What Is Privileged Access Management (PAM)?

Privileged Access Management, also known as PAM, is a critical security control that enables organizations to simplify how they define, monitor, and manage privileged access across their IT systems, applications, and infrastructure.

privileged-access-management

 

With full control over privileged accounts, IT and security teams can help prevent internal and external attacks on critical systems before they start.

Because administrator accounts have elevated privileges that can access valuable data and execute applications or transactions—often with little or no tracking control—it can be very difficult to manage privileged accounts. Privileged Access Management software centralizes management of administrator profiles and ensure least privileged access is enforced to give users only the access they need.

Organizations rely on PAM security not only for its efficiency, but also because they are often mandated by regulations, including Sarbanes-Oxley (SOX) Section 404, the Federal and North American Energy Regulations Commission (FERC/NERC), HIPAA 2, and state level regulations such as the California Information Practice Act and the Massachusetts privacy law 201CMR17.

Read More >

Text

 

PASM and PEDM

As Privileged Access Management has evolved, Gartner has established two further classifications to highlight different mechanisms of PAM solutions. These include Privileged Account and Session Management (PASM) and Privilege Elevation and Delegation Management (PEDM). PASM and PEDM are two categories of security tools that have distinct approaches in how they manage access. Both PASM and PEDM tools use the principle of least privilege, which mandates that users only have the access necessary to their job functions. While both solutions have the same goals, they have different mechanisms in how the target account is protected and accessed.

Read More >
 
 

 

PASM

PASM solutions are often referred to as password vaulting. Privileged account credentials are securely created and distributed exclusively by the solution. When users need access to a specific server, they request access from the vault, and are given a temporary account with full administrative privileges. This account is only valid for a single session. Additionally, the session activity is monitored and recorded.

 

What Are Privileged Accounts?

Text

Privileged accounts are considered elevated accounts within your IT environment that hold the 'keys to the kingdom.' These types of accounts frequently have privileges to access valuable data and execute any application or transaction, typically with little or no tracking or control. A privileged account can take the form of an Administrator in Windows environments or Root in UNIX or Linux environments.

Each organization should determine what is classified as privileged data, where it is, and who has access to it. Control of privileged accounts is a major factor in compliance across regulations in every industry. Here are common types of privileged accounts:

  • Local Admin Accounts
  • Privileged User Accounts
  • Domain Admin Accounts
  • Emergency User Accounts
  • Service Accounts
  • Application Accounts

Text

Because of their elevated access, privileged accounts have more significant risks than non-privileged accounts and have more potential for exploit or abuse. Privileged accounts, which can number in the hundreds in some enterprises, are frequently not tied to specific individuals, so the accounts can be used to do virtually anything, with little or no possibility of detection. 

Read More >

How to Select the Right PAM Approach

Text

Organizations struggling to achieve effective protection of privileged and root accounts often wonder what the best approach to Privileged Access Management is for their business. Here we examine three of the most common approaches to PAM within organizations today:

Home-Grown Privileged Access Management

Home-grown solutions are typically based on operating system capabilities, available utilities such as 'sudo,' clever password management procedures, and a lot of scripts. Home-grown solutions can become extremely costly and require system administrators to do considerable programming. Home-grown solutions are also often found insufficient from an auditor’s perspective. With sensitive information subject to insider threats, the capabilities of home-grown solutions are quickly superseded. 

Combination of Open Source and Commercial PAM Solutions

Some organizations look to combine various commercial or open source point solutions to create an operating system environment that provides an effective approach to protecting privileged accounts. This typically involves using one solution for user provisioning, another for centrally managed secure communications (SSH), a third for password management, and possibly another tool for audit log consolidation.

While combined solutions can amount to something powerful, one important aspect is lost: centralized access management on one security system. Combining multiple technical solutions into one leaves conceptual gaps, which in turn lead to security flaws and inefficient management. And while cost-focus may be the primary driver for this option, it typically ends up costing more and exposing organizations up to more risk than commercial options.

Commercial Privileged Access Management Solutions

Organizations that want to centralize management of their privileged accounts, secure systems without slowing down productivity, and easily enforce least privileged access look to commercially available PAM solutions. Investing in an agile Privileged Access Management solution specific to your multi-platform environment provides all of the components needed for effectively protecting privileged and root accounts both proactively and adaptively, without all of the overhead, costs, and complexities of full-blown identity and access management infrastructures. 

Commercial PAM solutions simplify an organization’s ability to enforce security policies, control access to critical systems and information, and provide full control over accounts, access and privilege, so IT and security teams can proactively prevent internal and external critical system attacks before they start.

Text

What Are the Benefits of PAM Solutions?

 

Improve Security with Granular Privileged Access Controls

Card image cap

Effective Privileged Access Management defines who can have access to each part of a system and specifies what they can do with that access. This eliminates privileged password sharing and enables you to track administrator and account activities in detail so you can specifically identify who has done what. 

Read More > 

What Are Requirements for Controlling Privileged Accounts?

Text

The challenges associated with controlling privileged and root accounts within a multi-platform environment increases quickly as the number of people who need powerful administrative access for various job functions grows.

Wheel of privileged users being organized and monitored with a Privileged Access Management solution.

 

Text

To effectively and efficiently control privileged accounts, a combination of adaptive access management capabilities is required:

  • Centralized Management of User Accounts Across All Real and Virtual Servers:
    Centralized administration of user accounts across your heterogeneous Linus/UNIX server environment ensures you can monitor and audit which users have access on which machines. 
     
  • Integration with Existing Corporate Directories:
    With multiple corporate directories and identity management systems, privileged account management must integrate seamlessly, so that team and group identities can be associated automatically to the correct systems, applications, and data.
     
  • Contextual Authentication:
    Contextual authentication enables organizations to target strong authentication to particular servers and roles that bring a higher level of risk.
  • Secure Keystroke Logging:
    For sensitive sessions, you must also have the ability to adapt to enforce full keystroke logging, so administrator activities can be tracked in full detail.
     
  • Granular Access Control:
    Instead of allowing functional accounts like 'root' or 'sysdba' to log in, you need to have enforceable authorization rules that mandate the use of individual and auditable user accounts. Implement fine grain security controls to define and enforce who is granted elevated privilege, when, how and from where.
     
  • Consolidated Audit Logging:
    Protecting privileged accounts includes centralized audit logging with a detailed record of user activities. Effective PAM solutions should deliver consolidated audit logs and reports from across your server domains and be kept on a separate security domain.

          Read More >

Privileged Access Management from Core Security 


 

Text

Identity & Access Manager (BoKS)

Identity, Account, and Privileged Access Management Platform for Linux and UNIX