Skip to content
 

Privileged Access Management (PAM)

What is Privileged Access Management?

Privileged Access Management  is a category of cybersecurity solutions that enables security and IT teams to securely manage access for all privileged identities in an enterprise environment.

 

With PAM, you can employ consistent, policy-based security controls to manage privileged user behavior. These PAM policies determine what target systems authenticated identities are authorized to access and what they can do with that access.

Ultimately, implementing a PAM solution can prevent, detect, and contain privilege-based cyberattacks and malicious or accidental privileged insider behavior that puts your organization at risk.

Privileged Access Management doesn’t have to be an insurmountable challenge. Any organization can secure privileged access and make an attacker’s job more difficult.

This overview builds your understanding of PAM so you can set the foundation for a comprehensive Privileged Access Management strategy. You’ll learn how privileged access is defined and managed, and how implementing a PAM solution can safeguard your organization.

Why is Privileged Access Management necessary?

PAM replaces the need for manual password management and access control with seamless automation, stronger security, and continuous oversight.

Too many organizations rely on spreadsheets to keep track of passwords and attempt to govern privileged access manually. They also place the burden on users to remember passwords and adhere to access security policies. These practices are inefficient and increase your risk. As your organization grows, manual methods are impossible to scale.

PAM is necessary to help organizations meet cybersecurity best practices, compliance requirements, and expectations of cyber insurance companies.

Importantly, PAM helps organizations align with the Principle of Least Privilege, which means privileged access is only granted at the level necessary for people to get their jobs done. PAM reduces the attack surface by eliminating shared accounts and standing or excess privileges.

What types of access does PAM manage?

Users with privileged access are found everywhere in an enterprise, such as:

  • Domain Admins that control Active Directory users.
  • System Admins that manage servers, cloud platforms, and databases.
  • Superusers that manage Unix/Linux platforms.
  • Machine identities that run and manage applications, services, and scheduled tasks, IIS application pools (.NET applications), and networking equipment such as firewalls, routers, and switches. These are typically called service or workload accounts and often run without direct human oversight.
  • Contractors, vendors or other third parties that access IT systems for support or troubleshooting.
  • Developers that have access to test and production systems, cloud platforms, as well as software in the development toolchain.
  • Business users that have local administrative accounts on workstations, which allow them to do things like download and install applications and execute other commands.

These privileged users can not only gain initial access to systems but can also adjust permissions, configure settings, make backdoor accounts, or change, delete, and extract sensitive, private data.

With PAM, you can manage and secure privileged access for all of them.

How does Privileged Access Management work?

PAM capabilities fall into two classifications, which take different approaches to managing privileged access.

Privileged Account and Session Management (PASM) - In this approach, privileged access is managed via a PAM vault, which creates and stores “secrets” (passwords, keys, certificates) tied to privileged accounts. Privileged users must check out those secrets to gain access to systems. In addition, the PAM system enables privileged session management and recording at the vault/gateway level to monitor and report on the use of privileged accounts.

Privileged Elevation and Delegation Management (PEDM) - In this approach, all users (even domain admins and system admins) operate with standard privileges until they require a higher level of access. Controls on endpoints (servers or workstations) elevate privileges for a limited time, under limited circumstances. This approach reduces the need for shared privileged accounts, standing access, and excessive privileges. It allows more granular oversight of individual privileged behavior.

The combination of the PASM and PEDM approaches in a comprehensive PAM solution provides layered defenses for different privileged access scenarios and risk factors.

How do you develop a strategy for your PAM program?

Like any IT security measure, Privileged Access Management requires thoughtful planning before you ever begin technology implementation.

Here are some important considerations for your PAM strategy.

1. Start by identifying which systems are business-critical and represent the highest risk in your organization. To do this, map out what important functions rely on data, systems, and access, including test systems, production systems, and backup systems. Identify important systems which would need to be recovered first in the event of a cyberattack.

2. Understand which privileged users and machine identities require privileged access to those business-critical systems. Determine exactly what access they need and when they need it. Most employees, for example, shouldn’t be given access to all critical systems at the same time. Employees changing jobs within your organization shouldn’t be able to keep the same access from their previous roles.

