What is privileged access management (PAM)?
Users with privileged access accounts can cause major damage to your organization. Privileged accounts have elevated access rights. These accounts could be used by humans or machines. Think of accounts like domain or local administrative accounts. Other types of privileged accounts may include accounts that have broad access to underlying company information that live in applications and databases.
To manage this risk, organizations need to have a privileged access management, or PAM, solution in place. PAM puts special controls in place to secure privileged access accounts and track their usage. Think of PAM as holding the keys to the IT kingdom. PAM is used to protect against the threats posed by credential theft and privilege misuse. PAM is different from identity and access management (IAM), but they are closely related.
Good PAM solutions provide just in time privileged access programs, and zero trust security architectures. A central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.
What are the main features of a PAM system?
PAM systems are made up, but not limited to, the following five key features:
- Password Vaults – Password vaults are secure encrypted repositories that store passwords used to access sensitive accounts. With password vaults, nobody knows the passwords for the privileged accounts. Passwords are created automatically by the password vault. When a user needs to log into a privileged account, they log into the password vault and the password vault then logs into the target system. The security of the privileged account password is maintained, even when multiple users access the same privileged account.
- Command Proxying – PAM provides proxying of commands which eliminates the needs for direct server access. Instead of a user login into a remote system directly, the privileged account manager receives the command that the user wishes to execute, verifies the user is authorized, then issue the command to the target system on the user’s behalf.
- Monitoring – PAM provides enhanced monitoring capabilities that can log every action taken by a user in a privileged session. The logs are stored for later review. This gives auditors or investigators to retrace the steps taken with administrative privileges.
- Credential Management – PAM typically performs account management functions. This can include rotating passwords automatically which will create new and strong passwords.
- Emergency Access Workflow – This is necessary when a user needs to bypass the account manager and access a system directly with administrative rights. The is a “break glass” scenario. The account manager should allow this with the permission from a manager. The account manager would then log the emergency access and ensure the emergency password is changed after the disclosure.
Summary
Users with privileged access accounts pose a major risk to your organization. To manage this risk, you need to have a privileged access management (PAM) solution in place. PAM needs to be a critical component of your organization’s cybersecurity strategy.