Privilege Elevation and Delegation Management (PEDM)
What is Privilege Elevation and Delegation Management?
Privilege Elevation and Delegation Management (PEDM) describes a category of Privileged Access Management (PAM) focused on providing more granular access controls than typically offered by Privileged Account and Session Management (PASM) tools.
By providing more specific controls, PEDM helps reduce the risks posed by overprivileged users. Password vaulting is the most common method of securing access in PASM solutions, and it offers only the most basic, all-or-nothing control: human users and machines gain access by checking out an administrator account that has either full privileges or none.
PEDM solutions address this by providing host-based command control filtering and privilege elevation capabilities that allow specific commands to run with a higher level of privilege. PEDM thus lets companies improve their cyber security posture by granting admin rights only for certain tasks, applications, or scripts, on a limited basis. This fine-grained control enables organizations to deploy and enforce the principle of least privilege, giving employees and other users just the level of access they need to do their jobs.
How does PEDM work?
PEDM empowers IT and security teams with the ability to provide permissions based on defined roles, with built-in limitations—such as allowing an employee access to a specific server while limiting access to business hours or for another specified time.
Once a session ends, the PEDM capability revokes the access rights to secure the account. If, for any reason, the credentials involved are compromised, attackers cannot use them to maintain persistence. By combining PEDM with PASM, IT security can significantly reduce the number of administrator accounts throughout the organization. Because privileged accounts usually carry powerful access capabilities, they pose a serious risk if compromised by an attacker. By eliminating or limiting the total number of privileged accounts, organizations reduce the risk of abuse by external threats and malicious insiders.
PEDM solutions also allow administrators to systematically request new roles to get the rights they need to perform specific tasks. This self-service capability lets companies assign privileges and roles using a flexible, Just-in-Time approach. PEDM tools also help meet compliance requirements, since they typically include host-level monitoring and reporting capabilities.
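As an added illustration (not code from the original page or from any vendor's product), the following Python policy evaluator models the controls described above: a role-based rule set that allows only specific commands with specific arguments, a time-of-day window, and a Just-in-Time grant that stops conferring its role once it expires. The roles, commands, users and times are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
import shlex

@dataclass(frozen=True)
class ElevationRule:
    role: str
    command: str            # executable name as typed; "/bin/systemctl" does not match "systemctl"
    arg_patterns: tuple     # one glob per argument; the argument count must match exactly
    start: time             # allowed time-of-day window, start inclusive, end exclusive
    end: time

@dataclass(frozen=True)
class JitGrant:
    user: str
    role: str
    expires_at: datetime    # the role is revoked automatically once this moment passes

# Constructed sample policy (not from any real product): role -> command, arguments, hours.
RULES = (
    ElevationRule("web-ops", "systemctl", ("restart", "nginx"), time(8, 0), time(18, 0)),
    ElevationRule("web-ops", "journalctl", ("-u", "nginx", "-n", "*"), time(8, 0), time(18, 0)),
    ElevationRule("dba", "systemctl", ("restart", "postgresql"), time(0, 0), time(23, 59, 59)),
)

def authorize(user, cmdline, grants, now):
    """Return (allowed, reason) for running `cmdline` elevated; log both for audit."""
    argv = shlex.split(cmdline)
    if not argv:
        return False, "empty command"
    command, args = argv[0], argv[1:]
    # Just-in-Time: only unexpired grants for this user confer a role.
    active_roles = {g.role for g in grants if g.user == user and g.expires_at > now}
    if not active_roles:
        return False, "no active role grant"
    for rule in RULES:
        if rule.role not in active_roles or rule.command != command:
            continue
        if len(args) != len(rule.arg_patterns) or not all(
                fnmatchcase(a, p) for a, p in zip(args, rule.arg_patterns)):
            continue
        if not rule.start <= now.time() < rule.end:
            return False, f"outside allowed window for role {rule.role}"
        return True, f"matched rule for role {rule.role}"
    return False, "no rule permits this command"      # default deny

SAMPLE_GRANTS = (JitGrant("alice", "web-ops", datetime(2024, 3, 4, 21, 0)),)  # constructed scenario

def decide(user, cmdline, hour, minute=0):
    # Evaluate the constructed scenario on 2024-03-04 at the given time of day.
    return authorize(user, cmdline, SAMPLE_GRANTS, datetime(2024, 3, 4, hour, minute))
```

Every path returns a reason string, which is what a PEDM tool would write to its host-level audit log for the monitoring and reporting the text mentions.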