What is Privileged Access Management (PAM)?

What is PAM?

Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical, corporate resources. These may be human administrators, devices, applications, and other types of users.

Privileged user accounts are high value targets for cyber criminals. That’s because they have elevated permissions in systems, allowing them to access highly confidential information and/or make administrative-level changes to mission critical applications and systems. In the last year, 44 percent of data breaches involved privileged identities.¹

Privileged Access Management is also sometimes referred to as Privileged Account Management or Privileged Session Management (PSM). Privileged session management is actually a component of a good PAM system.

Why is PAM important?

Privileged accounts exist everywhere. There are many types of privileged accounts and they can exist on-premises and in the cloud. They differ from other accounts in that they have elevated levels of permissions, such as the ability to change settings for large groups of users. Also, often multiple people may have access to a specific privileged account, at least on a temporary basis.

For example, the root account on a Linux machine is a form of privileged account. An account owner for Amazon Web Services (AWS) is another form of privileged account. A corporate account for the official company Twitter profile is yet another form.

Privileged accounts present a serious risk. Cyber criminals are more interested in stealing credentials for privileged accounts than any other type of account. Thus, they present a challenge for IT departments.

Traditionally, access to these accounts has not been well managed, despite the high risk of large damage if such accounts are compromised. Common issues include many people using the same account with no clear history or accountability, and static passwords that are never changed.

PAM solutions aim to address these risks.

How do privileged access management systems work?

A PAM administrator uses the PAM portal to define methods to access the privileged account across various applications and enterprise resources. The credentials of privileged accounts (such as their passwords) are stored in a special-purpose and highly secure password vault. The PAM administrator also uses the PAM portal to define the policies of who can assume access to these privileged accounts and under what conditions.

Privileged users log in through the PAM and request or immediately assume access to the privileged user account. This access is logged and remains temporary for the exclusive performance of specific tasks. To ensure security, the PAM user is usually asked to provide a business justification for using the account. Sometimes manager approval is required, as well. Often, the user isn’t granted access to the actual passwords used to log into the applications but instead is provided access via the PAM. Additionally, the PAM ensures that passwords are frequently changed, often automatically, either at regular intervals or after each use.

The PAM administrator can monitor user activities through the PAM portal and even manage live sessions in real time, if needed. Modern PAMs also use machine learning to identify anomalies and use risk scoring to alert the PAM Administrator in real time of risky operations.

What are the benefits of a PAM?

Increased security is the obvious benefit of implementing a PAM system. However, it’s not the only one. PAM helps:

Protect against cyber criminals Privileged users, such as administrators, face the same challenges as other users with regard to remembering multiple passwords—and have the same tendency to use the same password across multiple accounts. Yet, these users are also more likely to be the target of cyber criminals. A PAM system can reduce the need for administrators to remember many passwords and avoid privileged users creating local/direct system passwords. Session management and alerts helps the superadmin identify potential attacks in real time.

Protect against inside attacks Sadly, a significant number of attacks come from bad actors inside the organization. Or employees who have left but haven’t been fully de-provisioned to prevent access after departure.

Greater productivity A PAM is a boon for privileged users. It allows them to login faster to the systems they need and relieves the cognitive burden of remembering many passwords. It also enables the superuser to easily manage privileged user access from one central location, rather than a slew of different systems and applications.

Ensure compliance Many regulations require granular and specific management of privileged user access and the ability to audit access. You can restrict access to sensitive systems, require additional approvals, or use multi-factor authentication for privileged accounts. The auditing tools in PAM systems record activities and enable you to provide a clear audit trail. PAM helps organizations comply with regulations like SOX, HIPAA, PCI DSS, GLBA, ISO 27002, ICS CERT, FDCC, FISMA.

How is PAM Different from Identity Access Management (IAM)?

Privileged access management is sometimes confused with Identity Access Management (IAM). IAM focuses on authenticating and authorizing all types of users for an organization, often including employees, vendors, contractors, partners, and even customers. IAM manages general access to applications and resources, including on-prem and cloud and usually integrates with directory systems such as Microsoft Active Directory.

PAM focuses on privileged users, administrators or those with elevated privileges in the organization. PAM systems are specifically designed to manage and secure the access of these users to critical resources.

Organizations need both tools if they are to protect against attacks.

IAM systems cover the larger attack surface of access from the many users across the organization’s ecosystem. PAM focuses on privileged users—but PAM is important because while it covers a smaller attack surface, it’s a high-value surface and requires an additional set of controls normally not relevant or even appropriate for regular users (such as session recording).

How can IAM improve PAM?

There are multiple benefits for integrating your PAM solution with your IAM solution. Many customers choose to do this integration because it reduces security risks, is required by auditors and compliance regulations, and it improves the user experience. IAM lets you:

• Add Multi-Factor-Authentication (MFA) and Adaptive Authentication for your PAM access. This can help meet compliance requirements, such as PCI DSS Requirement 8.3. Many regulations such as PCI DSS require securing administrative access with tools like MFA.
• Make sure that privileged access is terminated automatically upon the employee leaving the organization. Again, this is often a compliance requirement, such as for PCI DSS. Not all PAM tools ensure this and—too often—IT departments don’t de-provision ex-employees quickly enough. When that employee has access to privileged accounts, it can spell disaster.
• Ensure that administrators are productive on day one. By using your IAM with PAM, you can automatically provision administrators to the PAM and grant them appropriate access on their very first day.
• Provide a single user experience. By using your IAM as the interface to the PAM, you improve the user experience for privileged users, since they access the PAM from the same place that they access other corporate resources.

In conclusion, PAM has a critical role to play in securing your organization’s resources and data. The best identity management solutions involve a coordinated use of an IAM and a PAM system to ensure security and usability.