3. Make sure you include third-party contractors, vendors, and partners in your privileged access planning. Identify how their access will be granted and monitored as contracts are completed.
Related reading: What is Vendor Privileged Access Management (VPAM)

4. Decide on the factors that will determine how privileged access is granted, approved, monitored, and recorded. Ensure your PAM policies align to any regulatory compliance or cyber insurance requirements you have.

5. Understand what type of privileged behavior is expected so you can understand when accidental or malicious anomalies are occurring. For example, backup systems typically run at scheduled times. Privileged users typically access systems from certain IP addresses, using certain devices, at certain times of day.

6. Determine what you’ll do if unexpected access is detected. Many organizations aren’t prepared when a privileged attack is suspected and typically default to simply changing privileged account passwords or disabling privileged access. A comprehensive cyber incident response plan helps you prevent a cyberattack from turning into a cyber catastrophe by ensuring key areas are addressed, such as:

a. Steps to take before a privileged-based attack occurs to make sure people are prepared to act

b. Indicators of compromise that help you discover account compromise or a privileged-based attack

c. Actions to take during each phase of an incident to contain the damage

d. Strategies that help you continue normal business operations even while under attack

7. Create a PAM policy for privileged access. Be sure to include who’s responsible for managing privileged access and how authentication and authorization are conducted.

8. Determine how you’ll measure success and demonstrate progress to executives and auditors. Many organizations must undergo regular internal and external audits to comply with regulations, legal, and cyber insurance requirements. That means demonstrating that your privileged accounts are audited, secured, and controlled and carefully defining policies and implementing security controls for privileged access. Discuss with your CISO your goals for a PAM program. Determine how often they’ll want to see reports and the level of detail they’ll need.

How should you start your PAM implementation?

When you’re implementing a Privileged Access Managment strategy, you’ll want to start with the basics so you can reduce your risk right away. Most organizations begin their Privileged Access Management program with a PASM approach by implementing a PAM vault to manage privileged accounts and the secrets that unlock them.

This includes PAM functionality such as:

  • Discovery: PAM will help you identify privileged accounts and identities with permissions throughout your IT environment, on-premise and in the cloud. You can then categorize these according to risk.
  • Credential Management: Through a secure, centralized vault, PAM regularly and automatically creates and rotates credentials (such as passwords, SSH keys, and certificates) used by human and non-human privileged users to gain privileged access.
  • Authentication: PAM enforces strict authentication methods, like multi-factor authentication. That way, even if a user circumvents the PAM vault or if credentials are stolen, PAM ensures only authenticated individuals can access privileged accounts and gain privileged access to managed systems.
  • Authorization: PAM automatically grants users privileged access to systems and data according to the Principle of Least Privilege.
  • Session Management: PAM continuously monitors the activities of privileged users during their sessions. Any suspicious or unauthorized actions can alert your team or automatically trigger actions such as password changes, approvals, or additional authentication requirements.
  • Session Recording: PAM records privileged behavior from the time a session begins to when it ends. It creates a detailed log of actions taken by privileged users, which you can review for post-event forensics or PAM training.
  • Auditing and Reporting: PAM creates an immutable audit log and detailed reports that you can easily share with regulators and insurers. You’ll see exactly who accessed what and when, and what they did with that access.

Choosing PAM software—what capabilities must you assess?

As you become more mature in your PAM journey, you’ll likely expand your PAM program in terms of governance, privilege administration, and identity management.

In addition to a PAM vault, you’ll begin to adopt the capabilities of PEDM solutions so that you can provide just-in-time, just-enough access through privilege elevation. Automation and risk-based privileged management will become more important as your organization becomes more diverse and complex.

While you don’t need to adopt every PAM capability at once, it’s helpful to have a long-term view of your PAM maturity journey (below). Then you can ensure that any PAM software you select will make it easy to add on capabilities without having to start over on a new system or learn a new interface.  

delinea-blog-pam-maturity-model

Related reading: PAM Maturity Model.

Enterprise-grade PAM solutions employ numerous features to support you as your PAM program becomes more sophisticated.

Here are 12 important capabilities of enterprise PAM software:

1. Account lifecycle management  Vault and manage the lifecycle of privileged accounts from provisioning to deprovisioning to rationalize the number of accounts and reduce your attack surface. 

