Privileged Account Management and Identity Access Management: Same family, different strengths
From a cyber criminal’s point of view, privileged credentials are among the highest-return targets of any attack. A malicious actor holding a privileged account password can walk into key databases and read the most sensitive data they hold. To obtain those credentials, attackers use increasingly sophisticated tooling and social engineering techniques which even the best-intentioned organizations find extremely difficult to rebuff.
Industry estimates commonly put the share of breaches that involve compromised privileged credentials at around 80%. That includes credentials for privileged people such as domain admins, and also the service, application, and root accounts through which one system exercises privileges on another.
There is a common misperception that if you must log into it, IAM can protect it
Identity and access management (IAM) is a system to identify and authorize users across an organization. Privileged Access Management (PAM) is a subset of IAM that focuses on privileged accounts and systems. It governs and controls access to accounts with elevated privileges, such as administrator accounts, and strictly controls their use in accessing highly sensitive systems and data.
While Identity and Access Management (IAM) tools can assist with managing privileged users, they leave coverage gaps that a cyber criminal could exploit if they aren’t used in conjunction with Privileged Access Management (PAM) solutions. PAM tools allow you to lock down and monitor all types of privileged accounts automatically, so that no account, human or machine, is trusted by default: a true “Trust No One” posture.
IAM covers every user account in your organization; PAM secures access to the key business and technical system accounts. If you must choose which to implement first, choose PAM. It protects access to the accounts whose compromise would do the most damage.
Gartner defines IAM as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. For example, IAM allows you to provide a salesperson with access to their email account and provides higher-level access for certain individuals to log into sensitive systems such as finance and HR.
Some IAM tools, such as Identity Governance and Administration (IGA), provide monitoring and reporting capabilities that are required for a compliance program. These tools are helpful in ensuring broad compliance with security protocols and identifying outliers, but they don’t “secure the bits.” They don’t handle the actual authentication, nor do they on their own control access to key resources.
In contrast, Privileged Access Management (PAM) solutions manage the passwords and authentication to backend systems, including the credentials that servers and databases use to authenticate to one another. These privileged accounts are highly sensitive because they grant administrative capabilities such as changing network and server settings.
Privileged accounts that are assigned directly to an individual can be monitored and managed by IAM solutions. These non-human privileged accounts, by contrast, are easily neglected and forgotten when no individual, no human, is paying close attention to them. A breach of one of them can remain undetected for a much longer period, with dire consequences, if PAM is not in place.
PAM allows you to protect and manage many different types of privileged accounts:
- Service accounts that run application services.
- Application accounts that access and share sensitive information with databases and other applications.
- System administrator accounts that manage databases.
- Domain administrator accounts that manage servers, control Active Directory users and groups, and are by default local administrators on every domain-joined machine.
- Root accounts that manage Unix/Linux platforms.
- Networking accounts that represent a full-access pass to critical infrastructures such as firewalls, routers, and switches.
PAM is more powerful than a password vault
PAM tools are designed to protect your most sensitive user credentials, secrets, tokens, and keys. In addition to providing secure storage for this authentication information, they allow you to manage who has access to which resources, applications, servers, and databases, facilitating the assignment of which tasks a user can perform within each system.
PAM also automates the provisioning of privileged accounts and enforces a consistent, compliant configuration, so that an unauthorized change by a bad actor stands out and far less manual verification and intervention is needed.
As people’s roles and responsibilities change, their access to key systems needs to be updated or they may retain access to systems they no longer should. In a non-crisis situation, when time is not a factor, an IT admin could follow a checklist and manually make changes throughout the spiderweb of systems someone had access to. But, let’s face it, when is time not a factor?
With PAM tools you can change or revoke passwords immediately, while also enforcing proper password hygiene: you can monitor password activity and rotate passwords regularly but not on a predictable schedule. The same mechanism works in a crisis, to lock down all systems at once without jeopardizing ongoing daily operations within your organization.
PAM tools allow you to monitor privileged account access, identify outliers, detect unusual behavior and quickly respond. All steps can be invisible to the people within your organization: no required system downtime nor disruption in their access to other resources they should have access to.
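As an added illustration (example code written for this page, not a Delinea product feature or API), here is the kind of rule-based check a PAM session monitor applies, run over a handful of constructed sign-in events. The pipe-delimited log format, the per-account baseline of expected source hosts and hours, and the events themselves are all assumptions made for the example:

```python
"""Added example (not Delinea code): flag anomalous privileged sign-ins.

The log format, the per-account baseline and the events are constructed
for this example; a real deployment would read vault session logs or
Windows security events instead.
"""
from datetime import datetime

# Constructed sample of privileged sign-in events, one per line:
# timestamp | account | account_type | source_host | target | logon_type
SAMPLE_LOG = """\
2024-03-04T09:12:00 | admin.jane | human   | jump01  | db-prod-01 | interactive
2024-03-04T09:40:00 | admin.jane | human   | jump01  | ad-dc-01   | interactive
2024-03-04T02:15:00 | svc_backup | service | bk-srv  | db-prod-01 | service
2024-03-04T03:05:00 | svc_backup | service | wks-117 | db-prod-01 | interactive
2024-03-04T23:48:00 | admin.jane | human   | wks-203 | ad-dc-01   | interactive
2024-03-04T10:02:00 | root       | root    | jump01  | web-01     | interactive
2024-03-04T11:30:00 | admin_bob  | human   | jump01  | ad-dc-01   | interactive
"""

# Assumed baseline per vaulted privileged account: the hosts it is checked
# out from and the hours during which its use is expected.
BASELINE = {
    "admin.jane": {"hosts": {"jump01"}, "hours": range(8, 19)},
    "svc_backup": {"hosts": {"bk-srv"}, "hours": range(0, 24)},
    "root": {"hosts": {"jump01"}, "hours": range(8, 19)},
}


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, acct_type, host, target, logon_type = (
            field.strip() for field in line.split("|")
        )
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "type": acct_type,
            "host": host,
            "target": target,
            "logon_type": logon_type,
        })
    return events


def find_anomalies(events, baseline):
    """Return (timestamp, account, reasons) for every event that breaks a rule."""
    findings = []
    for e in events:
        reasons = []
        profile = baseline.get(e["account"])
        if profile is None:
            # A privileged account the vault does not know about is itself
            # a finding: it was never discovered and onboarded.
            reasons.append("account not in vault inventory")
        else:
            if e["host"] not in profile["hosts"]:
                reasons.append(f"source host {e['host']} outside baseline")
            if e["ts"].hour not in profile["hours"]:
                reasons.append(f"sign-in at {e['ts'].hour:02d}:00 outside baseline hours")
        if e["type"] == "service" and e["logon_type"] == "interactive":
            # Service credentials should never be used by a person at a keyboard.
            reasons.append("service account used for an interactive logon")
        if reasons:
            findings.append((e["ts"].isoformat(), e["account"], reasons))
    return findings


if __name__ == "__main__":
    for ts, account, reasons in find_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts} {account}: {'; '.join(reasons)}")
```

On the constructed input this flags three events: the backup service account checked out from a workstation for an interactive logon, the domain admin signing in from an unfamiliar host near midnight, and an account that holds admin rights but was never onboarded to the vault. The last case is the one the discovery capability exists for.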
You can integrate PAM and IGA tools for added security and more robust management and compliance reporting
PAM tools provide a range of capabilities, including:
- Deep permission controls for privileged accounts
- Locking down credentials
- Automating credential rotation
- Controlling access based on roles and responsibilities
- Auditing and monitoring what a system administrator is doing in a specific system
- Reporting, including logged session reports
- Providing the ability to stop or intervene in a specific authenticated session
- Discovering unused or forgotten privileged accounts to reduce your attack surface
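An added example, not Delinea’s code, of two of the hygiene tasks described above: sweeping an account inventory for idle, orphaned, un-rotated and never-vaulted privileged accounts (the discovery item in the list), and picking rotation dates that are regular but not predictable (the password hygiene described earlier). The inventory rows, field names and policy thresholds are all constructed for the example:

```python
"""Added example (not Delinea code): review a privileged-account inventory
for forgotten, idle and un-rotated accounts, and schedule jittered rotation.

The inventory rows, the policy thresholds and the field names are
assumptions constructed for this example; real input would come from an
AD/LDAP export, a Unix account scan and the vault's own inventory.
"""
import secrets
from datetime import date, timedelta

# Constructed inventory. `in_vault` means the account is onboarded to PAM;
# `owner_active` is whether the human responsible for it still works here.
INVENTORY = [
    {"name": "admin.jane", "type": "human", "groups": ["Domain Admins"],
     "last_logon": date(2024, 3, 3), "pwd_last_set": date(2024, 2, 20),
     "in_vault": True, "owner_active": True},
    {"name": "svc_legacy_etl", "type": "service", "groups": ["Domain Admins"],
     "last_logon": date(2023, 6, 1), "pwd_last_set": date(2021, 1, 15),
     "in_vault": False, "owner_active": True},
    {"name": "svc_backup", "type": "service", "groups": ["Backup Operators"],
     "last_logon": date(2024, 3, 4), "pwd_last_set": date(2024, 2, 25),
     "in_vault": True, "owner_active": True},
    {"name": "admin.bob", "type": "human", "groups": ["Domain Admins"],
     "last_logon": date(2023, 10, 1), "pwd_last_set": date(2023, 9, 1),
     "in_vault": True, "owner_active": False},
    {"name": "root@web-01", "type": "root", "groups": [],
     "last_logon": date(2024, 1, 10), "pwd_last_set": date(2023, 12, 1),
     "in_vault": False, "owner_active": True},
]

# Assumed policy: idle threshold and maximum credential age per account type.
POLICY = {
    "max_idle_days": 90,
    "max_pwd_age_days": {"human": 90, "service": 30, "root": 90},
}


def review_accounts(inventory, policy, today):
    """Map each account name to the list of policy issues found (empty = clean)."""
    report = {}
    for acct in inventory:
        issues = []
        idle = (today - acct["last_logon"]).days
        pwd_age = (today - acct["pwd_last_set"]).days
        if idle > policy["max_idle_days"]:
            issues.append(f"idle for {idle} days")
        if pwd_age > policy["max_pwd_age_days"][acct["type"]]:
            issues.append(f"credential not rotated for {pwd_age} days")
        if not acct["in_vault"]:
            issues.append("not onboarded to the vault")
        if not acct["owner_active"]:
            issues.append("owner has left; account is orphaned")
        report[acct["name"]] = issues
    return report


def next_rotation(last_set, max_age_days, jitter_days):
    """Pick the next rotation date: never later than the maximum age, but on a
    randomly chosen day within the last `jitter_days` of that window, so the
    schedule is regular without being predictable. Uses `secrets`, not
    `random`, so the jitter cannot be reproduced by an observer."""
    earliest = max_age_days - jitter_days
    offset = earliest + secrets.randbelow(jitter_days + 1)
    return last_set + timedelta(days=offset)


if __name__ == "__main__":
    today = date(2024, 3, 4)
    for name, issues in review_accounts(INVENTORY, POLICY, today).items():
        print(f"{name}: {'; '.join(issues) or 'ok'}")
    print("svc_backup next rotation:",
          next_rotation(date(2024, 2, 25), POLICY["max_pwd_age_days"]["service"], 7))
```

Run against the constructed inventory, the sweep is clean for the two actively used, vaulted accounts and flags the other three: a legacy ETL service account in Domain Admins that has not signed in for most of a year, has carried the same password since 2021 and was never vaulted; a domain admin whose owner has left; and a root account whose password is past policy and which the vault does not manage.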
Integration between PAM and other IAM tools closes gaps of each system. For example, integrating PAM with IGA tools can enable:
- Provisioning and pruning of access
- Recertification of access (continuous recertification or trigger-based recertification throughout a lifecycle, rather than requiring manual periodic review)
- Access request handling
- Separation of duty control
Joe Gottlieb, SVP of Corporate Development for Delinea partner SailPoint, believes “there are forces pushing these two technologies together. Best practices call for PAM and IAM to be integrated.”
An integrated IAM/PAM system will help flag accounts that are not being used, reduce “entitlement creep,” automate the provisioning of new accounts, simplify the assignment of privileged accounts and make it possible to regularly prune access without relying on spreadsheets, email, and paper checklists. Most importantly, the integration will enable you to meet compliance and regulatory reporting requirements efficiently and with minimal overhead.
With PAM, you can implement an automated access management system for your most privileged business and technical accounts. You can remove potential gaps in your authentication management and oversight, granting access to the people who need it while minimizing the risk that the wrong people reach sensitive systems. And finally, you can obtain deeper management capabilities by integrating your PAM tools with complementary IAM and IGA systems.