Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical, corporate resources. These may be human administrators, devices, applications, and other types of users.
Privileged user accounts are high value targets for cyber criminals. That’s because they have elevated permissions in systems, allowing them to access highly confidential information and/or make administrative-level changes to mission critical applications and systems. In the last year, 44 percent of data breaches involved privileged identities.1
Privileged Access Management is also sometimes referred to as Privileged Account Management or Privileged Session Management (PSM). Privileged session management is in fact one component of a complete PAM system, not a synonym for it.
Privileged accounts exist everywhere. There are many types of privileged accounts, and they can exist on-premises and in the cloud. They differ from other accounts in that they carry elevated permissions, such as the ability to change settings for large groups of users. Often, several people share access to a single privileged account, at least temporarily.
For example, the root account on a Linux machine is a privileged account. The root user of an Amazon Web Services (AWS) account is another. A corporate account for the official company Twitter profile is yet another form.
Privileged accounts present a serious risk. Cyber criminals are more interested in stealing credentials for privileged accounts than for any other type of account, so these accounts are a persistent challenge for IT departments.
Traditionally, access to these accounts has not been well managed, despite the potential for large damage if such an account is compromised. Common issues include many people using the same account with no clear history or accountability, and static passwords that are never changed.
PAM solutions aim to address these risks.
A PAM administrator uses the PAM portal to define how each privileged account is accessed across the organization's applications and enterprise resources. The credentials of privileged accounts (such as their passwords) are stored in a special-purpose, hardened password vault. The PAM administrator also uses the portal to define policies for who may assume access to these privileged accounts and under what conditions.
Privileged users log in through the PAM and request, or immediately assume, access to the privileged account. That access is logged and remains temporary, scoped to the specific task at hand. To ensure accountability, the user is usually asked to provide a business justification for using the account, and sometimes manager approval is required as well. Often the user is never given the actual password: the PAM brokers the connection and injects the credential into the session on the user's behalf. Additionally, the PAM ensures that passwords are changed frequently, usually automatically, either at regular intervals or after each use.
The PAM administrator can monitor user activity through the PAM portal and, if needed, observe or terminate live sessions in real time. Modern PAMs also apply machine learning to identify anomalies and use risk scoring to alert the PAM administrator in real time about risky operations.
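The checkout, brokered session, and rotation workflow described above, reduced to a small credential broker. This is an added example, not code from any PAM vendor or from the original page: the vault contents, the policy rules, the user names (`alice`, `bob`, `carol`), the account name `root@db01`, and the `target_system` stub that stands in for the managed host are all constructed for illustration. It shows the checks a PAM performs before handing out privileged access (policy membership, business justification, manager approval), the time-limited lease, the fact that the caller never sees the secret, the append-only audit trail, and rotation of the credential when the lease is checked in.

```python
"""Minimal privileged-credential broker illustrating a PAM checkout workflow.

Added example; not vendor code. All names, rules and secrets are constructed.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """Who may assume an account, whether approval is required, and the lease lifetime."""
    allowed: Set[str]
    needs_approval: bool
    ttl_seconds: int


@dataclass
class Lease:
    user: str
    account: str
    justification: str
    approver: Optional[str]
    expires_at: float


def target_system(account: str, command: str) -> str:
    """Hypothetical stand-in for the managed host; a real broker would open an SSH/RDP/API session."""
    return f"{account}: executed {command!r}"


class Broker:
    def __init__(self, vault: Dict[str, str], policy: Dict[str, Rule]):
        self._vault = vault            # account -> current secret; never returned to callers
        self._policy = policy
        self._leases: Dict[str, Lease] = {}
        self.audit: List[str] = []     # append-only trail of every decision and action

    def _log(self, now: float, event: str, user: str, account: str, detail: str) -> None:
        self.audit.append(f"t={now:.0f} {event} user={user} account={account} {detail}")

    def checkout(self, user: str, account: str, justification: str,
                 approver: Optional[str] = None, now: Optional[float] = None) -> str:
        """Grant a time-limited lease on a privileged account, or refuse and record why."""
        now = time.time() if now is None else now
        rule = self._policy.get(account)
        if rule is None or user not in rule.allowed:
            self._log(now, "DENY", user, account, "not permitted by policy")
            raise PermissionError(f"{user} may not assume {account}")
        if not justification.strip():
            self._log(now, "DENY", user, account, "missing business justification")
            raise ValueError("business justification required")
        if rule.needs_approval and not approver:
            self._log(now, "DENY", user, account, "manager approval required")
            raise PermissionError("manager approval required")
        lease_id = secrets.token_hex(8)
        self._leases[lease_id] = Lease(user, account, justification, approver, now + rule.ttl_seconds)
        self._log(now, "CHECKOUT", user, account,
                  f"lease={lease_id} approver={approver} reason={justification!r}")
        return lease_id

    def run(self, lease_id: str, command: str, now: Optional[float] = None) -> str:
        """Execute a command through the broker; the user never handles the secret."""
        now = time.time() if now is None else now
        lease = self._leases.get(lease_id)
        if lease is None or now > lease.expires_at:
            self._leases.pop(lease_id, None)   # expired leases are discarded, not extended
            raise PermissionError("lease missing or expired")
        _secret = self._vault[lease.account]   # injected into the session here, not returned
        self._log(now, "SESSION", lease.user, lease.account, f"lease={lease_id} cmd={command!r}")
        return target_system(lease.account, command)

    def checkin(self, lease_id: str, now: Optional[float] = None) -> None:
        """End the lease and rotate the credential so the used secret is worthless afterwards."""
        now = time.time() if now is None else now
        lease = self._leases.pop(lease_id, None)
        if lease is None:
            return
        self._rotate(lease.account)
        self._log(now, "CHECKIN", lease.user, lease.account, f"lease={lease_id} credential rotated")

    def _rotate(self, account: str) -> None:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        self._vault[account] = "".join(secrets.choice(alphabet) for _ in range(32))
        # A real PAM would also push the new secret to the target so the old one stops working.


if __name__ == "__main__":
    vault = {"root@db01": "initial-secret"}                         # constructed sample vault
    broker = Broker(vault, {"root@db01": Rule({"alice"}, True, 3600)})
    lease = broker.checkout("alice", "root@db01", "apply security patch", approver="carol", now=0)
    print(broker.run(lease, "yum update -y", now=10))
    broker.checkin(lease, now=20)
    print("\n".join(broker.audit))
```

The audit list is what an auditor would ask for: every denial, checkout, session command and check-in, with the requesting user and the justification. Rotation on check-in is what makes a leaked or shoulder-surfed credential useless once the task is done; without it, the vault merely centralizes a static secret.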
Increased security is the obvious benefit of implementing a PAM system. However, it’s not the only one. PAM helps:
Protect against cyber criminals Privileged users, such as administrators, face the same challenges as other users when it comes to remembering multiple passwords, and have the same tendency to reuse one password across accounts. Yet these users are far more likely to be targeted by cyber criminals. A PAM system reduces the number of passwords administrators must remember and discourages privileged users from creating local or direct system passwords that bypass the vault. Session management and alerting help the PAM administrator identify potential attacks in real time.
Protect against inside attacks Sadly, a significant number of attacks come from bad actors inside the organization, or from employees who have left but were never fully de-provisioned and so still have access after departure.
Greater productivity A PAM is a boon for privileged users. It lets them log in faster to the systems they need and relieves the cognitive burden of remembering many passwords. It also lets the PAM administrator manage privileged user access from one central location rather than across a slew of different systems and applications.
Ensure compliance Many regulations require granular, specific management of privileged user access and the ability to audit that access. You can restrict access to sensitive systems, require additional approvals, or enforce multi-factor authentication for privileged accounts. The auditing tools in PAM systems record activity and let you produce a clear audit trail. PAM helps organizations comply with regulations and standards such as SOX, HIPAA, PCI DSS, GLBA, ISO 27002, ICS-CERT, FDCC and FISMA.
Privileged access management is sometimes confused with Identity and Access Management (IAM). IAM focuses on authenticating and authorizing all types of users in an organization, often including employees, vendors, contractors, partners, and even customers. IAM manages general access to applications and resources, on-premises and in the cloud, and usually integrates with directory systems such as Microsoft Active Directory.
PAM focuses on privileged users, administrators or those with elevated privileges in the organization. PAM systems are specifically designed to manage and secure the access of these users to critical resources.
Organizations need both tools if they are to protect against attacks.
IAM systems cover the larger attack surface created by the many users across the organization's ecosystem. PAM covers a smaller attack surface, but a high-value one, and it requires an additional set of controls that are normally not relevant, or even appropriate, for regular users (such as session recording).
There are multiple benefits to integrating your PAM solution with your IAM solution. Many customers choose to do this integration because it reduces security risk, is required by auditors and compliance regulations, and improves the user experience. IAM lets you:
In conclusion, PAM has a critical role to play in securing your organization’s resources and data. The best identity management solutions involve a coordinated use of an IAM and a PAM system to ensure security and usability.