Privileged Access Management is a category of cybersecurity solutions that enables security and IT teams to securely manage access for all privileged identities in an enterprise environment.
With PAM, you can employ consistent, policy-based security controls to manage privileged user behavior. These PAM policies determine what target systems authenticated identities are authorized to access and what they can do with that access.
Ultimately, implementing a PAM solution can prevent, detect, and contain privilege-based cyberattacks and malicious or accidental privileged insider behavior that puts your organization at risk.
Privileged Access Management doesn’t have to be an insurmountable challenge. Any organization can secure privileged access and make an attacker’s job more difficult.
This overview builds your understanding of PAM so you can set the foundation for a comprehensive Privileged Access Management strategy. You’ll learn how privileged access is defined and managed, and how implementing a PAM solution can safeguard your organization.
PAM replaces the need for manual password management and access control with seamless automation, stronger security, and continuous oversight.
Too many organizations rely on spreadsheets to keep track of passwords and attempt to govern privileged access manually. They also place the burden on users to remember passwords and adhere to access security policies. These practices are inefficient and increase your risk. As your organization grows, manual methods are impossible to scale.
PAM is necessary to help organizations meet cybersecurity best practices, compliance requirements, and expectations of cyber insurance companies.
Importantly, PAM helps organizations align with the Principle of Least Privilege, which means privileged access is only granted at the level necessary for people to get their jobs done. PAM reduces the attack surface by eliminating shared accounts and standing or excess privileges.
Users with privileged access are found everywhere in an enterprise, such as:
These privileged users can not only gain initial access to systems but can also adjust permissions, configure settings, make backdoor accounts, or change, delete, and extract sensitive, private data.
With PAM, you can manage and secure privileged access for all of them.
PAM capabilities fall into two classifications, which take different approaches to managing privileged access.
Privileged Account and Session Management (PASM) - In this approach, privileged access is managed via a PAM vault, which creates and stores “secrets” (passwords, keys, certificates) tied to privileged accounts. Privileged users must check out those secrets to gain access to systems. In addition, the PAM system enables privileged session management and recording at the vault/gateway level to monitor and report on the use of privileged accounts.
Privileged Elevation and Delegation Management (PEDM) - In this approach, all users (even domain admins and system admins) operate with standard privileges until they require a higher level of access. Controls on endpoints (servers or workstations) elevate privileges for a limited time, under limited circumstances. This approach reduces the need for shared privileged accounts, standing access, and excessive privileges. It allows more granular oversight of individual privileged behavior.
The combination of the PASM and PEDM approaches in a comprehensive PAM solution provides layered defenses for different privileged access scenarios and risk factors.
Like any IT security measure, Privileged Access Management requires thoughtful planning before you ever begin technology implementation.
Here are some important considerations for your PAM strategy.
1. Start by identifying which systems are business-critical and represent the highest risk in your organization. To do this, map out what important functions rely on data, systems, and access, including test systems, production systems, and backup systems. Identify important systems which would need to be recovered first in the event of a cyberattack.
2. Understand which privileged users and machine identities require privileged access to those business-critical systems. Determine exactly what access they need and when they need it. Most employees, for example, shouldn’t be given access to all critical systems at the same time. Employees changing jobs within your organization shouldn’t be able to keep the same access from their previous roles.
3. Make sure you include third-party contractors, vendors, and partners in your privileged access planning. Identify how their access will be granted and monitored as contracts are completed.
Related reading: What is Vendor Privileged Access Management (VPAM)
4. Decide on the factors that will determine how privileged access is granted, approved, monitored, and recorded. Ensure your PAM policies align to any regulatory compliance or cyber insurance requirements you have.
5. Understand what type of privileged behavior is expected so you can understand when accidental or malicious anomalies are occurring. For example, backup systems typically run at scheduled times. Privileged users typically access systems from certain IP addresses, using certain devices, at certain times of day.
6. Determine what you’ll do if unexpected access is detected. Many organizations aren’t prepared when a privileged attack is suspected and typically default to simply changing privileged account passwords or disabling privileged access. A comprehensive cyber incident response plan helps you prevent a cyberattack from turning into a cyber catastrophe by ensuring key areas are addressed, such as:
a. Steps to take before a privilege-based attack occurs to make sure people are prepared to act
b. Indicators of compromise that help you discover account compromise or a privilege-based attack
c. Actions to take during each phase of an incident to contain the damage
d. Strategies that help you continue normal business operations even while under attack
7. Create a PAM policy for privileged access. Be sure to include who’s responsible for managing privileged access and how authentication and authorization are conducted.
8. Determine how you’ll measure success and demonstrate progress to executives and auditors. Many organizations must undergo regular internal and external audits to comply with regulatory, legal, and cyber insurance requirements. That means demonstrating that your privileged accounts are audited, secured, and controlled, and carefully defining policies and implementing security controls for privileged access. Discuss your goals for a PAM program with your CISO. Determine how often they’ll want to see reports and the level of detail they’ll need.
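As an added example, not part of the original article: the kind of baseline that item 5 describes (expected source networks, devices and hours of day for each privileged account) can be written down explicitly and checked against privileged access events, so that deviations surface as findings instead of being spotted by hand. The log format, account names, baseline values and sample log lines below are all constructed for illustration.

```python
"""Flag privileged access events that deviate from a per-account baseline.

Added example, not from the original article. The log format, the field
names, the baseline values and the sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline of expected privileged behaviour: which source
# networks, which devices and which hours are normal for each account.
BASELINE = {
    "svc-backup": {
        "networks": ["10.20.0.0/24"],
        "devices": {"bkp-srv-01"},
        "hours": range(1, 4),          # scheduled backup window, 01:00-03:59
    },
    "adm-jdoe": {
        "networks": ["10.10.5.0/24", "10.10.6.0/24"],
        "devices": {"LT-JDOE"},
        "hours": range(8, 19),         # business hours, 08:00-18:59
    },
}


@dataclass(frozen=True)
class Finding:
    account: str
    timestamp: str
    reasons: tuple


def parse_line(line):
    """Parse one constructed log line: 'timestamp account src_ip device target'."""
    ts, account, src_ip, device, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src_ip": ip_address(src_ip), "device": device, "target": target}


def check_event(event, baseline=BASELINE):
    """Return the list of baseline violations for one privileged event (empty if normal)."""
    profile = baseline.get(event["account"])
    if profile is None:
        # An account nobody has profiled is itself worth a look: it may be new or unsanctioned.
        return ["no baseline for account"]
    reasons = []
    if not any(event["src_ip"] in ip_network(net) for net in profile["networks"]):
        reasons.append(f"unexpected source {event['src_ip']}")
    if event["device"] not in profile["devices"]:
        reasons.append(f"unexpected device {event['device']}")
    if event["ts"].hour not in profile["hours"]:
        reasons.append(f"outside expected hours ({event['ts'].hour:02d}:00)")
    return reasons


def detect(lines, baseline=BASELINE):
    """Run every log line through the baseline check and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = check_event(event, baseline)
        if reasons:
            findings.append(Finding(event["account"], event["ts"].isoformat(), tuple(reasons)))
    return findings


# Constructed sample log lines: two normal events, then three deviations.
SAMPLE_LOG = """
2024-03-04T02:10:00 svc-backup 10.20.0.15 bkp-srv-01 db-prod-01
2024-03-04T14:30:00 adm-jdoe 10.10.5.42 LT-JDOE dc-01
2024-03-04T23:45:00 adm-jdoe 198.51.100.7 UNKNOWN-PC dc-01
2024-03-04T11:00:00 svc-backup 10.20.0.15 bkp-srv-01 dc-01
2024-03-04T09:00:00 adm-xyz 10.10.5.9 LT-XYZ fileserver-01
""".strip().splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding.account, finding.timestamp, "; ".join(finding.reasons))
```

The baseline is deliberately simple so that it can be reviewed by the people who own the accounts; in practice it would be derived from the session and audit data a PAM vault already records, and the findings would go to the SIEM as alerts rather than to standard output.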
When you’re implementing a Privileged Access Management strategy, you’ll want to start with the basics so you can reduce your risk right away. Most organizations begin their Privileged Access Management program with a PASM approach by implementing a PAM vault to manage privileged accounts and the secrets that unlock them.
This includes PAM functionality such as:
As you become more mature in your PAM journey, you’ll likely expand your PAM program in terms of governance, privilege administration, and identity management.
In addition to a PAM vault, you’ll begin to adopt the capabilities of PEDM solutions so that you can provide just-in-time, just-enough access through privilege elevation. Automation and risk-based privileged management will become more important as your organization becomes more diverse and complex.
While you don’t need to adopt every PAM capability at once, it’s helpful to have a long-term view of your PAM maturity journey (below). Then you can ensure that any PAM software you select will make it easy to add on capabilities without having to start over on a new system or learn a new interface.
Related reading: PAM Maturity Model.
Enterprise-grade PAM solutions employ numerous features to support you as your PAM program becomes more sophisticated.
Here are 12 important capabilities of enterprise Privileged Access Management software:
1. Account lifecycle management - Vault and manage the lifecycle of privileged accounts from provisioning to deprovisioning to rationalize the number of accounts and reduce your attack surface. Ensure that rotating a privileged account password doesn't break dependent services.
2. Insights and incident response - Integrate with a SIEM tool for privileged activity monitoring and alerting. Ensure admins use their individual accounts for all privileged access, so logged events tie back to a unique user, streamlining incident response and audit activities. Record privileged sessions initiated from the vault so they can be replayed and their metadata searched to facilitate incident investigations and audits. Enforce session, file, and process auditing for detailed event intelligence at the host operating system level. Leverage audit data, machine learning, behavioral analytics, and automation to detect, track, and alert on anomalous privileged activities.
3. Inventory and classification - Import from Excel, or automatically discover and classify, AD and Azure AD accounts and groups, local Windows and Linux privileged accounts, and local *NIX SSH keys, and vault them so the PAM system has centralized management and control over their use. Continuously discover new privileged accounts, whether created by sanctioned processes, shadow IT, or an adversary. Discover and classify privileged admin groups, roles, and security configuration files to ensure visibility and simplify access based on their sensitivity and importance. Automatically discover service and application accounts across identity and cloud service providers for visibility. Upon discovering a new or unmanaged asset, automate the process of bringing it under centralized management, deploying PAM controls, enforcing baseline PAM policies, and vaulting local privileged accounts.
4. Password management - Enable automatic rotation of privileged account passwords. Configure password complexity rules.
5. Secrets vaulting and management - Vault the most privileged accounts in your environment, such as those that can create other accounts, move laterally across multiple systems, and have full control within your trust fabric (AD and Azure AD). Enable access to these accounts only in emergency situations. Manage admin groups, roles, and security configuration files that might grant privileged access across all assets.
6. Secure PAM - Use a bastion/jump host to proxy connections to servers in private networks that don't expose public IP addresses. Configure target servers to permit inbound sessions only from the trusted jump hosts.
7. Access control - Support dual authorization for privileged operations on critical or sensitive secrets and assets. For example, require just-in-time privileged access approval or DoubleLock to provide an extra layer of security for accessing secrets. Support just-in-time access requests for elevated permissions to run privileged commands and applications on workstations and servers. Control application launch with local controls that enforce privilege elevation policies on Windows and Mac workstations. Minimize local privileged accounts on Linux and UNIX to reduce the attack surface and align with the Principle of Least Privilege and zero standing privileges. Prohibit privileged access from any client that is unknown, unsecured, or untrusted.
8. Secure remote access - For remote access, obtain the necessary credentials from the vault without exposing them to the user. Leverage vaulted credentials to automatically launch login sessions to targets other than servers and websites. Extend credential and session security to any target that has a suitable API, such as PowerShell, PuTTY, SQL Server, and Notepad. Enable browser-based remote access to Windows, Linux, and UNIX servers. Ideal for vendors and other remote users, this reduces the risks associated with VPN-based remote access, increases user productivity, and reduces helpdesk calls. Expand remote access beyond remote employees to third-party vendors and contractors. Apply a stricter degree of security to these users through VPN-less remote access, since you have less control over them.
9. DevOps - Remove plaintext, hard-coded credentials and sensitive configuration data from source code, configuration, and script files, and replace them with programmatic calls to the vault that obtain the secrets and credentials granting privileged access. This prevents adversaries from harvesting sensitive data from disk.
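As an added example (not the article's or any vendor's code) of the DevOps point above: a small scanner that spots credential literals in configuration or script text, alongside the runtime pattern that replaces them with a vault lookup. VaultClient is a hypothetical stand-in for a PAM vault SDK, and the file contents, secret paths and detection patterns are constructed for illustration.

```python
"""Find hard-coded credentials in config or script text and fetch them from a vault instead.

Added example, not the article's or any vendor's code. VaultClient is a
hypothetical stand-in for a real PAM vault SDK; the file contents, secret
paths and detection patterns below are constructed for illustration.
"""
import re

# Lines that assign a literal value to a credential-looking key, e.g.
#   password = "Sup3rS3cret!"   or   api_key: AKIA...
# The match must run to end of line, so references such as vault.get("...")
# or ${DB_PASS} are not flagged; only bare literals are.
LITERAL_ASSIGNMENT = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*"""
    r"""['"]?([^'"\s(){}$\[\]]{6,})['"]?\s*(?:#.*)?$"""
)
# user:password@host embedded in a connection URL.
URL_CREDENTIAL = re.compile(r"://[^/\s:@]+:([^@\s]+)@")


def scan_text(text):
    """Return [(line_number, line)] for every line carrying a credential literal."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if LITERAL_ASSIGNMENT.search(stripped) or URL_CREDENTIAL.search(stripped):
            findings.append((number, stripped))
    return findings


class VaultClient:
    """Hypothetical minimal vault interface: secrets live in the vault, callers
    identify themselves, and every retrieval is recorded for audit."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)    # constructed in-memory stand-in for the vault
        self.audit = []

    def get(self, path, requester):
        self.audit.append((requester, path))
        if path not in self._secrets:
            raise PermissionError(f"{requester}: no access to {path}")
        return self._secrets[path]


def build_db_url(vault, requester):
    """The credential is fetched at runtime and never written into source or config."""
    password = vault.get("db/prod/app", requester)
    return f"postgres://app:{password}@db.internal/app"


# Constructed file contents before and after remediation.
BEFORE = """db_url = postgres://app:Sup3rS3cret!@db.internal/app
api_key = "AKIAEXAMPLEKEY000000"
timeout = 30
"""
AFTER = """db_url = ${VAULT:db/prod/url}
api_key = vault.get("api/prod/key")
timeout = 30
"""

if __name__ == "__main__":
    print("before:", scan_text(BEFORE))
    print("after: ", scan_text(AFTER))
    vault = VaultClient({"db/prod/app": "Sup3rS3cret!"})
    print(build_db_url(vault, "deploy-bot"))
    print("audit:", vault.audit)
```

A scanner like this belongs in the pipeline (pre-commit hook or CI step) so that a credential literal fails the build before it reaches a repository; the vault call in its place gives you the retrieval record that a file on disk never can.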
10. Just-in-time access request - Integrate with IT Service Management tools (such as ServiceNow) to streamline privileged access requests.
11. Identity governance - Establish policies around secret checkout and session launching. Self-service request workflows, built into the PAM platform or provided via integrations with third-party workflow tools such as ServiceNow, allow users to request privileged access. This helps align with best practices such as zero standing privileges. Enable creation of basic elevation policies to run privileged applications on workstations (Windows, Mac) and servers (Windows, Linux) to support least privilege. Support granular policies for privilege elevation to give tighter control over privileged access. Enforce just-enough privilege to avoid granting excessive privileges that are not required for the task at hand. Integrate with Identity Governance and Administration tools (such as Fastpath and SailPoint) for attestation reporting and risk-based approvals.
12. MFA at depth - Enforce MFA policies at initial access and privilege elevation to eliminate passwords and increase identity assurance. Enforce MFA for all admin users who log in to the PAM vault, when checking out a secret from the vault, and when initiating a remote login session to a server, so that in each case the user is confirmed as the legitimate owner of the credential. Enforce MFA at workstations and servers for direct login and for privileged command and application execution.
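As an added example, not the article's or any vendor's code, of the just-in-time, dual-authorization and just-enough controls described under Access control, Just-in-time access request and Identity governance: a minimal broker that clamps a request to the policy ceiling, starts the grant clock only once the required number of approvals exists, binds the grant to the requester, and refuses checkout after expiry. Users, roles, secret names and policy values are constructed, and the broker models the workflow rather than any real PAM product's API.

```python
"""Just-in-time privileged access with dual authorization and a timed grant.

Added example, not the article's or any vendor's code. Users, roles, secret
names and policy values are constructed; the broker is a minimal model of
the workflow, not a real PAM product's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    required_approvals: int     # 2 = dual authorization for the most sensitive secrets
    max_duration: timedelta     # hard ceiling on how long a just-in-time grant lasts
    allowed_roles: frozenset    # roles permitted to request this secret at all


@dataclass
class Request:
    requester: str
    secret: str
    reason: str
    duration: timedelta
    approvals: set = field(default_factory=set)
    expires_at: Optional[datetime] = None


class AccessBroker:
    """Brokers time-bound checkouts of vaulted secrets under per-secret policy."""

    def __init__(self, policies, roles, vault):
        self.policies = policies    # secret name -> Policy
        self.roles = roles          # user -> role
        self.vault = vault          # secret name -> value (constructed stand-in)
        self.requests = {}
        self.audit = []             # every decision is recorded for later review

    def request(self, requester, secret, reason, duration, now):
        policy = self.policies[secret]
        if self.roles.get(requester) not in policy.allowed_roles:
            self.audit.append(("denied", requester, secret, "role not allowed"))
            raise PermissionError(f"{requester} may not request {secret}")
        # Just-enough access: never grant longer than the policy ceiling.
        duration = min(duration, policy.max_duration)
        req_id = len(self.requests) + 1
        self.requests[req_id] = Request(requester, secret, reason, duration)
        self.audit.append(("requested", requester, secret, now.isoformat(), duration.total_seconds()))
        return req_id

    def approve(self, req_id, approver, now):
        req = self.requests[req_id]
        policy = self.policies[req.secret]
        if approver == req.requester:
            raise PermissionError("requesters cannot approve their own request")
        if self.roles.get(approver) != "approver":
            raise PermissionError(f"{approver} is not an approver")
        req.approvals.add(approver)
        # The grant clock starts only once enough distinct approvals exist;
        # further approvals never extend it.
        if len(req.approvals) >= policy.required_approvals and req.expires_at is None:
            req.expires_at = now + req.duration
        self.audit.append(("approved", approver, req_id, now.isoformat()))
        return len(req.approvals)

    def checkout(self, req_id, user, now):
        req = self.requests[req_id]
        if user != req.requester:
            raise PermissionError("grant is bound to the requester")
        if req.expires_at is None:
            raise PermissionError("request has not collected enough approvals")
        if now >= req.expires_at:
            raise PermissionError("grant has expired; request again")
        self.audit.append(("checkout", user, req.secret, now.isoformat()))
        return self.vault[req.secret]


def make_demo_broker():
    """Constructed environment: one dual-authorized production secret, four users."""
    policies = {"db/prod/sa": Policy(2, timedelta(hours=1), frozenset({"dba"}))}
    roles = {"alice": "dba", "bob": "approver", "carol": "approver", "mallory": "intern"}
    vault = {"db/prod/sa": "constructed-sa-password"}
    return AccessBroker(policies, roles, vault)


def run_demo():
    """Walk one request through the refusals, approval, checkout and expiry; return the audit trail."""
    broker = make_demo_broker()
    t0 = datetime(2024, 3, 4, 9, 0)
    rid = broker.request("alice", "db/prod/sa", "change INC-0001", timedelta(hours=8), t0)
    attempts = [
        lambda: broker.checkout(rid, "alice", t0),                  # no approvals yet
        lambda: broker.approve(rid, "alice", t0),                   # self-approval
        lambda: broker.request("mallory", "db/prod/sa", "curious", timedelta(minutes=5), t0),
    ]
    for attempt in attempts:
        try:
            attempt()
        except PermissionError as exc:
            broker.audit.append(("blocked", str(exc)))
    broker.approve(rid, "bob", t0)
    broker.approve(rid, "carol", t0 + timedelta(minutes=5))       # clock starts: expires 10:05
    broker.checkout(rid, "alice", t0 + timedelta(minutes=10))
    try:
        broker.checkout(rid, "alice", t0 + timedelta(hours=2))      # past the ceiling
    except PermissionError as exc:
        broker.audit.append(("blocked", str(exc)))
    return broker.audit


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The eight-hour request is silently reduced to the one-hour ceiling, and the expiry is computed from the moment the second approval lands, not from the first; both are the details that distinguish a just-in-time grant from a standing one. The audit list stands in for the events that would be forwarded to the SIEM.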
PAM software can be deployed on-premises, in the cloud (otherwise known as PAM as a Service, or PAMaaS), or with a hybrid approach.
Increasingly, PAM solutions are delivered as a service. In the PAMaaS model, a Privileged Access Management vendor manages hosting and updates so you can avoid the expense and resources of installing software and keeping it up to date. Cloud-native PAMaaS solutions also provide tighter integrations with cloud resources to strengthen protection of privileged accounts in the cloud.
You don’t need to deploy your PAM solution throughout your organization all at once, for all types of use cases. Most organizations begin by vaulting their most high-risk accounts (domain admins, etc.) and then move to other parts of the IT organization, including remote users, and then business users and developers.
As part of your PAM deployment, make sure you focus on user adoption. Increase awareness of PAM best practices and empower employees to follow them. Make sure you get buy-in for your PAM program from your executive team by educating them on its importance for compliance and security.
Selecting the best PAM solution for your organization can be daunting and goes well beyond the list of features and functionality.
Look for a true partner that has:
Now that you know the basics of Privileged Access Management, you can test out a PAM solution for yourself. Download a free trial of Secret Server on the Delinea Platform and see how it works for you.
Or, start your journey to becoming a PAM expert. We have many resources to help you!