10 Features Every PAM Solution Must Have
The MoSCoW method is a prioritization technique used in project management and software to prioritize requirements. It stands for: Must have, Should have, Could have, and Won’t have. Using this approach can help you build a common understanding among your stakeholders as you evaluate and select a Privileged Access Management (PAM) solution.
In this blog, we’ll focus on the 10 must-have features that create the foundation of a robust PAM system.
- Password vaulting
Every PAM solution must prevent privileged users from knowing the actual passwords to critical systems and resources. This way, any attempt of a manual override on a physical device can be prevented. Instead of giving passwords to privileged users, the PAM solution must protect privileged credentials in a secure vault.
- Password management: auto-generation, rotation, and workflow approval
PAM tools allow you to automate and control the entire process of granting access and passwords to privileged accounts.
Each time a privileged user requests access, a new password can be automatically generated by the PAM system to avoid password reuse or leakage, while ensuring a match between current credentials and target systems.
Highly critical and sensitive credentials are given only if an established policy is followed and when all required approvals are met.
PAM includes handling access permissions based on roles and policies. Within your PAM solution, you can define a fixed number of parameters that control administrative access, as well as limit access to specific functions and resources.
- Multi-factor authentication
Even with multiple security protocols in place, there is still potential for privileged accounts to be breached. Your PAM software must add an additional layer of security with multi-factor authentication protocols (MAP) when a user requests access. OATH authentication and proprietary tokens can also be integrated as part of MAP.
- Access for remote employees and third parties
Remote workers must be able to access the same systems and data they could while in the office.
Identities should be consolidated across all operating systems and environments, on-premise and cloud, so you know which people are associated with which accounts.
PAM software must provide third-party personnel role-based access to systems without the need for domain credentials, thus limiting access to privileged resources.
- Mobile access points
Mobile devices are becoming common access points to enterprise systems. PAM software that integrates with a secure application launcher can grant access to remote devices.
- Session management
A PAM solution must establish sessions for each and every privileged user.
You need the capability to record all privileged sessions, both command-line, and video, in a searchable and comprehensive way. This way, you can quickly show compliance with regulations for SOC2, SOX, PCI DSS 3.2, HIPAA, NERC CIP, ISO 27001, and more.
With live session monitoring, IT teams are capable of viewing all sessions in real-time. A real-time view of all privileged sessions means you can quickly terminate suspicious or unauthorized sessions.
- Real-time visibility and alerting
When a threat is detected, preventative actions should be taken immediately. An effective PAM solution must enable you to create alerts and quickly address any deviations in account usage.
- Disaster recovery
PAM systems must be designed with failover safeguards to ensure no single point of failure can prevent critical access to systems during a widespread system or network outage.
- Emergency access
Your solution must enable you to configure access controls and approval workflows for a “break glass” scenario. If an all-out emergency occurs, a user could put a flag on the system to indicate that no approval is required for any checkout. All such requests would have to be approved automatically but still audited, and you must pre-define who can request such access, who is responsible for approving it, and on which systems.
- Auditing and reporting
Providing risk-based scorecards that show who has access to which resources and effective PAM solutions can save you hours gathering audit and compliance information.
If a privileged account attack occurs, a forensic investigation will require you to provide the complete picture. Only a few PAM solutions can give you a 360° view of when a privileged account password was checked out and by whom, as well as all the actions taken by that account.
Beyond the PAM must-haves
With the right PAM solution, you can rest assured that mission-critical infrastructure is protected. These must-haves will empower you to enforce access controls even on “superuser” accounts, improve your security, and meet audit and compliance requirements.
Once the PAM must-haves are in place, the unique needs, work style, and security risks of your organization will determine how you define your list of Should have, Could have, and Won’t have requirements.