Different Paths, Same Goal: Privileged Account and Session Management (PASM) and Privilege Elevation and Delegation Management (PEDM)
Acronyms abound when it comes to Privileged Access Management (PAM): PIM, PAM, PUM, and SUPM, to name a few. As PAM solutions have evolved, analyst firm Gartner has established two further classifications to highlight different approaches: Privileged Account and Session Management (PASM) and Privilege Elevation and Delegation Management (PEDM). PASM and PEDM are two categories of security tools that take distinct approaches to managing access. Read on to find out the different approaches PASM and PEDM take to protect your data, and how they can work together to maximize your security.
PASM solutions are often referred to as password vaulting. Privileged account credentials are securely created and distributed exclusively by the solution. When users need access to a specific server, they request access from the vault, and are given a temporary account with full administrative privileges. This account is only valid for a single session. Additionally, the session activity is monitored and recorded.
PEDM solutions distribute access privilege based on job roles. Instead of using temporary privileged accounts, PEDM tools assign permanent privilege to standard accounts. PEDM tools define who can have access to each part of a system, as well as what they can do with that access.
Approaches to Privileged Access Management
PASM and PEDM tools both utilize the principle of least privilege, which mandates that users only have the access necessary to their job functions. However, their approaches are vastly different in several key areas.
Accounts and passwords
PASM tools focus on specialized accounts that have full administrative privileges. These accounts don’t belong to a single user. They are instead “checked out” when someone needs additional access. The user typically never has the password to the privileged account. Instead, they are launched into a session in which the credentials are automatically injected.
PEDM tools, on the other hand, focus on standard user accounts, and tend to eliminate these specialized ‘superuser’ accounts entirely. Users gain access through the use of their own accounts, using their regular password.
PASM tools essentially utilize an “all or none” strategy when it comes to privilege. Standard user accounts have no administrative privileges. The specialized, shared accounts mentioned above have full root access. Users go through an approval workflow in order to attain permission to utilize one of these shared accounts.
PEDM uses granular access controls to grant users only the privilege they need, when and how they need it. Each user is categorized in a certain job role. Each job role is granted limited privileges based on its expected usage of an organization’s environment. For example, a web administrator may be given administrative access only to web servers, and only during regular business hours.
Since PASM tools allow users to have full administrative access for a limited amount of time, each session is carefully monitored—think of a CCTV in a store. Everything the user does during this session can be seen in real time and is recorded for additional analysis. Because of the vast amount of power an administrative account holds, careful session monitoring is critical to preventing abuse of privileges during these sessions.
Since no one user has full root privileges, monitoring is less critical for PEDM tools. Users don’t have unfettered access to an entire infrastructure, making them inherently less dangerous. However, this doesn’t mean that these solutions are without audit capabilities. Some PEDM tools have monitoring capabilities like keystroke logging to examine any unusual activity and ensure that the privilege that each user does have is not being abused.
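The following is an added example, not code from the original article or from any PEDM product it mentions. It models the role-scoped grants described earlier (a web administrator who may run a fixed set of administrative commands, only on web servers, only during business hours) as a small policy, and then replays a constructed session audit log against that policy to flag the unusual activity the previous paragraph says PEDM audit features look for. The roles, user names, host name patterns, commands, time windows and the pipe-separated log format are all assumptions made up for the example.

```python
"""PEDM-style policy evaluation and audit replay (illustrative, constructed data)."""
import fnmatch
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    """One slice of privilege: a role may run these commands on hosts matching
    host_glob, but only when the local hour is in [start_hour, end_hour)."""
    role: str
    host_glob: str
    commands: frozenset
    start_hour: int
    end_hour: int


# Constructed policy: nobody gets a shared root account; each role gets only
# the commands, hosts and hours its job function needs.
POLICY = [
    Grant("web-admin", "web-*",
          frozenset({"systemctl restart nginx",
                     "tail -n 200 /var/log/nginx/error.log"}),
          start_hour=9, end_hour=18),          # business hours only
    Grant("dba", "db-*",
          frozenset({"systemctl restart postgresql"}),
          start_hour=0, end_hour=24),          # on-call role, any hour
]

# Constructed user-to-role mapping (a standard account keeps its own login).
USER_ROLES = {
    "alice": {"web-admin"},
    "bob": {"dba"},
    "carol": set(),                            # no privileged role at all
}


def is_allowed(user, host, command, when):
    """Return (allowed, reason). Allowed only if some grant of one of the
    user's roles matches host and command AND the request is inside its window."""
    reason = "no matching grant for this user, host and command"
    for role in USER_ROLES.get(user, set()):
        for g in POLICY:
            if g.role != role or not fnmatch.fnmatchcase(host, g.host_glob) \
                    or command not in g.commands:
                continue
            if g.start_hour <= when.hour < g.end_hour:
                return True, f"granted via role {role!r} on {g.host_glob}"
            # Right role, host and command, but outside the permitted hours.
            reason = (f"role {role!r} permits this command only between "
                      f"{g.start_hour:02d}:00 and {g.end_hour:02d}:00")
    return False, reason


def check_request(user, host, command, iso_timestamp):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return is_allowed(user, host, command, datetime.fromisoformat(iso_timestamp))


def audit_session_log(lines):
    """Replay recorded privileged commands against the policy and return the
    entries that should not have been possible, as (user, host, command, reason)."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, command = line.split("|", 3)
        ok, reason = check_request(user, host, command, ts)
        if not ok:
            violations.append((user, host, command, reason))
    return violations


# Constructed session audit log: timestamp|user|host|command
SAMPLE_LOG = """\
2024-03-05T10:15:00|alice|web-01|systemctl restart nginx
2024-03-05T22:40:00|alice|web-01|systemctl restart nginx
2024-03-05T11:00:00|alice|db-01|systemctl restart postgresql
2024-03-05T03:00:00|bob|db-02|systemctl restart postgresql
2024-03-05T14:00:00|carol|web-01|systemctl restart nginx
"""

if __name__ == "__main__":
    for user, host, command, reason in audit_session_log(SAMPLE_LOG.splitlines()):
        print(f"VIOLATION {user}@{host}: {command!r} ({reason})")
```

Run as written, the replay reports three of the five recorded commands: the web administrator restarting nginx at 22:40 (right role, wrong hours), the same user touching a database host the web-admin role never covered, and a user with no privileged role at all. The design point is that the same policy object answers both questions a PEDM tool has to answer: "may this run right now?" at request time, and "should this have been possible?" when reviewing what was recorded, so the audit can never drift from the enforcement rules.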
PEDM and PASM solutions have an inherently symbiotic relationship. For example, Gartner notes that PEDM solutions are best suited for organizations looking for a more advanced PAM solution and recommends beginning with a PASM solution. With that in mind, the strengths of a PEDM solution create a stronger and more streamlined security layer. A PASM helps lay a solid foundation, but as an organization grows in size and sophistication, a PEDM will help maintain and enforce that foundation. After all, you can never have a system that is too secure.
The granular access controls of a PEDM solution mean that users don’t always need to go through the vault for system access. Regular privileged activities are defined by role, allowing the vault to be reserved for special circumstances. Fewer requests to the vault reduce the burden on the approval workflow, and when the vault is used, more attention can be given to auditing the monitored session. Additionally, security experts agree that passwords are no longer sufficient and are too easy to crack—even when utilizing a password vault. PEDM solutions provide an additional layer of protection that frees an organization from relying entirely on passwords.
When it comes to cybersecurity, there is no “one size fits all” piece of software. The various components of your infrastructure may call for different solutions. While a password vault may work best for individual applications, critical infrastructures like a server environment are better served with a PEDM solution. Though their approaches may differ, PASM and PEDM are ultimately complementary, creating an even more secure, reliable solution.
Core Privileged Access Manager (BoKS) is an award winning PEDM solution that is a perfect fit for a multi-vendor Linux and UNIX server environment. Using granular privileged access controls to successfully protect your organization’s data, Core Privileged Access Manager (BoKS) also streamlines your security with centralized management and accelerated scaling capabilities. To see just how well Core Privileged Access Manager (BoKS) can work for you, contact one of our experts today.
Curious About PEDM Solutions?
Watch this 10-minute on-demand video to see Core Privileged Access Manager (BoKS) in action.