Ensure that when rotating a privileged account password, you don't break dependent services. 
2. Insights and incident response  Integrate with a SIEM tool for privileged activity monitoring and alerting. 

Ensure admins use their individual account for all privileged access, so logged events tie back to a unique user, streamlining incident response and audit activities. 

Record privileged sessions initiated from the vault so they can be replayed and metadata searched to facilitate incident investigations and audits. 

Enforce session, file, and process auditing for detailed event intel at the host operating system level.  

Leverage audit data, machine learning, behavioral analytics, and automation to detect, track, and alert on anomalous privileged activities. 
3. Inventory and classification  Import Excel, or automatically discover and classify AD and Azure AD accounts and groups, local Windows and Linux privileged accounts, and local *NIX SSH Keys and vault them to ensure the PAM system has centralized management and control over their use. 

Continuously discover new privileged accounts whether sanctioned, shadow IT, or by an adversary. 

Discover and classify privileged admin groups, roles, and security configuration files to ensure visibility and simplify access based on their sensitivity and importance. 

Automatically discover service/application accounts across Identity and Cloud Service Providers for visibility.  

Upon discovering a new/unmanaged asset, automate the process of bringing it under centralized management, deploying PAM controls, enforcing baseline PAM policies, and vaulting local privilege accounts.
4. Password management  Enable automatic rotation of privileged accounts and passwords. Configure password complexity rules. 
5. Secrets vaulting and management Vault the most privileged accounts within your environment, such as those that can create other accounts, move laterally to access multiple systems, and have full control within your trust fabric (AD and AAD). Enable access to these accounts only in emergency situations. 

Manage admin groups, roles, and security configuration files that might grant privileged access across all assets.
6. Secure PAM  Enable use of a bastion/jump host to proxy connections to servers in private networks that don't expose public IP addresses. Configure target servers to only permit inbound sessions from the trusted jump hosts. 
7. Access control Support dual authorization for privileged operations on critical or sensitive secrets and assets. For example, require just-in-time privileged access approval or DoubleLock to provide an extra layer of security for accessing secrets. 

Support just-in-time access requests for elevated permissions to run privileged commands and applications on workstations and servers. 

Control application launch with local controls enforcing privilege elevation policies on Windows and Mac workstations. 

Minimize local privileged accounts on Linux and UNIX to reduce the attack surface and align with the Principle of Least Privilege and zero standing privileges. 

Prohibit privileged access by any client that is unknown, not secured, and untrusted.
8. Secure remote access For remote access, obtain necessary credentials from the vault without exposing them to the user. 

Leverage vaulted credentials to automatically launch login sessions to targets other than servers and websites. Extend credential and session security to any target that has a suitable API such as PowerShell, PuTTY, SQL Server, and Notepad. 

Enable browser-based remote access to Windows, Linux, and UNIX servers. Ideal for vendors and other remote users, this reduces the risks associated with VPN-based remote access, increases user productivity, and reduces helpdesk calls. 

Expand remote access beyond remote employees to third-party vendors and contractors. Ensure a stricter degree of security leveraging VPN-less remote access since you have less control over these users.
9. DevOps Replace plaintext, hard-coded credentials and sensitive configuration data from source code, configuration, and script files. Replace with programmatic calls to the vault to obtain secrets and credentials that grant privileged access. This prevents adversaries from harvesting sensitive data on the disk. 
10. Just-in-time access request Integrate with IT Service Management tools (such as ServiceNow) to streamline privileged access requests.
11. Identity governance Establish policies around secret checkout and session launching. Self-service request workflows built-in to the PAM platform or via integrations with third party workflows such as ServiceNow, allow users to request privileged access. This helps align with best practices such as zero standing privileges. 

Enable creation of basic elevation policies to run privileged applications on workstations (Windows, Mac) and servers (Windows, Linux) to support least privilege. 

Support granular policies for privilege elevation to have tighter control over privileged access. Enforce just-enough privilege to avoid granting excessive privileges that are not required for the task at hand. 

