PAM (Privileged Access Management)
Privileged access may be the most sensitive aspect of IT. Administrative accounts have the ability to make sweeping and fundamental changes to the IT systems on which the business depends. Fail to protect those accounts, and you may as well hand intruders the keys to your business. With administrative access, an intruder can move laterally through your business, causing massive damage, from security threats and compliance violations to incidents that tarnish the reputation of the business itself.
To address these threats, organizations must improve the management of privileged access accounts, limit the amount of data system administrators can access and restrict some of their activities on the network. Enter the Privileged Access Management (PAM) solution.
PAM, the monitoring and protection of superuser accounts, has emerged as one of the most important aspects of IAM, and of cybersecurity writ large, today. Its goal is simple: protect the identities of individuals and applications that have the power to create accounts, delete accounts, or edit account privileges. A good PAM solution can help ensure compliance, maintain business integrity and responsible business processes, tackle security risks inside and outside your organization, and even reduce the total cost of IT operations.
PAM tools help organizations provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access. PAM tools offer features that enable security and risk leaders to:
- Control access to privileged accounts, including shared and “firecall” (emergency access) accounts.
- Monitor, record and audit privileged access, commands and actions.
- Automatically randomize, manage and vault passwords and other credentials for administrative, service and application accounts.
- Provide single sign-on (SSO) for privileged commands and actions in a secure manner, such that credentials are not revealed.
- Delegate, control and filter privileged operations that an administrator can execute.
- Eliminate hard-coded passwords by making them available on demand to applications.
- Require high-trust authentication for privileged access by either providing or integrating with other multifactor solutions to ensure required levels of trust and accountability.
Two distinct tool categories have evolved as the predominant focus for security and risk management leaders considering investment in PAM tools:
- Privileged account and session management (PASM): Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services and applications. Sessions are established, possibly with credential injection, and fully recorded. Passwords and other credentials for privileged accounts are actively managed (i.e., changed at definable intervals or upon the occurrence of specific events).
- Privilege elevation and delegation management (PEDM): Specific privileges are granted on the managed system by host-based agents to logged-in users. This includes host-based command control (filtering) and privilege elevation, the latter in the form of allowing particular commands to be run with a higher level of privilege.
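The PASM workflow described above, as an added toy model in Python (constructed for this page, not code from any PAM product): a vault holds the privileged credential, a user checks out a brokered session handle that never carries the password, every action is audited, and the credential is rotated both on a fixed interval and on the check-in event. Account names, timestamps and the `PasmBroker` class are all made up for the illustration.

```python
import secrets

# Toy PASM broker (constructed example): vaulted credentials, brokered
# sessions that expose no password, an audit trail, and rotation either
# on a schedule or when a session is checked in.

class VaultEntry:
    def __init__(self, secret, rotated_at):
        self.secret = secret            # never returned to a caller
        self.rotated_at = rotated_at    # time of last rotation
        self.checked_out_by = None      # user holding the exclusive session

class PasmBroker:
    def __init__(self, rotate_after):
        self.rotate_after = rotate_after  # seconds between scheduled rotations
        self.vault = {}
        self.audit = []                   # (time, event, account, detail)

    def onboard(self, account, now):
        self.vault[account] = VaultEntry(secrets.token_urlsafe(24), now)
        self.audit.append((now, "onboard", account, ""))

    def rotate(self, account, now, reason):
        entry = self.vault[account]
        entry.secret = secrets.token_urlsafe(24)
        entry.rotated_at = now
        self.audit.append((now, "rotate", account, reason))

    def checkout(self, user, account, now):
        """Broker a session; the returned handle carries no credential."""
        entry = self.vault[account]
        if entry.checked_out_by is not None:
            self.audit.append((now, "deny", account, f"{user}: held by {entry.checked_out_by}"))
            return None
        if now - entry.rotated_at >= self.rotate_after:
            self.rotate(account, now, "interval")   # scheduled rotation
        entry.checked_out_by = user
        # Credential injection happens here: the broker itself would open the
        # target session with entry.secret; the user only receives a handle.
        handle = {"session_id": secrets.token_hex(8), "account": account, "user": user}
        self.audit.append((now, "checkout", account, user))
        return handle

    def checkin(self, handle, now):
        """End the session and rotate the credential (event-driven)."""
        entry = self.vault[handle["account"]]
        if entry.checked_out_by != handle["user"]:
            raise PermissionError("session not held by this user")
        entry.checked_out_by = None
        self.audit.append((now, "checkin", handle["account"], handle["user"]))
        self.rotate(handle["account"], now, "checkin")

    def events(self, account):
        return [e[1] for e in self.audit if e[2] == account]
```

A real deployment would also record the session contents and enforce approval or MFA before `checkout`; this sketch only shows the vault, brokering, audit and rotation pieces.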
The tools span a wide range of systems and infrastructure – OSs, databases, middleware and applications, network devices, hypervisors, and cloud services (infrastructure as a service [IaaS], platform as a service [PaaS] and SaaS). Although the major focus is on managing privileged access, PAM tools are also used by some organizations to manage shared access to non-administrative shared accounts, such as an organization’s official social media accounts. Accounts used by nonhuman users, such as services or applications – whether of an administrative nature or not – are also in scope.