What Is Privileged Access Management (PAM)? Definition, Components, and Best Practices

Privileged access management (PAM) is the provisioning of systems and controls to secure user accounts with access to critical data and functions.

Last Updated: August 30, 2021

Privileged access management (PAM) is defined as the provisioning of tools that help organizations manage and secure accounts that have access to critical data and operations. Any compromise of these ‘privileged’ accounts can lead to financial losses and reputational damage for the organization. This article introduces privileged access management, explains its importance and key components, and shares best practices for 2021.

What Is Privileged Access Management (PAM)?

At its core, PAM is the set of tools and processes used to discover, control, monitor, and audit accounts that hold elevated rights over critical data and operations. Because such an account can read or change whatever it reaches, a single compromised privileged account can lead to data theft, outages, financial losses, and reputational damage for the organization.

Every organization’s infrastructure is built with multiple levels of deployments, data stores, applications, and third-party services. Some of these components are critical for operations, while some may be as mundane as email. But each of these is accessed by user accounts, which are of two types:

    1. Human users: These are typically employee accounts across all departments, including HR, DevOps, and network administrators, plus contractors and vendors who are given access. 
    2. Automated non-human users: These are applications, services, scripts, and scheduled jobs (in-house or third-party) that need an account of their own to integrate with the organization’s systems. 

‘Privilege’ is the authority an account has to modify part of the company’s technology architecture, from an individual device to the office network. Privilege allows an account to bypass the security restrictions that normally apply to all accounts, which is exactly why it must be granted sparingly.

A standard account is the norm for employees and carries the fewest privileges. Such accounts are used to access limited resources such as internet browsing, email, and office suites. A privileged account possesses more capabilities than a standard account, and that elevated access is gained using privileged credentials. 

Types of privileged user accounts

    • Superuser accounts: These are top-of-the-pyramid accounts (root on Unix-like systems, Administrator on Windows) with unrestricted access to systems across the network. They are used to create and maintain other user accounts and to grant and revoke permissions as required. They can carry out any operation, such as creating and removing files, servers, and devices. Every organization typically has at least one such account. 
    • Administrative accounts: Administrative accounts can control all devices and users within a local setup (local administrative accounts) or a specific domain (domain administrative accounts). Such accounts do not have any jurisdiction beyond this.
    • Emergency accounts: Also called ‘break-glass’ accounts, these are fallback accounts that administrators can turn to if their regular accounts are compromised or unavailable. Because they bypass normal controls, their use must be rare, alerted on, and followed by a credential reset.
    • Application and service accounts: Most systems today are not standalone and are integrated with services and applications provided from within the organization or by third-party vendors. These applications and servers need accounts to access the operating systems, databases, etc., to function as required. 
    • Secrets and SSH keys: These are mostly used by programmers and DevOps engineers to connect to the servers where their code runs. API keys and tokens are likewise the means of authentication when one web service connects to another. Though they do not fit the traditional username-password model, they establish authenticated sessions and count as privileged credentials.

Taking a look at the capabilities of standard and privileged accounts, it is clear that privileged accounts act as entry points to the most important parts of the system. A Forrester report estimated that privileged credentials were involved in around 80% of reported data breaches. Securing and managing privileged accounts is therefore the first step toward robust system security. 

This is where privileged access management (PAM) comes into the picture.

Privileged access management, or privileged account management, is a system that reduces the exposure of privileged accounts. It typically covers the entire privileged account lifecycle, from granting and revoking permissions to enforcing credential rotation. Most PAM solutions apply the principle of least privilege: they start from zero permissions for every account and add them incrementally as a role requires.

The goal of privileged account management is to discover and monitor privileged accounts, bring down unnecessary entry points into the system (because of which the ‘attack surface’ of the organization decreases), and enable better password hygiene. It does so by establishing a unique identity for every employee in the company. 

Each identity may have permissions to more than one set of resources. PAM ensures that each digital identity is maintained and modified as required. PAM also monitors privileged accounts and generates reports for auditing during compliance checks.

Difference between PAM and IAM

Identity and access management (IAM) systems are used to maintain all user accounts, standard or privileged. These focus on the authorization, authentication, and management of all accounts.

PAM is a subset of IAM specifically designed to control privileged accounts. It guards a smaller but more critical attack surface than IAM as a whole: some of the guarded resources, if compromised, also result in compliance failures. As a result, PAM solutions usually add features such as a credential vault for added security and session recording for auditing purposes.

Importance in Enterprise Security

In 2015, roughly 225,000 Ukrainians faced a power outage after attackers used stolen credentials to log in remotely to the control networks of three regional electricity distribution companies and open circuit breakers.

In 2016, intruders stole the data of around 57 million Uber riders and drivers after finding AWS credentials that engineers had committed to a private code repository. The common theme: the attackers did not need an exploit, because valid privileged credentials let them act as an insider and their activity looked like legitimate use.

The inherent security risks that come with privileged accounts are obvious. Most of these risks become organizational vulnerabilities when a proper PAM is not in place. Before considering a PAM solution, it is essential to understand the challenges of maintaining privileged accounts. This can make it easier to evaluate them.

Privileged access system challenges

1. Uniformly managing accounts across the entire threat surface

Today’s work environment is spread across multiple layers, some maintained in-house and some through external vendors. The threat surface can extend across the internal network and applications, on-premise servers, cloud-based components, and third-party solutions. 

One of the biggest challenges here is commissioning and maintaining privileged accounts across all of these surfaces without confusing and burdening administrators and users alike. Using a centralized, uniform password access management system is one solution to overcome this challenge.

2. Maintaining proper password hygiene

The usual standard password login is highly prone to human error, making it the softest target for hackers. With privileged accounts, proper password hygiene is crucial. Some of the most common poor password practices include: 

a) Leaving privileged credentials in unencrypted, easy-to-find places (spreadsheets, wiki pages, chat messages), mostly for ease of use. This usually happens when one employee’s digital identity spans many access points.

b) Using default passwords or reusing passwords across different accounts. 

c) Using weak passwords that can be guessed or recovered by brute force.

d) Not rotating passwords. With so many credentials to keep track of, this is usually the easiest fallback for many users. For shared and machine credentials it matters most, which is why a PAM rotates them automatically after each use so that a captured credential stops working quickly.

e) Sharing a single account across multiple administrators for ease of use. This makes it very difficult to audit, especially in case of security or compliance issues, because the log shows only the shared account and not the person behind it.

3. Keeping all privileged accounts in sight

Privileges are usually commissioned to an account if a new employee joins the organization or new responsibilities have been handed over to an existing employee. Privileges need to be revoked when employees leave or offload some of their responsibilities while moving to a different role. 

The fluid nature of the privileged-credential lifecycle and the sheer number of combinations of users and access points inevitably lead to some accounts becoming zombies: unused but still active. These accounts are a security threat, because attackers scan for them across the organization’s network and their use is rarely noticed. 

4. Providing too many permissions

As noted above, reusing one password across resources is a poor practice, so different access levels and resources should have different credentials. However, this creates a headache for users, who cannot spend most of their time authenticating at every step. 

Sometimes, this is overcome with the admin team providing more permissions than required. This makes the workflow smooth; however, it isn’t the best solution as it goes against the principle of least privileges.

5. Tracking third-party privileges

Applications and cloud services require privileged credentials to access internal resources such as servers and databases. Ready-to-ship services often come with a default set of access permissions as well as a default password, both of which must be changed before the service goes live.

Sometimes, communicating with these services requires using these credentials in the codebase. Since this requires coordination of access among multiple sets of employees such as programmers, DevOps, and possibly even the service provider, password management can get dicey in such a situation.

6. Removing hard-coded privileged credentials 

Most integration between applications and services is done using secret keys, and these keys are frequently embedded directly in source code or configuration files. The 2016 Uber breach began with AWS credentials that had been checked into a code repository. Such keys need to be stored encrypted in a vault and fetched by the application at runtime, rather than hard-coded where anyone with access to the repository can read them. 
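The two halves of the point above, as an added example that is not code from the original article: a small scanner that finds embedded credentials in a constructed source file, followed by the runtime-lookup pattern that replaces them. The regexes, the sample file, and the fetch_secret helper are assumptions made for illustration; a real deployment would call the vault or PAM API with a short-lived, identity-bound token rather than read an environment variable.

```python
"""Added example (not from the original article): find hard-coded credentials
in source text and replace them with a runtime secret lookup.

Assumptions: the regexes are illustrative patterns for common secret formats,
SAMPLE_SOURCE is a constructed file, and fetch_secret stands in for a call to
a real vault or PAM API.
"""
import os
import re

# Constructed sample "source file" containing an AWS key pair and a database
# password, modelled on the kind of code that leaks through repositories.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_URL = "postgres://app:Sup3rS3cret@db.internal:5432/prod"

client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Illustrative detection patterns (assumption: tuned to the formats above).
# Where a pattern has a capture group, the last group holds the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*=\s*['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "url_embedded_password": re.compile(r"://[^:/\s]+:([^@\s]+)@"),
}


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be matched without leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_hardcoded_secrets(source: str) -> list:
    """Return one finding per (line, pattern) hit in the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group(match.lastindex or 0)
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": redact(secret)})
    return findings


def fetch_secret(name: str, env=None) -> str:
    """Runtime lookup. Assumption: a real deployment would ask the vault/PAM
    with a short-lived, identity-bound token; the environment stands in here.
    Failing closed is deliberate: a missing secret must not become a default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        raise RuntimeError(f"secret {name!r} is not available to this process")
    return value


def build_db_url(env=None, host: str = "db.internal", db: str = "prod") -> str:
    """Hardened counterpart of DB_URL above: the connection string is
    assembled at runtime, so the password never appears in source."""
    password = fetch_secret("APP_DB_PASSWORD", env)
    return f"postgres://app:{password}@{host}:5432/{db}"


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['redacted']})")
```

Running the scanner over the constructed file reports the access key on line 3, the secret key on line 4, and the password embedded in the connection URL on line 5, each redacted so the report itself does not become a second copy of the secret. The hardened build_db_url raises rather than silently continuing when the secret is absent, which is the behaviour you want from anything that replaces a hard-coded value.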

PAM systems overcome these challenges by providing a streamlined and centralized approach to maintaining privileged credentials.

Also Read: What Is Biometric Authentication? Definition, Benefits, and Tools

Benefits of using PAM

1. Helps discover and report privileged accounts

The first step in securing privileged accounts across the infrastructure is detecting and consolidating them, including unused zombie accounts. Typically, PAM solutions start by identifying accounts that are no longer required and stripping the remaining accounts down to the bare minimum of privileges. Permissions are then added incrementally. After this, privileged accounts are separated from standard accounts (for example, an administrator uses a distinct admin account only for admin tasks) to reduce the risk of credential theft.

2. Improves workflow and productivity

PAM removes the need to manage multiple credentials by creating a single digital identity for every user. Privileged users gain access through a central interface provided by the PAM instead of using individual access points and different credentials. This allows for a smooth workflow, with the onus of secure access falling on the PAM instead of on human users. A central access point also means a considerably smaller attack surface, though it also makes the PAM itself a high-value target that must be hardened and monitored.

3. Addresses compliance regulations

Regulations such as HIPAA, PCI DSS, and FISMA require organizations to account for the ‘who, what, when, where, and why’ of access to protected data. PAM systems support compliance by giving administrators control over who accesses this data, authenticating and approving each connection. The reduced complexity of privileged account maintenance makes it easy to produce audit logs, which in the event of a breach show exactly which account touched what.

4. Manages and secures passwords

PAM solutions typically store encrypted privileged credentials in a ‘vault’. Access to critical resources requires going through the PAM system with sufficient authentication. Passwords are managed and reset within the system based on the policies set up by the security team. 

Since these passwords are randomly generated and rotated at specified intervals or on triggers such as check-in, a stolen or brute-forced credential stops working quickly. This credential ‘create-reset-expire’ model shortens the window in which a leaked credential is useful and limits what credential-stealing malware can harvest.

5. Manages access points

PAM secures access points by assigning role-based identities. For example, a third-party application’s service account is granted fewer privileges than an internal developer’s account. Because every access maps to a named identity, administrators can see a clear trail of which user accessed which critical resource, which is essential both for auditing and for spotting anomalies in user behavior.

6. Monitors privileged user sessions for anomalies

Privileged session management (PSM) systems are a subset of PAM. Once access has been granted, PSM records the authenticated session until the user logs off. This helps pinpoint the exact user and session behind a security incident. PSM can also alert an administrator to suspicious activity in real time and, where policy allows, terminate the session.

As you can see, enterprises benefit from privileged access management in terms of both security and compliance. Most organizations need an IAM and a PAM that work in tandem. PAM solutions provide high value simply because of the critical resources they guard. 

Key Components of Privileged Access Management

A good PAM solution centralizes discovering, segmenting, on-boarding, and managing privileged credentials. Components that make up a PAM solution are: 

Key Components of a Privileged Access Management System

1. Access manager

Access manager is the single point of entry that stands between users and critical resources. It stores permissions, user roles, and privileged user information. Policy managers use it to create access policies based on individual user identities or roles. 

The access manager also sets privilege limits to a predetermined list of apps and services. Some access managers also allow the segmentation of assets based on threat risk or type of asset (like VPN, database). 

2. Session manager

Session manager monitors and controls all authenticated sessions for users, apps, services, and systems. It provides the audit trail for every action performed by a privileged user. The session manager ensures real-time monitoring and sends out alerts in case of suspicious user behavior. 

In case of a verified attack, the manager must be able to terminate the session automatically. This alerting system is an important component of PAM. The session manager must also empower administrators to allow or deny specific actions based on the context of access. 

3. Password manager

PAM solutions have a centralized, encrypted vault that stores privileged credentials. The vault releases a credential only after the access manager’s policy check has passed and the user has authenticated. It allows administrators to set up policies for password creation, rotation, and revocation. 

The password manager significantly reduces human error caused by improper password handling. It also handles application-to-application password management (AAPM). AAPM finds embedded and hard-coded keys, moves them into the vault so that applications fetch them at runtime, and subjects them to the same controls as traditional user credentials. 

An advanced password manager must work with the multi-factor authentication (MFA) solution the organization has implemented. With infrastructure largely moving to the cloud, compatible MFA and PAM solutions create the best conditions for protecting privileged accounts.
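The ‘create-reset-expire’ model from the benefits section and the vault described under the password manager, as one added example that is not code from the original article or from any PAM product: a minimal credential vault that issues random secrets, leases them to authorised roles for a bounded time, rotates them on check-in, and expires unreturned leases. The Vault class, its policy table, and the lease length are assumptions made for illustration; a product vault would also encrypt at rest, write to a tamper-evident audit log, and require MFA at check-out.

```python
"""Added example (not from the original article): a minimal credential vault
implementing the create-reset-expire model: secrets are generated randomly,
checked out only to authorised roles for a bounded lease, and rotated on
check-in or when the lease expires.

Assumptions: the Vault class, its policy table and lease length are
illustrative; a product vault would also encrypt at rest, write to a
tamper-evident audit log and require MFA at check-out.
"""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password; redraw until it contains a digit and a symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw):
            return pw


@dataclass
class Credential:
    target: str                              # e.g. "db-prod/admin"
    secret: str
    version: int = 1
    checked_out_by: Optional[str] = None
    lease_expires_at: Optional[int] = None   # unix seconds
    history: List[tuple] = field(default_factory=list)  # (when, who, action, version)


class Vault:
    def __init__(self, policy: Dict[str, Set[str]], lease_seconds: int = 900):
        self.policy = policy                 # target -> roles allowed to check out
        self.lease_seconds = lease_seconds
        self._store: Dict[str, Credential] = {}

    def onboard(self, target: str, now: int) -> None:
        """Create: take control of an account by issuing a fresh random secret."""
        cred = Credential(target, generate_password())
        cred.history.append((now, "system", "onboard", cred.version))
        self._store[target] = cred

    def checkout(self, target: str, user: str, role: str, now: int) -> str:
        """Release the current secret to an authorised user for one lease."""
        cred = self._store[target]
        if role not in self.policy.get(target, set()):
            cred.history.append((now, user, "checkout-denied", cred.version))
            raise PermissionError(f"{user} ({role}) may not use {target}")
        if cred.checked_out_by is not None:
            if cred.lease_expires_at > now:
                raise RuntimeError(f"{target} is leased to {cred.checked_out_by}")
            self._rotate(cred, "system", now)   # lease ran out: expire it first
        cred.checked_out_by = user
        cred.lease_expires_at = now + self.lease_seconds
        cred.history.append((now, user, "checkout", cred.version))
        return cred.secret

    def checkin(self, target: str, user: str, now: int) -> None:
        """Reset: every check-in rotates the secret so the copy the user saw
        (or pasted somewhere) cannot be reused."""
        cred = self._store[target]
        if cred.checked_out_by != user:
            raise PermissionError(f"{user} does not hold the lease on {target}")
        self._rotate(cred, user, now)

    def expire_leases(self, now: int) -> List[str]:
        """Expire: rotate every credential whose lease ended without check-in."""
        rotated = []
        for cred in self._store.values():
            if cred.checked_out_by is not None and cred.lease_expires_at <= now:
                self._rotate(cred, "system", now)
                rotated.append(cred.target)
        return rotated

    def verify(self, target: str, presented: str) -> bool:
        """Constant-time comparison against the current secret."""
        return hmac.compare_digest(self._store[target].secret, presented)

    def audit(self, target: str) -> List[tuple]:
        return list(self._store[target].history)

    def _rotate(self, cred: Credential, actor: str, now: int) -> None:
        cred.secret = generate_password()
        cred.version += 1
        cred.checked_out_by = None
        cred.lease_expires_at = None
        cred.history.append((now, actor, "rotate", cred.version))
```

The important property is that a secret handed out at check-out is dead by the time the lease ends, whether the user returned it or not, so a credential copied into a ticket or a shell history stops working without anyone noticing it leaked. Every denied check-out is recorded alongside the successful ones, which is the audit trail the compliance section asks for.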

4. Reporting and auditing tools

In enterprises, PAM solutions are likely safeguarding thousands of access points across multiple geographical locations. One of the main benefits of using a PAM is viewing and analyzing privileged user data in an uncomplicated manner. Reporting tools are therefore crucial for administrators to understand and evolve their existing security policies. 

These reports and the session manager’s audit records together provide forensic information that can pin down how previous breach attempts unfolded and which mitigations can prevent future attacks. They also document compliance adherence, helping organizations avoid regulatory penalties.

5. PAM dashboard

The PAM dashboard is a one-stop portal for setting up access, session, and password policies, discovering privileged accounts across the system, and defining user identities, roles, and permissions. It also provides visualization of the access reports and streamlines the entire privileged access management process for administrators.

6. Interaction between components

Every privileged user goes through the access manager, which consults the password vault and performs secure authentication. Once authenticated, control passes to the session manager, which starts, monitors, and terminates sessions as required. 

Within a valid session, users can access, modify, and delete critical assets at the other end. Every activity within the session is recorded for auditing. The PAM dashboard portal displays all failed and successful access attempts and subsequent sessions. Policy managers allow the configuration of access policies as well as password policies. 

Top 7 Privileged Access Management Best Practices for 2021

Now that we have understood the basics, key components, and importance of privileged access management, let’s move on to the best practices of privileged access management in 2021.

Privileged Access Management Best Practices

1. Identify critical resources and all access points

The first step toward building a robust privileged account management system is recognizing critical systems, operations, and underlying assets. 

With this data in place, administrators must work with system architects and security teams to identify access points for each of these critical components. Every user, system, app, and third-party vendor who requires credentials to these points must be cataloged. 

2. Discover and onboard all privileged accounts

All existing privileged credentials need to be accounted for. This means going through all access points cataloged in the identifying stage and discovering the corresponding privileged accounts. 

Any zombie accounts, as discussed before, must be deleted or stripped of all permissions. All operating systems, hardware devices, firewalls, routers, and directories must also be scanned for privileged accounts.
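The discovery step on a single Linux host, as an added example that is not code from the original article: it reads the account database, group membership, and sudo rules, lists every account that is root-equivalent, in an admin group, or named in sudoers, and flags the ones that have not logged in within the policy window. PASSWD, GROUP, SUDOERS, and LAST_LOGIN are constructed copies of /etc/passwd, /etc/group, /etc/sudoers, and lastlog output; ADMIN_GROUPS and STALE_AFTER_DAYS are policy choices assumed here.

```python
"""Added example (not from the original article): discover privileged accounts
on a Linux host and flag stale ("zombie") ones.

Assumptions: PASSWD, GROUP, SUDOERS and LAST_LOGIN are constructed copies of
/etc/passwd, /etc/group, /etc/sudoers and lastlog output; on a real host you
would read the real files. ADMIN_GROUPS and STALE_AFTER_DAYS are policy choices.
"""
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/lib/backup:/bin/sh
deploy:x:1004:1004:Deploy:/home/deploy:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
www-data:x:33:
"""

SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed last-login table; None means no login was ever recorded.
LAST_LOGIN = {
    "root": date(2021, 8, 20), "toor": None, "alice": date(2021, 8, 25),
    "bob": date(2021, 2, 1), "svc-backup": date(2021, 8, 29),
    "deploy": date(2021, 8, 28),
}
TODAY = date(2021, 8, 30)
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
STALE_AFTER_DAYS = 90


def parse_passwd(text):
    """name -> uid for every entry (the uid is what decides root equivalence)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """group name -> set of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def parse_sudoers(text):
    """principal ('user' or '%group') -> list of command specs."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        principal, spec = line.split(None, 1)
        rules.setdefault(principal, []).append(spec)
    return rules


def discover_privileged(passwd, group, sudoers, last_login, today):
    """Return {account: {"reasons": [...], "stale": bool}} for every account
    that is root-equivalent, in an admin group, or named in sudoers."""
    users, groups, rules = parse_passwd(passwd), parse_group(group), parse_sudoers(sudoers)
    report = {}

    def flag(name, reason):
        report.setdefault(name, {"reasons": [], "stale": False})["reasons"].append(reason)

    for name, uid in users.items():
        if uid == 0:
            flag(name, "uid 0")                       # a second uid-0 account is a classic backdoor
        for g in sorted(ADMIN_GROUPS & set(groups)):
            if name in groups[g]:
                flag(name, f"member of {g}")
        for principal, specs in rules.items():
            direct = principal == name
            via_group = principal.startswith("%") and name in groups.get(principal[1:], set())
            if direct or via_group:
                for spec in specs:
                    flag(name, f"sudoers: {spec}")

    for name, entry in report.items():
        last = last_login.get(name)
        entry["stale"] = last is None or (today - last).days > STALE_AFTER_DAYS
    return report


def stale_accounts(report):
    """Zombie candidates: privileged but unused beyond the policy window."""
    return [name for name, entry in report.items() if entry["stale"]]


if __name__ == "__main__":
    for name, entry in discover_privileged(PASSWD, GROUP, SUDOERS, LAST_LOGIN, TODAY).items():
        print(name, entry)
```

On the constructed data the scan surfaces two things a casual review misses: a second uid-0 account (‘toor’) that has never logged in, and a wheel member whose last login is months old. Both are exactly the zombies the text describes, and the service account with a narrow NOPASSWD rule shows that ‘privileged’ is not limited to full sudo.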

3. Segment systems and assets into clusters

In large enterprises, maintaining all assets in a single pool may become difficult. To maintain and provide scalability, users and processes must be segmented based on trust, role, and permission sets. 

This helps create flexible privilege policies that can implement security controls based on segments. Segments also prevent the propagation of breaches.

4. Separate privileges and duties

Every user must have a digital identity, with privilege levels varying based on current roles. For example, the privileges needed to operate a system day to day (deploying code, running backups) must be separated from the privileges to administer accounts on it. 

Also, auditing must be treated as a separate privilege, so that nobody can both act and review their own actions. Every role must have a defined set of duties. Once these separated privileges and duties are in place, distinct privileged accounts can be set up, each with its own set of tasks. 

5. Enforce least privilege

All user accounts, as we’ve seen so far, are not the same. But to ensure that no account is over-provisioned, every account found in the discovery stage must first be reset to a least-privilege baseline. 

Each account is then revisited and provisioned with exactly the privileges defined by the separation of duties. The principle of least privilege falls in line with the zero trust security policies that many enterprises are adopting. 
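Practices 4 and 5 together, as an added example that is not code from the original article: a role model is checked for separation-of-duties conflicts, and least-privilege recommendations are derived from what each identity actually used over a review window. The roles, the toxic permission pairs, the user assignments, and the usage log are constructed for illustration; in practice the usage log would come from the PAM’s session records.

```python
"""Added example (not from the original article): check a role model for
separation-of-duties conflicts and derive least-privilege recommendations
from what identities actually used.

Assumptions: the roles, toxic permission pairs, user assignments and the
usage log are constructed for illustration; in practice the usage log comes
from the PAM's session records over a review window.
"""
ROLE_PERMISSIONS = {
    "sysadmin":  {"server:shell", "server:restart", "user:create", "user:delete"},
    "dba":       {"db:read", "db:write", "db:schema"},
    "developer": {"repo:push", "ci:run", "db:read"},
    "auditor":   {"audit:read", "audit:export"},
    "approver":  {"change:approve"},
}

# Permissions one identity must never hold together (separation of duties).
TOXIC_PAIRS = [
    ("user:create", "audit:read"),         # creates accounts and reviews who did
    ("change:approve", "server:restart"),  # approves and executes the same change
]

USER_ROLES = {
    "alice": {"sysadmin", "auditor"},
    "bob": {"developer"},
    "carol": {"dba", "approver"},
    "dave": {"sysadmin"},
}

# Constructed 30-day usage log: (identity, permission actually exercised).
USAGE_LOG = [
    ("alice", "server:shell"), ("alice", "user:create"), ("alice", "audit:read"),
    ("bob", "repo:push"), ("bob", "ci:run"),
    ("carol", "db:read"), ("carol", "db:write"), ("carol", "change:approve"),
    ("dave", "server:restart"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of everything the user's roles grant."""
    return set().union(*(role_perms[r] for r in user_roles[user]))


def sod_conflicts(user_roles=USER_ROLES, toxic=TOXIC_PAIRS):
    """Identities whose combined roles violate a toxic pair."""
    conflicts = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles)
        for a, b in toxic:
            if a in perms and b in perms:
                conflicts.append((user, a, b))
    return conflicts


def used_permissions(usage):
    """identity -> set of permissions seen in the log."""
    used = {}
    for user, perm in usage:
        used.setdefault(user, set()).add(perm)
    return used


def unused_permissions(usage, user_roles=USER_ROLES):
    """Granted-but-unused permissions per identity: revocation candidates."""
    used = used_permissions(usage)
    return {u: sorted(effective_permissions(u, user_roles) - used.get(u, set()))
            for u in user_roles}


def suggest_roles(user, usage, role_perms=ROLE_PERMISSIONS):
    """Greedy set cover: smallest set of existing roles that still covers what
    the identity actually used. Rebuilding the grant from usage, rather than
    trimming the current one, is what the text means by a least-privilege
    baseline followed by incremental provisioning."""
    need = set(used_permissions(usage).get(user, set()))
    chosen = set()
    while need:
        best = max(role_perms, key=lambda r: len(role_perms[r] & need))
        if not role_perms[best] & need:
            break                          # remaining permissions map to no role
        chosen.add(best)
        need -= role_perms[best]
    return chosen


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    for user, perms in unused_permissions(USAGE_LOG).items():
        print(user, "unused:", perms, "minimal roles:", suggest_roles(user, USAGE_LOG))
```

Two results are worth noting. Alice violates a toxic pair, and rebuilding her roles from usage still needs both sysadmin and auditor, so the fix is not a smaller grant but splitting the duties across two people. Dave holds four permissions and used one, which is the kind of over-provisioning that a quarterly review against session data makes visible.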

6. Ensure robust reporting and logging system

The amount of data that PAM collects is huge but also necessary. This means that all access and session-related data must be presented to administrators and compliance auditors in the proper format, enabling a bird’s eye view of privileged user activity. 

7. Incorporate behavioral analysis to mitigate threats

All acceptable user behavior, based on role, privileges, and type of session, must be outlined and documented. Privilege ‘risk’ must be defined and ranked. Any deviation from the documented baseline must raise an alert and be analyzed. 

Modern PAM systems use behavioral context to decide whether a deviation is a harmless anomaly or a potential threat, combining it with other risk data such as threat intelligence. For example, an access request during off-hours is on its own only a weak signal; the same request from an unfamiliar network against a host the user has never touched is strong enough to demand step-up authentication or to terminate the session immediately.
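The scoring described above, as an added example that is not code from the original article or from any PAM product: each session is compared with a per-user baseline, several deviations and an external threat-intelligence hit are weighted and summed, and the total decides between allowing, forcing step-up authentication, and terminating. BASELINE, the weights, the thresholds, and the watchlist are assumptions made for illustration, and SESSION_LOG is constructed JSON lines in the shape a session manager might export.

```python
"""Added example (not from the original article): score privileged sessions
against a per-user behavioural baseline and combine several signals before
deciding whether to allow, demand step-up authentication, or terminate.

Assumptions: BASELINE, the weights, the thresholds and the threat-intel
watchlist are illustrative, and SESSION_LOG is constructed JSON lines in the
shape a session manager might export.
"""
import ipaddress
import json
from datetime import datetime

# What "normal" looks like per identity (learned from history in a real PAM).
BASELINE = {
    "alice": {"hours": range(8, 19), "networks": ["10.20.0.0/16"],
              "hosts": {"db-prod-1", "db-prod-2"}, "commands": {"psql", "pg_dump"}},
    "bob": {"hours": range(9, 18), "networks": ["192.168.10.0/24"],
            "hosts": {"ci-runner"}, "commands": {"ssh", "docker"}},
}
THREAT_INTEL_IPS = {"198.51.100.9"}        # constructed watchlist

WEIGHTS = {"off_hours": 20, "new_network": 35, "new_host": 25,
           "new_command": 15, "watchlist_ip": 40, "no_baseline": 50}
THRESHOLDS = {"step_up": 40, "terminate": 70}

# Constructed session records, one JSON object per line.
SESSION_LOG = "\n".join(json.dumps(r) for r in [
    {"id": 1, "user": "alice", "start": "2021-08-30T10:15:00",
     "src": "10.20.5.7", "host": "db-prod-1", "command": "psql"},
    {"id": 2, "user": "alice", "start": "2021-08-30T23:40:00",
     "src": "10.20.5.7", "host": "db-prod-1", "command": "pg_dump"},
    {"id": 3, "user": "alice", "start": "2021-08-30T10:00:00",
     "src": "10.20.5.7", "host": "db-staging-3", "command": "bash"},
    {"id": 4, "user": "alice", "start": "2021-08-31T02:05:00",
     "src": "203.0.113.45", "host": "db-prod-2", "command": "curl"},
    {"id": 5, "user": "bob", "start": "2021-08-30T14:00:00",
     "src": "198.51.100.9", "host": "ci-runner", "command": "ssh"},
])


def score_session(rec, baseline=BASELINE, watchlist=THREAT_INTEL_IPS):
    """Return (score, reasons). Each reason is one deviation from baseline or
    one external risk signal; the score is the sum of their weights."""
    reasons = []
    profile = baseline.get(rec["user"])
    src = ipaddress.ip_address(rec["src"])
    if profile is None:
        reasons.append("no_baseline")      # unknown identity: nothing to compare
    else:
        if datetime.fromisoformat(rec["start"]).hour not in profile["hours"]:
            reasons.append("off_hours")
        if not any(src in ipaddress.ip_network(n) for n in profile["networks"]):
            reasons.append("new_network")
        if rec["host"] not in profile["hosts"]:
            reasons.append("new_host")
        if rec["command"] not in profile["commands"]:
            reasons.append("new_command")
    if rec["src"] in watchlist:
        reasons.append("watchlist_ip")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score onto the session manager's possible responses."""
    if score >= THRESHOLDS["terminate"]:
        return "terminate"
    if score >= THRESHOLDS["step_up"]:
        return "step_up"
    return "allow"


def triage(log_text):
    """Score every session in a JSON-lines export and attach a decision."""
    results = {}
    for line in log_text.splitlines():
        rec = json.loads(line)
        score, reasons = score_session(rec)
        results[rec["id"]] = {"user": rec["user"], "score": score,
                              "reasons": reasons, "action": decide(score)}
    return results


if __name__ == "__main__":
    for sid, r in triage(SESSION_LOG).items():
        print(sid, r["user"], r["score"], r["action"], r["reasons"])
```

Session 2 is the off-hours case from the text: a routine dump at night from the usual network scores too low to act on and is merely logged. Session 4 stacks off-hours, an unfamiliar network, and a command the user never runs, and crosses the terminate threshold; session 5 looks ordinary in time and target but comes from a watchlisted address, which is why the external signal carries its own weight rather than only amplifying behavioural ones.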

Wrapping up

Targeting privileged accounts is one of the easiest tactics for attackers. It lets them operate as an ‘insider’ and compromise the system from within. Account takeovers, denial-of-service attacks, and malware are a few of the outcomes of poor privileged account management. 

There are many PAM solutions available in the market, and the right one must be chosen based on the organization’s size and compatibility with existing security tools. Together, strong PAM, IAM, and MFA solutions can fortify all entry points into the organization’s digital surface. 


Ramya Mohanakrishnan
Ramya is an IT specialist who has worked in the startup industry for more than a decade. She has coded, architected, and is now writing about, technology that shapes the world. She is an Information Systems graduate from BITS Pilani, one of India’s top universities for science and technological research. Her expertise in the industry has been fueled by stints in large corporations such as Goldman Sachs. She currently develops technology content for startups and tech communities. Her niches include cloud, security, data, and business continuity.