Privileged Access Management (PAM)
What is Privileged Access Management?
PAM is a broad category that concerns who can access a privileged account and what they can do once logged in to your organization’s network with that privileged account. PAM includes both privileged account management and privileged session management.
This overview builds your understanding of PAM so you can set the foundation for a comprehensive privileged access management strategy. We’ll cover:
What an IT professional should know about how privileged accounts function and the risks associated with their compromise and misuse.
How you can use this knowledge to make your organization much less vulnerable to potential monetary and reputational damage from increasing threats.
You’ll gain a practical understanding of privileged access management and its benefits to your organization. You’ll learn what privileged accounts are, where they’re located throughout an IT environment, and how they function. Most importantly, you’ll understand the risks associated with these accounts and learn how implementing a privileged account security solution can protect you from malicious insider and external threats.
Key Privileged Access Management Definitions
First, let’s define some key terms you need to know to understand PAM.
What’s the difference between privileged access management and privileged account management (both called PAM)?
The PAM industry began with the core capabilities of privileged account management. Privileged account management is the IT security process of using policy-based software and strategies to control who can access sensitive systems and information. Privileged accounts rely on credentials (passwords, keys, and secrets) to control access. By creating, storing, and managing these credentials in a secure vault, privileged account management controls authorized access of a user, process, or computer to protected resources across an IT environment.
Since the early days of PAM, however, privileged security strategies have expanded, and the common definition of PAM has changed. Today, most people define PAM as privileged access management. This definition of PAM reflects a broader security category than privileged account management. It includes cyber security strategies for exerting control over elevated access and permissions for users, accounts, and processes. It determines not only which people and systems can access a privileged account but also what they can do once logged in.
Additionally, this definition of PAM incorporates strategies that provide security teams with more granular control and oversight over the actions taken during privileged sessions. It includes managing the passwords of privileged accounts through tactics like credential management, least privilege enforcement, and account governance. For example, privileged access approval and workflows, two-factor/multi-factor authentication, privileged session monitoring and recording, and remote launching are critical elements of a comprehensive privileged access management program.
What’s the difference between user accounts and privileged accounts?
There are two major categories of IT accounts:
User Accounts: A user account typically represents a human identity (such as an Active Directory user account) and has an associated password that protects information and prevents anyone else from accessing it without permission. There is usually a single account password per user, which that person must memorize.
Privileged Accounts: Privileged accounts provide administrative or specialized levels of access to enterprise systems and sensitive data, based on higher levels of permissions. A privileged account can be associated with a human being or non-human IT system.
Organizations often have two to three times more privileged accounts than they have employees. In most organizations, IT staff have one account with standard-level permissions and another account for performing operations that require elevated permissions.
What are privileged accounts used for?
Privileged accounts are the keys to your IT kingdom because they can be used to access a sensitive server, adjust permissions, make backdoor accounts, or change or delete critical data.
Privileged accounts that need elevated permissions include:
- Local or Domain Admin accounts that manage servers
- Domain Admin accounts that typically control Active Directory users
- SA accounts, or system admin accounts, that help manage databases
- Root accounts that manage Unix/Linux platforms
- Accounts that run and manage Windows applications, services, and scheduled tasks
- IIS application pools (.NET applications)
- Networking equipment accounts that give access to firewalls, routers, and switches
What are privileged service accounts?
A service account is a special category of privileged account that requires elevated privileges to run scheduled tasks, batch jobs, application pools within IIS, and more across a complex network of databases, applications, and file systems. Hundreds or thousands of services rely on privileged accounts to run critical IT processes. As such, service accounts are among the highest risk privileged accounts.
Unfortunately, service accounts are also typically the most misused types of privileged accounts. To keep systems running and avoid downtime, they’re often configured with unnecessarily high levels of privilege. Without human owners, they often lack oversight. As a result, service account passwords aren’t rotated, expiration dates pass or are never set, and accounts are never decommissioned. These common practices create a dangerous vulnerability for any organization, opening the door to cyber attacks.
Who uses privileged accounts and where are privileged accounts located?
The typical user of a privileged account is a system administrator (sysadmin) responsible for managing an environment, or an IT administrator of specific software or hardware. They need elevated privileges to:
- Install system hardware/software
- Access sensitive data
- Reset passwords for others
- Log into all machines in an environment
- Make changes in IT infrastructure systems
Privileged accounts are used by systems administrators to deploy and maintain IT systems, so they exist in nearly every connected device, server, database, and application. Privileged accounts extend well beyond an organization’s on-premise or cloud-based enterprise infrastructure to include employee-managed marketing, sales, financial, and social media accounts. Therefore, it’s important that even small and medium businesses have an efficient privileged account management process in place.
What’s the difference between identity and access management (IAM) and privileged access management?
Privileged access management is generally accepted as part of the broader scope of identity and access management (IAM). Identity and privilege are inextricably linked, and as tools and solutions become more sophisticated, the lines between them continue to blur.
Identity refers to people. You, your boss, the IT admin, and the HR person are only a handful of examples of people who may be responsible for creating, updating, or even deleting attributes. The core objective of IAM is having one digital identity per individual. Once that digital identity has been established, it must be maintained, modified, and monitored.
Privileged access management is part of IAM, helping manage entitlements, not only of individual users but also shared accounts such as super users, administrative, and service accounts. A PAM tool, unlike IAM tools or password managers, protects and manages all types of privileged accounts. A mature privileged access management solution goes even further than simple password generation and access control to individual systems. It also provides a unified, robust, and—importantly—a transparent platform that is integrated into an organization’s overall identity and access management (IAM) strategy.
Risks and Vulnerabilities Related to Privileged Accounts
What are the risks associated with unmanaged privileged accounts?
Many high-profile breaches have one thing in common: They were accomplished through the compromise of privileged credentials. Industry analysts estimate that up to 80% of all security breaches involve the compromise of privileged accounts.
Despite the risk, traditional methods of identifying and managing privileged accounts still rely on manual, time-consuming tasks performed on an infrequent or ad-hoc basis. Even in the most sophisticated IT environments, privileged accounts are all too often managed by using common passwords across multiple systems, unauthorized sharing of credentials, and default passwords that are never changed—making them prime targets for attack.
These practices can easily compromise security because for most attackers taking over low-level user accounts is only a first step. Their real goal is to take over privileged accounts so they can escalate their access to applications, data, and key administrative functions. For example, in many cases, local domain accounts on end-user devices are initially hacked through various social engineering techniques. Attacks are then escalated to gain access to more systems.
Virtually all organizations have some unknown or unmanaged privileged accounts, increasing their risk. Some have thousands. This can happen for various reasons:
- An ex-employee’s access was never disabled.
- An account is utilized less and less often until it becomes obsolete and is abandoned.
- Default accounts for new devices were never disabled.
Every unknown or unmanaged privileged account increases your organization’s vulnerability and presents an opportunity for an intrusion. An employee may access it to perform unauthorized tasks, intentionally or unintentionally, breaking compliance regulations, and increasing your liability. A disgruntled ex-employee who retains privileged access can cause harm.
A cyber criminal can find the account and penetrate your organization, steal information, and wreak untold havoc.
If a single privileged account is used across your organization to run many services or applications, when that account is breached, your risk increases exponentially. In that case, it only takes one compromised privileged account for an attacker to gain access to virtually any information within your organization’s IT network.
How does the cloud increase your risk of a privileged account attack?
As businesses migrate to the cloud, the diversity of privileged access management use cases expands. In a cloud model, managing privileged access to workloads, services, and applications remains your responsibility, not the cloud provider’s. It’s also your responsibility to make sure data going to and from the cloud (via web browsers, email, file exchanges such as SFTP, APIs, SaaS products, and streaming protocols) is properly secured.
Unfortunately, many organizations aren’t adequately implementing and enforcing policies to control privileged access. The challenge exists not in the security of the cloud itself, but in the policies and technologies that control access, identities, and privileges. In nearly all cases, it’s the user, not the cloud provider, who fails to manage the controls. According to Gartner, through 2023, at least 99% of cloud security failures will be the customer’s fault, with 50% of issues attributed to inadequate access, identity, and privileged management.
Do your cloud use cases include infrastructure, application development, and business process automation?
As part of your privileged access management strategy, you need to protect the privileged credentials used to access and manage your cloud resources.
How do cyber-criminals compromise privileged accounts?
We’ve discussed the importance of privileged accounts, the central role privileged accounts play in managing systems, infrastructure and applications, and the risks associated with losing control of privileged accounts. Next, it’s important to understand the tricks and techniques cybercriminals use to wrest control of these accounts. In the next section, we’ll discuss what can be done to protect privileged accounts.
The path to compromising a privileged account often follows a variation of this pattern:
- Compromise a local account. Criminal hackers use malware or social engineering to get access to desktops, laptops, or servers. Employees are fooled by phishing scams that appear to be legitimate requests from an employee’s manager, company executive, or another trusted source. They may unknowingly click on a malicious link, download a piece of software with malware hidden inside, or enter their password credentials into fake websites.
- Capture a privileged account. An attacker’s primary goal is to obtain a privileged account (such as a local Windows administrator account) to move around. After an employee’s password is captured, the perpetrator can log onto a network and simply bypass many of the traditional IT security controls because they appear as a user with legitimate credentials. Common techniques include Man in the Middle or Pass the Hash attacks to elevate privileges.
- Hide and observe. Sophisticated criminal hackers are patient, preferring to remain undetected rather than crack-and-dash. After attackers establish a breach, they typically use compromised privileged accounts to perform reconnaissance and learn about the normal routines of IT teams. This includes observing regular schedules, security measures in place, and network traffic flow. They use these observations to blend in and make sure they don’t trigger any network security alarms. Eventually, they can get an accurate picture of the entire network and its operations.
- Impersonate employees. An attacker with access to a privileged account can impersonate a trusted employee or system and therefore can carry out malicious activity without being detected as an intruder. When attackers compromise a privileged account, they can operate undetected for weeks or months at a time. Because a compromised privileged account appears to be a legitimate user, it’s very difficult to find the root cause or perform digital forensics when a breach is eventually detected.
- Establish ongoing access. An attacker’s next step is often to establish ongoing access by installing remote access tools, which enables them to return anytime they wish and perform malicious activities without raising an alarm.
- Cause harm. Depending on the motive of the attackers, they can use privileged accounts to do things such as:
- Damage system functions or disable access by an IT administrator
- Steal sensitive data for fraud or reputation damage
- Inject bad code
- Poison data
Preventing Privileged Account Attacks with PAM
How does PAM lower your risk of a privileged account attack?
The overall goal when designing your privileged access management process and implementing solutions is to arm IT and security professionals with the tools they need to control access within their corporate environment, thus reducing the attack surface by limiting privileged access and behavior. Ultimately, by implementing a PAM solution in conjunction with other IT security best practices, you can contain potential damage related to attacks originating external to your organization, or those instigated internally, regardless of whether an action is due to intentional maliciousness or inadvertent incompetence.
Why is it so difficult to prevent attacks using network or perimeter security tools?
Many organizations try to protect their information with traditional security perimeter tools, such as firewalls, anti-virus, and intrusion detection solutions. But with fast-evolving cloud, mobile, and virtualization technologies, building a fence or moat around critical assets is no longer sufficient. In fact, it’s impossible.
In the digital workplace, people are constantly sharing information and being exposed to social engineering and targeted spear-phishing attacks aimed at getting passwords and credentials. When identities are stolen, attackers can easily bypass the traditional security perimeter undetected and escalate the exploitation of privileged accounts.
Hacking privileged credentials can mean the difference between a simple breach and one that could lead to a cyber catastrophe. Therefore, the “new cyber security perimeter” must focus on protecting the access of employees, contractors, third-party partners, services, and cloud systems.
What are the top 10 capabilities of PAM software that thwart malicious hackers and other external threats?
Enterprise-grade PAM solutions employ numerous features to lock down privileged access and thwart cyber attacks. They can discover privileged accounts across your organization and import them into a secure, encrypted repository—a password vault. Once all privileged credentials are inside, the PAM solution can manage sessions, passwords, and access automatically. Combine all this with features like hiding passwords from certain users, auto-rotating passwords, recording sessions, auditing, and multi-factor authentication and you have a robust defense against external threats. Here are 10 important capabilities of PAM software:
- Password Vaulting
Password leaks and data breaches are an increasing part of the IT world. Reusing passwords increases the likelihood that a system and its data will be compromised. The primary method of security provided by a privileged access management solution is password vaulting, where passwords are stored in a central, highly secure location and protected by strong encryption. This ensures extremely limited access to all passwords.
- Password Changing and Auto Generation
With PAM, you can generate random password values or merely rotate the current password. This can be done manually by an individual with an assigned password management role, or as an automated function of the PAM system. Each time a user requests access, a new password can be automatically generated by the PAM system to avoid password reuse or leakage, while ensuring a match between current credentials and the target systems.
To scale IT systems while managing costs, effective systems management increasingly requires a high degree of automation. PAM systems can automatically perform repetitive password-related tasks and can also alert administrators for a variety of privileged access conditions, such as failed password attempts, password requests, and web application transactions.
- Disaster Recovery
PAM systems can be designed with failover safeguards to ensure that no single point of failure can prevent critical access to systems during a widespread system or network failure.
- Access for Non-Employees
Third-party personnel may need continued access to systems (as opposed to emergency, one-time access as described below). PAM software can provide role-based access that doesn’t require granting domain credentials to outsiders, limiting access to needed resources and reducing the likelihood of unauthorized privileged access.
- Emergency Access to Critical Systems
Under certain conditions, emergency access must be granted to specific administrators and you’ll still need to ensure the monitoring and recording of all privileged activity in your systems. PAM solutions can offer a secure application launcher that provides immediate entry into applications without revealing passwords.
- Multi-factor Authentication Protocols
Even with multiple security protocols in place, there is still potential for privileged accounts to be breached. PAM software can add an additional layer of security with multi-factor authentication protocols (MAP) when a user requests access. OATH authentication and proprietary tokens can also be integrated as part of the MAP.
- Session Management
Once a user has accessed the system, PAM software can assist in workflow management through automation of each approval step throughout the session duration. For each user role, you can configure check-out rules and, if needed, receive notification for specific access requests that require manual approval by an administrator.
- Mobile Access Points
Mobile devices are becoming common access points to enterprise systems. PAM software can provide integration with a secure application launcher to grant access to remote devices.
- Auditing and Reporting
Auditing privileged sessions is critical. PAM solutions can provide recording and reporting for a variety of activities including password requests and session recording of transactions during privileged sessions. Additionally, PAM software can provide dozens of critical reports including asset reports, compliance reports, and privileged activity reports.
How does PAM software protect organizations from insider threats?
PAM solutions contain multiple features to safeguard against insider threats. Audit trails and email alerts keep administrators informed of what’s going on in the IT environment. Session monitoring and recording increases visibility of privileged account activity. There are also permissions as well as role-based access controls to give users the access they need to do their jobs. Last but not least, PAM allows you to sever the access users had the moment they leave your organization—an action that a surprising number of organizations fail to include in their PAM strategy.
How is PAM deployed?
PAM can be deployed on-premise, in the cloud (otherwise known as PAM as a Service, or PAMaaS), or with a hybrid approach. Increasingly, PAM solutions are delivered as a service. In the PAMaaS model, a privileged access management vendor manages hosting and updates so you can avoid the expense and resources of installing software and keeping it up to date. Cloud-native, PAMaaS solutions also provide tighter integrations with cloud resources to strengthen protection of privileged accounts in the cloud.
How to Develop a Comprehensive PAM
Critical questions to answer when getting started
Like any IT security measure designed to help protect critical information assets, proper privileged access management requires both an initial plan and an ongoing program. You must identify which privileged accounts should be a priority in your organization, as well as ensure the people who are responsible for managing your privileged accounts are clear on their acceptable use and responsibilities.
Before you can successfully implement a privileged access management solution, a planning phase must answer several key questions:
- How do you define a privileged account for your organization?
Map out what important functions rely on data, systems, and access. Identify important systems which would need to be recovered first in the event of a breach. Then you can identify the privileged accounts for those systems. Classifying privileged accounts at this stage is good practice because this helps prioritize privileged accounts and will make decisions easier when it comes to applying security controls.
- Who needs access to your privileged accounts?
Privileged accounts should be categorized as: a) human, b) applications and services, c) systems, and d) infrastructure accounts, including cloud-based accounts. These classifications will determine the level of interaction and security controls which should be applied to each privileged account. For applications and systems, ask yourself how often rotating the passwords is required and if the path to the system is static so you can restrict IP addresses that can use the privileged accounts.
- Do you rely on third-party contractors that need access?
Third-party contractors that need access to privileged accounts can be one of the highest risks because you don’t have full control over how they access and manage privileged accounts. Make sure you include these use cases in your planning and identify how those accounts should be created, governed, and eliminated as contracts are completed.
- Do you set time windows for privileged account usage?
Knowing when specific privileged accounts are supposed to be used indicates normal behaviors that allow you to identify possible abuse or misuse. Accounting systems, for example, may only require access at the end of the month or quarter. Backup systems typically run at scheduled times. Integrity validation and vulnerability scanning probably will follow a scheduled penetration test.
- What happens if privileged accounts are compromised?
Many organizations aren’t prepared when an account is breached and typically default to simply changing privileged account passwords or disabling the privileged account. That’s not enough. A comprehensive incident response toolkit helps you prevent a cyber attack from turning into a cyber catastrophe by ensuring key areas are addressed, such as:
- Steps to take before an incident occurs to make sure people are prepared to act
- Indicators of compromise that help you discover a privileged attack
- Actions to take during each phase of an incident to contain the damage
- Strategies that help you continue normal business operations even while under attack
- What’s the risk of privileged accounts being exposed or abused by an insider?
Protecting privileged accounts from insider misuse or abuse should focus on your most critical systems. Most employees, for example, shouldn’t be given access to all critical systems at the same time, including production systems, backup systems, and financial systems. Employees changing jobs within your organization shouldn’t be able to keep the same access from their previous roles.
- Do you have an IT security policy that explicitly covers privileged access management?
While many companies have a corporate IT policy in place, many still lack one that covers the acceptable use and responsibilities of privileged accounts. Create a privileged account password policy that treats privileged accounts separately by clearly defining what a privileged account is and detailing acceptable use. Be sure to include who is responsible and accountable for using privileged accounts.
- Do you have to comply with government or industry regulations?
If your company must comply with certain industry regulations, it’s critical to get privileged accounts secured. Many organizations must undergo regular internal and external audits to comply with policies and legal requirements. That means demonstrating to auditors that your privileged accounts are audited, secured, and controlled.
- What reports does your CISO expect on privileged account use and exposure?
Discuss with your CISO your goals for a PAM program and how you’ll measure success. If you can’t properly observe what’s going on with your privileged accounts, you increase your risk. If a breach does occur, monitoring privileged account use helps digital forensics identify the root cause and identify critical controls that can reduce your risk of cyber security threats.
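The time-window question above (and the indicators-of-compromise point under incident response) can be turned into a concrete check. The script below is an added example, not part of the original article or any Delinea product: it encodes expected usage windows and source networks for a few constructed privileged accounts (nightly backup job, month-end finance admin, a human admin's working hours) as policies and runs them over constructed logon records. The log format, account names, policies and addresses are all assumptions for illustration.

```python
"""Flag privileged account logons that fall outside their expected usage window,
come from an unexpected source network, or fail. Everything here (log format,
account names, policies, addresses) is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WEEKDAYS = frozenset(range(0, 5))   # Monday..Friday
EVERY_DAY = frozenset(range(0, 7))


@dataclass(frozen=True)
class UsagePolicy:
    weekdays: frozenset                 # 0=Monday .. 6=Sunday
    start: time                         # inclusive
    end: time                           # exclusive
    days_of_month: Optional[frozenset] = None   # None = any day of the month
    source_nets: tuple = ()             # empty = any source address


# Assumed policies: when and from where each privileged account should be used.
POLICIES = {
    # nightly backup job: 01:00-04:00 any day, only from the backup subnet
    "svc-backup": UsagePolicy(EVERY_DAY, time(1, 0), time(4, 0),
                              source_nets=(ipaddress.ip_network("10.0.5.0/24"),)),
    # month-end close: business hours on the last and first few days of a month
    "fin-close-adm": UsagePolicy(WEEKDAYS, time(8, 0), time(18, 0),
                                 days_of_month=frozenset({28, 29, 30, 31, 1, 2, 3})),
    # a human admin's working hours
    "jdoe-adm": UsagePolicy(WEEKDAYS, time(8, 0), time(19, 0)),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = ts
    return fields


def check_event(event, policy):
    """Return the policy violations for one logon event (empty list = as expected)."""
    ts = event["ts"]
    reasons = []
    if ts.weekday() not in policy.weekdays:
        reasons.append("logon on a day of the week outside the expected window")
    if policy.days_of_month is not None and ts.day not in policy.days_of_month:
        reasons.append("logon on a day of the month outside the expected window")
    if not (policy.start <= ts.time() < policy.end):
        reasons.append(f"logon at {ts.time()} outside {policy.start}-{policy.end}")
    if policy.source_nets:
        try:
            src = ipaddress.ip_address(event.get("src", ""))
            if not any(src in net for net in policy.source_nets):
                reasons.append(f"logon from unexpected source {src}")
        except ValueError:
            reasons.append("logon with missing or unparseable source address")
    if event.get("result") == "failure":
        reasons.append("failed logon to a privileged account")
    return reasons


def find_anomalies(lines, policies=POLICIES):
    """Run every logon by a tracked privileged account through its policy."""
    anomalies = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("event") != "logon":
            continue
        policy = policies.get(ev.get("user"))
        if policy is None:
            continue  # not a privileged account we track
        reasons = check_event(ev, policy)
        if reasons:
            anomalies.append((ev["ts"].isoformat(), ev["user"], ev.get("host"), reasons))
    return anomalies


# Constructed logon records (2024-06-03 is a Monday, 2024-06-08 a Saturday).
SAMPLE_LOG = """\
2024-06-03T02:15:04Z host=db01 user=svc-backup event=logon src=10.0.5.12 result=success
2024-06-03T14:22:11Z host=db01 user=svc-backup event=logon src=10.0.9.77 result=success
2024-06-14T10:05:00Z host=erp01 user=fin-close-adm event=logon src=10.0.2.30 result=success
2024-06-28T10:05:00Z host=erp01 user=fin-close-adm event=logon src=10.0.2.30 result=success
2024-06-04T09:00:00Z host=ws-44 user=jdoe-adm event=logon src=10.0.3.8 result=success
2024-06-04T09:00:05Z host=ws-44 user=jdoe-adm event=logon src=10.0.3.8 result=failure
2024-06-08T23:40:00Z host=ws-44 user=jdoe-adm event=logon src=10.0.3.8 result=success
2024-06-08T23:41:00Z host=ws-44 user=jdoe event=logon src=10.0.3.8 result=success
""".splitlines()

if __name__ == "__main__":
    for ts, user, host, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {user}@{host}: " + "; ".join(reasons))
```

Feeding the same policies from a PAM system's check-out schedule and the events from a SIEM export would make this a simple detection rule for privileged account misuse.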
Basic PAM Security Controls
Privileged access management doesn’t have to be an insurmountable challenge. Any organization can control and secure its privileged accounts (and make an attacker’s job more difficult) with these best practices:
- Increase awareness and empower employees
With more sophisticated social engineering and phishing attacks, and with more personal devices used for business purposes, you must train employees on secure behavior. Provide privileged access management training to those who will be using and are accountable for privileged accounts. PAM training should emphasize the critical importance of privileged account security and include IT security policies specific to your organization. Make sure you get buy-in from your executive team by educating them as well.
- Write a formal policy for privileged accounts to assure accountability
Base policies on the categorization and classification of privileged accounts specific to your organization. Rely on purpose-built security policy documents; don’t start from scratch.
- Change default IDs and passwords for many built-in privileged accounts
This should be one of your very first tasks in improving PAM security. Research shows one in five organizations have never changed default passwords, such as “admin” or “12345,” on privileged accounts. These default credentials are a top priority for malicious hackers because it’s so easy to crack their passwords.
- Limit privileged access to systems
Limit privileged account access through a least privilege strategy, meaning privileges are only granted at the level necessary. Enforce least privilege on workstations by keeping them configured to a standard user profile and automatically elevating their privileges to run only approved applications. For IT administrator users, control access and implement super user privilege management for Windows and Unix systems and cloud resources.
- Don’t allow privileged accounts to be directly shared
Shared credentials among IT administrators make it very easy for an attacker to escalate permissions and gain access to sensitive information. Privileged account access should be limited by time, scope of permissions, and approvals needed.
- Limit privileged and unknown applications
Applications need to be inventoried and undergo strict policy enforcement for password strength, account access, and password rotation. Least privilege and application control solutions enable seamless elevation of approved, trusted applications while minimizing the risk of running unauthorized applications.
- Control new privileged account creation with a formal review and approval process
The creation of any new privileged account should be subject to specific reviews and approvals involving a peer or supervisor review.
- Govern privileged accounts
Proactively manage, monitor, and control privileged account access. Rotate, audit, analyze, and manage privileged session activity. Monitor privileged accounts to quickly detect and respond to malicious activity.
- Evaluate your privileged accounts to set appropriate expiration dates
This policy helps prevent what’s known as privileged access creep, in which users accumulate privileges over time. Review and disable privileged accounts that aren’t appropriate for specific users—especially for accounts used by third-party contractors that are no longer needed.
- Steer clear of manual methods for PAM
Too many organizations rely on spreadsheets to keep track of privileged account passwords and attempt to govern them manually. These practices are inefficient and increase your risk. As your organization grows, manual methods become impossible to scale.
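The review of expiration dates and access creep described above, together with the causes of unmanaged accounts listed earlier (ex-employee access never disabled, abandoned accounts, default accounts never changed, service account passwords never rotated), can be automated rather than tracked in a spreadsheet. The following is an added example, not code from the original article or from any PAM product: it runs a small set of hygiene checks over a constructed privileged account inventory and ranks the findings by severity. Account names, dates, and the 90-day rotation and 180-day idle thresholds are assumptions.

```python
"""Review a privileged account inventory for the hygiene gaps described on this
page: default passwords, unrotated passwords, missing or passed expiration dates,
orphaned non-human accounts, departed owners, and idle accounts.
All records and thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PrivilegedAccount:
    name: str
    kind: str                              # "human", "service", "system", "infrastructure"
    owner: Optional[str]                   # accountable person or team; None = nobody
    last_password_change: Optional[date]   # None = never rotated
    last_login: Optional[date]             # None = never used
    expires: Optional[date]                # None = no expiration set
    owner_active: bool = True              # False once the person or contract has left
    uses_default_password: bool = False


@dataclass
class Finding:
    account: str
    severity: str      # "critical", "high" or "medium"
    reason: str


def review_account(a, today, rotation_days=90, idle_days=180):
    """Return the findings for one account; an empty list means it looks healthy."""
    f = []
    if a.uses_default_password:
        f.append(Finding(a.name, "critical", "default password never changed"))
    if not a.owner_active:
        f.append(Finding(a.name, "critical", "owner or contract has left but access was never revoked"))
    if a.last_password_change is None:
        f.append(Finding(a.name, "high", "password has never been rotated"))
    elif (today - a.last_password_change).days > rotation_days:
        f.append(Finding(a.name, "high", f"password older than {rotation_days} days"))
    if a.expires is None:
        f.append(Finding(a.name, "medium", "no expiration date set"))
    elif a.expires < today:
        f.append(Finding(a.name, "high", f"expired on {a.expires.isoformat()} but still enabled"))
    if a.kind != "human" and a.owner is None:
        f.append(Finding(a.name, "medium", "non-human account has no accountable owner"))
    if a.last_login is None or (today - a.last_login).days > idle_days:
        f.append(Finding(a.name, "medium", f"unused for more than {idle_days} days; review for decommissioning"))
    return f


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def review_inventory(accounts, today, **limits):
    """Review every account and return findings, most severe first."""
    findings = []
    for a in accounts:
        findings.extend(review_account(a, today, **limits))
    findings.sort(key=lambda x: (SEVERITY_ORDER[x.severity], x.account))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. for a CISO report."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for x in findings:
        counts[x.severity] += 1
    return counts


# Constructed inventory, as a PAM discovery job or directory export might produce it.
TODAY = date(2024, 6, 1)
INVENTORY = [
    PrivilegedAccount("svc-backup", "service", None, date(2021, 1, 15), date(2024, 5, 31), None),
    PrivilegedAccount("jdoe-adm", "human", "jdoe", date(2024, 5, 1), date(2024, 5, 30),
                      date(2024, 12, 31), owner_active=False),
    PrivilegedAccount("fw-core-admin", "infrastructure", "netops", None, date(2023, 1, 10),
                      None, uses_default_password=True),
    PrivilegedAccount("contractor-db", "human", "acme-consulting", date(2024, 4, 20),
                      date(2024, 5, 20), date(2024, 3, 31)),
    PrivilegedAccount("ops-lead-adm", "human", "ops-lead", date(2024, 5, 15), date(2024, 5, 31),
                      date(2025, 1, 1)),
]

if __name__ == "__main__":
    results = review_inventory(INVENTORY, TODAY)
    for x in results:
        print(f"[{x.severity:8}] {x.account:15} {x.reason}")
    print(summarize(results))
```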
How to choose a vendor for your PAM solution
You want to implement a comprehensive privileged access management solution with a trusted partner to help you control access to systems and sensitive data, comply with policies and regulations, and ultimately make your organization safer.
Selecting the best privileged account security solution for your organization can be daunting. To simplify the process, focus on some key requirements:
- Robust solution: Does the price include everything you need to govern your privileged accounts in the manner most suitable for your organization? You shouldn’t have to navigate numerous add-ons for every little feature or pay later for additional functionality or services.
- Easy to manage: Does the software make it easier for an IT Admin to do their job?
- Excellent user onboarding: A high adoption rate among users results in better security across your organization.
- Fast time to value: The solution should be swift and effective, delivering the protection promised without requiring investment in lengthy and expensive services or extended timelines.
- Top-notch support: The top privileged access management vendors offer phone, email, knowledge base, and forum support at every stage, from trial to purchase and ongoing use.
- Innovation and frequent updates: Attack vectors are constantly increasing in number and complexity. The solution you choose should be able to keep up.
- Scalability: The software must scale as your organization grows and your needs expand.
Building on the PAM basics
Once you’re experiencing the benefits of a privileged access management system, it’s important to keep it in prime condition and plan for ongoing improvements.
Audit and analyze privileged account activity. The combination of auditing and analytics can reduce your privileged account risk. Auditing of privileged accounts gives you metrics that provide executives with vital information to make more informed decisions as well as demonstrate compliance with policies and regulations.
Keep discovering privileged accounts. Implement a process and automated tools to continuously identify new privileged accounts and account changes made in your network. It’s the only practical way to maintain the visibility and control necessary to protect your critical information assets.
Prevent sprawl. Automated service account governance prevents service account sprawl by managing the lifecycle of service accounts from provisioning through decommissioning.
Integrate PAM with other IT and security systems. Integrate PAM into your organization’s other security and IT systems for a defense-in-depth strategy. Integrating PAM as part of the broader category of identity and access management (IAM) ensures automated control of user provisioning along with best security practices to protect all user identities. PAM security should also be integrated with security information and event management (SIEM) solutions. This provides a more inclusive picture of security events that involve privileged accounts and gives your IT security staff a better indication of security problems that need to be corrected or those that require additional analysis.
PAM can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, and administration and behavior analytics. By paying special attention to privileged account security, you can enhance all your cyber security to safeguard your organization in the most efficient and effective way possible.
Extend existing directories such as Active Directory to Unix/Linux. Increase visibility of local and privileged users and accounts across operating systems and platforms to simplify management and reporting.
Next Steps to becoming a PAM Expert
Now that you know the basics of privileged access management, you can test out a PAM solution for yourself. Start with a free trial of Delinea Secret Server and see how it works for you.
More Privileged Access Management Resources:
Privileged Access Management Best Practices
Privileged Access Management for Dummies