurring but isn’t accounted for, companies risk having their data stolen by bad actors. Gartner recommends that enterprises using an identity governance and administration (IGA) system check whether it can track lifecycle activity for privileged accounts. Companies should regularly review and remove PAM accounts that are no longer in use or have been abandoned.
- Govern and control. Once IT managers have gained visibility and taken charge of their identity lifecycle processes, they can begin their PAM overhaul by transferring privileged accounts to a password vault. Then they should reevaluate application-to-application access. Any new privileged accounts should follow a request-based workflow and approval process. The PAM solution itself should also be protected through MFA.
- Record and audit. The third pillar focuses on viewing and reviewing the existing levels of privilege and any changes being made to systems or processes. IT admins can implement a procedure of regular, random reviews to create an environment where any activity could be under review at any time. Session recording can include text input/output (I/O), keystroke logs, or even video/graphical recordings. All of this material can be retained to allow for thorough, backdated investigations following the discovery of a breach.
- Operationalize. Operationalizing PAM may involve automation and integration with other enterprise tools. When considering this fourth pillar, Gartner points out that “good targets for automation are predictable and repeatable tasks, such as simple configuration changes, software installations, service restarts, log management, startup and shutdown.”
Privileged access management vs identity and access management
Identity and access management (IAM) focuses on the overall creation, maintenance, validation, and sometimes consolidation of digital identities. PAM is one component of this greater IAM strategy which can be achieved through numerous approaches.
It’s possible to leverage PAM independently of IAM to manage the access of the most powerful accounts—or privileged identities—within an organization’s IT infrastructure. That said, many modern organizations choose to unify their privileged access policies through their core identity and access management provider. While IAM can become more complex the bigger and more distributed a company grows, many IT teams still choose to establish clear and secure privileged access management through this approach.
With a solid identity foundation, organizations can also extend their workforce capabilities through IAM tools like Single Sign-On and Adaptive Multi-Factor Authentication to boost security, reduce friction, and conquer identity sprawl.
To learn more about Okta’s privileged Access Management capabilities, visit our PAM Solution Page.