Integrate with Identity Governance and Administration tools (such as Fastpath and SailPoint) for attestation reporting and risk-based approvals.
12. MFA at Depth Enforce MFA policies at initial access and privileged elevation to eliminate passwords and increase identity assurance. 

For all admin users who log in to the PAM vault, enforce MFA to ensure the user is the legitimate owner of the credential. 

Enforce MFA when checking out a secret from the PAM vault to ensure the user is the legitimate owner of the credential. 

Enforce MFA when initiating a remote login session to a server to ensure the user is the legitimate owner of the credential. 

Enforce MFA at workstations and servers for direct login and privileged command and application execution.

How is PAM software deployed?

PAM software can be deployed on-premise, in the cloud (otherwise known as PAM as a Service, or PAMaaS), or with a hybrid approach.

Increasingly, PAM solutions are delivered as a service. In the PAMaaS model, a Privileged Access Management vendor manages hosting and updates so you can avoid the expense and resources of installing software and keeping it up to date. Cloud-native, PAMaaS solutions also provide tighter integrations with cloud resources to strengthen protection of privileged accounts in the cloud.

You don’t need to deploy your PAM solution throughout your organization all at once, for all types of use cases. Most organizations begin by vaulting their most high-risk accounts (domain admins, etc.) and then move to other parts of the IT organization, including remote users, and then business users and developers.

As part of your PAM deployment, make sure you focus on user adoption. Increase awareness of PAM best practices and empower employees to follow them. Make sure you get buy-in for your PAM program from your executive team by educating them on its importance for compliance and security.

How do you choose the right partner for your PAM program?

Selecting the best PAM solution for your organization can be daunting and goes well beyond the list of features and functionality.

Look for a true partner that has:

  • Usable security: You don’t want to find out too late that the PAM software you chose is too complex to use or requires professional services every time you want to make a change. Look for a solution that is easy to use.
  • Fast time to value: You should expect to see measurable results within the first few months of implementing your PAM solution.
  • Top-notch support: The top Privileged Access Management vendors offer phone, email, knowledge base, and forum support at every stage, from trial to purchase and ongoing use.
  • Integrations: To ensure adoption and create a seamless user experience, your PAM solution should be embedded in your existing IT tech stack and workflow. Look for a PAM vendor that easily integrates with IGA, IAM, SIEM, helpdesk, and other solutions.
  • Innovation and frequent updates: Attack vectors are constantly increasing in number and complexity. The PAM solution you choose should be able to keep up.
  • Scalability: You PAM software must scale as your organization grows and your needs expand. A modular platform—like Delinea Platform—lets you start small and grow over time without rewriting your system or starting over.

Next steps: becoming a PAM expert

Now that you know the basics of Privileged Access Management, you can test out a PAM solution for yourself. Download a free trial of Secret Server on the Delinea Platform and see how it works for you.

Or, start your journey to becoming a PAM expert. We have many resources to help you!

More Privileged Access Management Resources:

Blog Posts

10 features every PAM solution must have

PAM Best Practices

PAM Pricing: The real cost of PAM software

How to manage and secure privileged users

PAM in the cloud vs. PAM for the cloud. 

PAM that fits your small business

Free Tools

Privileged Access Management Checklist

Privileged Access Management Policy Template

Free eBooks

Privileged Access Management for Dummies

Expert’s Guide to Privileged Access Management (PAM) Success

Whitepapers

Privileged Access Management Maturity Model

PAM Total Cost of Ownership Checklist

X
PAM in the Cloud. Powerful. Secure.
Try it Free »

MEET THE AUTHOR

Author, Joseph Carson
Joseph Carson
Joseph is Chief Security Scientist and Advisory CISO at Delinea, an active member of the cybersecurity community, and a frequent speaker at cybersecurity events globally. He has 25+ years’ experience in Enterprise Security & Infrastructure and is a Certified Information Systems Security Professional (CISSP). Joe is also an adviser to several governments and cybersecurity conferences. (ISC)² Information Security Leadership Award (ISLA:registered:) Americas Winner 2018. LinkedIn | Twitter

Author, Alex Fitzgerald
Alex FitzGerald
Alex is a Product Marketing Manager at Delinea. He drives the ecosystem for Delinea’s Vault/Platform product, and manages the blog. LinkedIn