Due to their access rights, privileged accounts are a critical target for attackers looking to extend their reach deeper into a targeted environment. Privileged access management (PAM) tools are designed to address this challenge and encompass different types of solutions used to monitor, protect, and manage those accounts.
According to Gartner (Magic Quadrant for Privileged Access Management, August 2020), privileged access management (PAM) tools offer one or more of the following features:
- Discover, manage, and govern privileged accounts (i.e., accounts with superuser/administrator privileges) on multiple systems and applications.
- Control access to privileged accounts, including shared and emergency access.
- Randomize, manage, and vault credentials (password, keys, etc.) for administrative, service, and application accounts.
- Provide single sign-on (SSO) for privileged access to prevent credentials from being revealed.
- Control, filter, and orchestrate privileged commands, actions, and tasks.
- Manage and broker credentials to applications, services, and devices to avoid exposure.
These tools fall into three categories: privileged account and session management (PASM), privilege elevation and delegation management (PEDM), and secrets management. PASM solutions provide protection by vaulting account credentials, enabling full-session recording at the vault or gateway level, and brokering access for users, services, and applications. Modern PASM solutions are characterized by being delivered as a cloud-architected, highly scalable service.
Privilege elevation and delegation management (PEDM) solutions, meanwhile, provide host-based command control (filtering) as well as privilege elevation and allow organizations to strengthen security by only granting admin rights for individual tasks, applications, or scripts that require them on a limited basis. This type of fine-grained capability allows an organization to effectively implement the principle of least privilege and provide workers with just enough access to do their jobs.
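To make the PEDM idea of host-based command control concrete, here is a small added example (not code from the original article or from any vendor's product) of a policy evaluator that decides whether a user may run a given command with elevated rights. The policy, the user names, and the commands are constructed for illustration; a real PEDM agent would enforce this at the host, record the session, and ship the decision to an audit log. The contrast between the narrow rules for the `ops` user and the unrestricted rule for `legacy-admin` shows why per-task grants matter.

```python
"""Toy host-based command-control (PEDM-style) policy check.

Added educational example; the rule format and sample policy are
constructed here and are not any product's real configuration.
"""
import fnmatch
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: which user may elevate which binary with which arguments."""
    user: str
    binary: str              # absolute path, matched exactly ("*" = any binary)
    args: tuple = ()         # fnmatch patterns, one per argument, matched positionally
    any_args: bool = False   # True = no argument restriction (the weak, over-broad form)


# Constructed sample policy: least-privilege grants for "ops", and one
# over-broad legacy grant kept only to show the contrast.
POLICY = (
    Rule("ops", "/usr/bin/systemctl", ("restart", "nginx")),
    Rule("ops", "/usr/bin/systemctl", ("status", "*")),
    Rule("ops", "/usr/bin/journalctl", ("-u", "nginx*")),
    # Equivalent to a blanket "run anything as root" grant; avoid in practice.
    Rule("legacy-admin", "*", any_args=True),
)


def evaluate(user: str, cmdline: str, policy=POLICY) -> tuple[bool, str]:
    """Return (allowed, reason) for elevating `cmdline` on behalf of `user`.

    The binary must be given as an absolute path so that PATH lookups cannot
    change which program actually runs; argument count and each argument
    pattern must match a rule exactly.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not argv:
        return False, "empty command line"

    binary, args = argv[0], argv[1:]
    if not binary.startswith("/"):
        return False, "binary must be an absolute path"

    for rule in policy:
        if rule.user != user:
            continue
        if rule.binary != "*" and rule.binary != binary:
            continue
        if rule.any_args:
            return True, f"allowed by unrestricted rule (binary pattern {rule.binary!r})"
        if len(args) != len(rule.args):
            continue
        if all(fnmatch.fnmatchcase(a, p) for a, p in zip(args, rule.args)):
            return True, f"allowed by rule {binary} {' '.join(rule.args)}"

    return False, "no matching rule; elevation denied"


if __name__ == "__main__":
    for user, cmd in (
        ("ops", "/usr/bin/systemctl restart nginx"),
        ("ops", "/usr/bin/systemctl restart sshd"),
        ("ops", "/bin/bash"),
        ("ops", "systemctl restart nginx"),
        ("legacy-admin", "/bin/bash"),
    ):
        allowed, reason = evaluate(user, cmd)
        print(f"{user:13} {cmd:40} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Run as a script, the table shows that `ops` can restart nginx and query service status but cannot restart other services, open a shell, or bypass the absolute-path requirement, while `legacy-admin` can run anything. Replacing rules of the second kind with rules of the first kind is the practical work of applying least privilege with a PEDM tool.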
The final category of privileged access management tools is secrets management software. These tools store and manage credentials and secrets for software applications and machines, and they expose those secrets programmatically through APIs and SDKs.
Each of these tools needs to support a much more diverse IT ecosystem today than in the past. Legacy privileged access management (PAM) solutions were effective when all privileged access was limited to systems located inside an organization’s network but are insufficient to meet the needs of the modern enterprise. Privileged access management (PAM) must now integrate with an ecosystem that includes Infrastructure-as-a-Service (IaaS) offerings such as Amazon Web Services and Microsoft Azure, as well as DevOps tools like Puppet and Chef. It must also integrate with container solutions like Docker and Kubernetes.
Privileged access management is different from identity and access management (IAM) in that identity and access management (IAM) focuses on handling authentication and authorization for all manner of accounts. Privileged access management (PAM), however, is centered on privileged accounts, which have access to business-critical resources and data. Implemented properly, privileged access management (PAM) systems reduce risk and enhance regulatory compliance efforts. With effective monitoring and management, organizations can detect malicious activity, eliminate orphaned accounts, and provide an audit trail necessary to demonstrate that the requirements of various standards and government regulations have been met.
When selecting your privileged access management tools, you should ideally go for a vendor that offers privileged account and session management (PASM), privilege elevation and delegation management (PEDM), and secrets management solutions that are fully integrated into an underlying platform. This approach allows you to grow with your business needs and minimize the number of siloed point solutions you would otherwise have to maintain to address all the different use cases associated with privileged access management (PAM). Work you have done for one use case can easily be applied to another, because the underlying data objects allow for reusability. This shortens time-to-value significantly. Another consideration in your selection process should be the vendor’s flexibility to offer both a client-based and a client-less approach to manage individual use cases. The client-based approach should establish a root of trust for your systems, providing granular, host-based access controls down to the command level, as well as host-based, DVR-like session monitoring that is increasingly mandated by newer regulations.