Privileged Account and Session Management (PASM)
Privileged account and session management is the same as privileged access management. It specifically includes shared account and password management, and privileged session management. It can also include application-to-application password management.
Discovering, monitoring, and managing privileged accounts is a vital part of maintaining a strong security posture. To meet these demands, many organizations look to privileged account and session management (PASM) solutions. These tools are a subclass of privileged access management (PAM) tools and provide protection by vaulting account credentials and enabling full session recording at the vault/gateway level. In their most sophisticated deployments, the solutions broker access for users, services, and applications.
According to Gartner (Magic Quadrant for Privileged Access Management, August 2020):
“Privileged session management (PSM) functions establish sessions with possible credential injection, and full session recording. Passwords and other credentials for privileged accounts are actively managed, such as being changed at definable intervals or upon occurrence of specific events. PASM solutions can optionally also provide application-to-application password management (AAPM), and/or zero-install remote privileged access features for IT staff and third parties that do not require a VPN.”
Privileged credentials are worth their weight in gold for cybercriminals and offer the potential for persistent network access and data theft. It is not uncommon for threat actors to use administrator-level permissions to deepen their compromise by spreading to systems throughout the network and even creating user accounts to help them go undetected for an extended period. Insider attacks are also a threat to organizations. Without the ability to monitor and manage privileged accounts, any malicious activity may go undetected.
These capabilities are also critical for supporting compliance efforts. Government regulations and industry standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) require the ability to audit the activity of privileged accounts. While some organizations may want to manage passwords for privileged accounts manually, that approach does not scale as businesses grow. It also does not deliver the audit trail organizations need to pass a compliance audit.
Though different vendors may offer different capabilities, some key elements of a privileged account and session management solution include:
- Discover privileged accounts on systems, devices, and applications.
- Automatically randomize, manage, and vault passwords and other credentials for administrative, service, and application accounts.
- Control access to privileged accounts, including shared and “break-glass” accounts in case of an emergency.
- Monitor, record, and audit privileged access sessions, commands, and privileged user activity.
Beyond these core elements, privileged account and session management solutions may also provide the following capabilities:
- Provide single sign-on (SSO) for privileged sessions so that the account's credentials are never disclosed to the human user.
- Eliminate hard-coded secrets by making them available on-demand to applications.
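The core elements listed above (vaulting and randomizing shared-account passwords, controlling who holds them, and auditing every privileged access) and the interval- and event-driven rotation described in the Gartner quote, reduced to a small working model. This is an added illustration, not code from any PASM product; the vault, the account name `root@db01`, the users and the rotation interval are all constructed for the walkthrough.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

class PasmVault:
    """Toy vault (not a product): brokers check-out/check-in of shared accounts,
    rotates passwords on an interval and on every check-in, keeps an audit trail."""
    def __init__(self, rotation_interval: timedelta):
        self.accounts, self.audit, self.interval = {}, [], rotation_interval
    @staticmethod
    def _new_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))
    def _log(self, event: str, account: str, user: str, **extra) -> None:
        self.audit.append({"event": event, "account": account, "user": user, **extra})
    def add_account(self, name: str, now: datetime) -> None:
        self.accounts[name] = {"password": self._new_password(), "rotated_at": now, "holder": None}
    def checkout(self, name: str, user: str, now: datetime, break_glass: bool = False) -> str:
        acct = self.accounts[name]
        if acct["holder"] and not break_glass:  # shared account: one holder at a time
            self._log("denied", name, user, reason=f"in use by {acct['holder']}")
            raise PermissionError(f"{name} is checked out by {acct['holder']}")
        if now - acct["rotated_at"] >= self.interval:  # interval-based rotation
            acct["password"], acct["rotated_at"] = self._new_password(), now
            self._log("rotated", name, "vault", reason="interval")
        acct["holder"] = user
        self._log("checkout", name, user, break_glass=break_glass)  # break-glass use is flagged, never hidden
        return acct["password"]
    def checkin(self, name: str, user: str, now: datetime) -> None:
        acct = self.accounts[name]
        acct["holder"] = None
        acct["password"], acct["rotated_at"] = self._new_password(), now  # event-based rotation
        self._log("checkin", name, user)
        self._log("rotated", name, "vault", reason="checkin")

def demo() -> tuple[bool, list[str]]:
    """Constructed walkthrough: returns whether the two issued passwords differ and the audit trail."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault = PasmVault(timedelta(days=30))
    vault.add_account("root@db01", t0)
    first = vault.checkout("root@db01", "alice", t0)
    try:
        vault.checkout("root@db01", "bob", t0)  # denied: alice still holds the account
    except PermissionError:
        pass
    vault.checkin("root@db01", "alice", t0 + timedelta(hours=1))
    second = vault.checkout("root@db01", "bob", t0 + timedelta(days=45))  # 45 days later: interval rotation fires
    return first != second, [e["event"] for e in vault.audit]
```

The audit trail is the point: every hand-out, refusal and rotation is recorded with who triggered it, which is the evidence a HIPAA or PCI DSS audit asks for.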
Modern privileged account and session management (PASM) solutions are characterized by being delivered as a cloud-architected, highly scalable offering to meet the increasing needs of the digitally transformed enterprise. By offering PASM-as-a-Service, these cloud-ready solutions can be up and running in under an hour. In turn, customers avoid a complicated and protracted IT project along with the hassles of designing a complex privileged access management (PAM) architecture with failover and disaster recovery and acquiring and building out the infrastructure.
Ultimately, privileged account and session management solutions help organizations reduce the number of privileged accounts. However, they do not reduce the risk associated with users or machines having too much privilege. That objective is achieved by adding privilege elevation and delegation management (PEDM) capabilities to the equation.