Privileged Access Management (PAM) Solutions
Get the Facts
Privileged access management (PAM), also called privileged account management or privileged identity management, focuses on monitoring, managing and controlling privileged users and accounts. Gartner defines PAM as a set of tools designed to help companies secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access.
Unlike manual processes, spreadsheets and basic password management, PAM software offers end-to-end control of your privileged passwords, secrets, certificates and documents. PAM solutions work by putting privileged credentials inside a secure vault. System admins and other privileged users must authenticate to the PAM software in order to check out or use those credentials, and the PAM software logs, records and monitors each session. Credentials can be rotated after each use, so a password that was exposed during a session is useless afterwards. PAM solutions raise the level of security by centralizing privileged credentials, controlling who has access to them and monitoring all access for suspicious activity.
PAM solutions offer a range of features designed to help secure privileged accounts. With a PAM solution, security and IT teams can:
- Easily discover privileged accounts on systems, devices and applications for subsequent management.
- Automatically randomize, manage and vault passwords and other credentials for administrative, service and application accounts.
- Control access to privileged accounts, including shared and emergency access accounts.
- Isolate, monitor, record and audit privileged access sessions, commands and actions.
Companies are adopting PAM solutions to help address a number of business-level initiatives. PAM can serve a number of high-level functions when it comes to protecting and securing a company’s information, applications and network environment. Top PAM functions include:
- Store privileged credentials in a secure place.
- Limit the attack surface by controlling the number of service accounts.
- Establish personal accountability for the use of shared accounts.
- Identify which individuals can access, or have accessed, sensitive or personal customer data, in order to limit future access and meet compliance regulations.
- Report on, analyze and establish a secure process for granting access to sensitive data, computing or network resources.
According to Gartner’s Magic Quadrant for Privileged Access Management, two distinct categories have emerged as the predominant focus for security and risk management leaders considering investment in PAM tools. They are:
- Privileged account and session management (PASM). Privileged accounts are protected by vaulting credentials. Access to these accounts is brokered for human users, services and applications. Privileged session management (PSM) functions establish sessions with possible credential injection, and full session recording. Passwords and other credentials for privileged accounts are actively managed, such as being changed at definable intervals or upon occurrence of specific events. PASM solutions can also provide application-to-application password management (AAPM).
- Privilege elevation and delegation management (PEDM). Specific privileges are granted on the managed system by host-based agents to logged-in users. This includes host-based command control (filtering) and privilege elevation, the latter in the form of allowing particular commands to be run with a higher level of privilege.
Gartner recommends that companies evaluating PAM solutions should look for tools that offer complete PASM functionality and optional PEDM features.
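As an added illustration of the PASM workflow described above (vaulting, brokered check-out, credential injection, session recording and rotation on check-in), here is a small Python model. It is not Xton or XTAM code and does not reflect any vendor's API; the Vault and Session classes, the role and account names, and the simulated target login are all hypothetical.

```python
"""Toy model of a PASM workflow: credentials are vaulted, check-out is
brokered and policy-checked, commands are recorded, and the password is
rotated on check-in. Added illustration only; not Xton or XTAM code.
All names here (Vault, Session, roles, account names) are hypothetical."""
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 32) -> str:
    # CSPRNG-backed; a password is never reused once a session has seen it
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Session:
    session_id: str
    user: str
    account: str
    commands: list = field(default_factory=list)  # recording for playback
    active: bool = True


class Vault:
    """Privileged passwords live here; every access is brokered and audited."""

    def __init__(self, policy):
        self.policy = policy      # role -> set of accounts the role may use
        self._passwords = {}      # account -> current password (never returned)
        self._checked_out = {}    # account -> session_id currently holding it
        self.sessions = {}
        self.audit = []

    def _log(self, event, **fields):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **fields})

    def onboard(self, account):
        """A discovered account gets a fresh random password when vaulted."""
        self._passwords[account] = random_password()
        self._log("onboard", account=account)

    def fingerprint(self, account):
        """Lets an auditor confirm rotation without revealing the secret."""
        return hashlib.sha256(self._passwords[account].encode()).hexdigest()[:16]

    def open_session(self, user, role, account, mfa_ok):
        """Check-out: MFA, role policy and exclusive use are enforced here."""
        if not mfa_ok:
            self._log("denied", user=user, account=account, reason="mfa")
            raise PermissionError("MFA is required for privileged access")
        if account not in self.policy.get(role, set()):
            self._log("denied", user=user, account=account, reason="policy")
            raise PermissionError(f"role {role!r} may not use {account!r}")
        if account in self._checked_out:
            self._log("denied", user=user, account=account, reason="in-use")
            raise PermissionError(f"{account!r} is already checked out")
        session = Session(secrets.token_hex(8), user, account)
        self.sessions[session.session_id] = session
        self._checked_out[account] = session.session_id
        self._log("checkout", user=user, account=account,
                  session=session.session_id)
        return session

    def run(self, session, command):
        """The broker injects the credential; the user never receives it."""
        if not session.active:
            raise RuntimeError("session is closed")
        password = self._passwords[session.account]  # credential injection point
        session.commands.append(command)              # session recording
        self._log("command", session=session.session_id, command=command)
        # A real PSM would open SSH/RDP with `password`; this stand-in only
        # shows that the broker, not the user, is the party holding the secret.
        if not self._simulate_login(session.account, password):
            raise RuntimeError("target rejected the vaulted credential")
        return f"[{session.account}] {command}"

    def _simulate_login(self, account, password):
        return secrets.compare_digest(password, self._passwords[account])

    def close_session(self, session):
        """Check-in: rotate the password so whatever the session saw is dead."""
        session.active = False
        del self._checked_out[session.account]
        self._passwords[session.account] = random_password()
        self._log("checkin", session=session.session_id, account=session.account)

    def who_did_what(self, account):
        """The auditor's who/what for one account, read from recorded sessions."""
        return [(s.user, cmd) for s in self.sessions.values()
                if s.account == account for cmd in s.commands]
```

The design choice worth noting is that `run()` is the only place the password is read, and `close_session()` rotates it unconditionally: a user who somehow captured the secret mid-session holds nothing usable once the session is checked in, and the audit list answers who used which account and what they ran.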
Privileged accounts come in many different forms, including admin, domain, network, local, Active Directory, cloud, emergency, service and application accounts. They are used by privileged users and by machines, IT systems or cloud software to talk to one another. Privileged users have a higher level of access to critical systems within an organization: they can change system configurations, access secure data, change accounts, install software and much more.
Most companies have hundreds, if not thousands, of privileged credentials, making them hard to manage and secure. A typical organization has more privileged account logins and passwords than individual or employee logins. The accounts are usually set up once and their passwords are rarely changed.
PAM can be easily confused with identity and access management (IAM). PAM focuses strictly on accounts with privileged or admin access, while identity management focuses on any user that accesses a system. IAM solutions offer tools to authenticate and authorize access to employees, partners and customers.
According to the Verizon 2018 Data Breach Investigations Report, 80% of security breaches were the result of weak or stolen passwords. Forrester Research also reports that 80% of security breaches involve privileged credentials.
With privileged or administrative credentials, malicious actors can access your most sensitive company and customer data, move laterally through your network, evade detection, cause serious damage to your reputation and put you in violation of compliance regulations.
For example, an attacker holding Unix root or Windows administrator credentials can use them to reach other systems. Attackers can abuse application-to-application credentials, which are often not inventoried, rotated or controlled, to gain access to business-critical applications, or use privileged database credentials to modify, destroy or steal your data.
Two-factor and multifactor authentication (MFA) add a further layer to the privileged access process and are considered a must-have for organizations of all sizes. A Gartner paper stated: “At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators.” Many PAM tools integrate easily with leading MFA offerings, either through the RADIUS protocol or directly with providers such as Duo Security, Google Authenticator and YubiKey.
Today’s PAM tools are built to work on-premises, in the cloud or in a hybrid environment. Look for cloud-native PAM solutions that have been developed for SaaS (Software-as-a-Service) delivery in public or private cloud environments such as Microsoft Azure or AWS. These solutions take advantage of the scalability and microservices architectures offered by such public cloud infrastructure vendors.
Many PAM solutions take a platform-agnostic approach and support a range of protocols including RDP, SSH, HTTP(S), VNC and Telnet. They also support endpoints such as Windows, Unix, Linux, web portals, AS/400, mainframes, and Cisco, Juniper and other network devices. PAM providers that use an agile development approach are able to add support quickly for emerging PAM requirements or new device types.
A privileged session manager isolates, controls and monitors privileged user access and activity, tracking every action taken during a privileged account session. It is a key ingredient of any IT security and compliance strategy because it gives compliance officers the ability to observe a privileged session in real time or play back a recording later. Security, IT or audit staff can answer the “who”, “when” and “what” of privileged activity while maintaining the highest level of security.
Session managers do this by establishing browser-based secured access to remote desktops or shell terminals, giving employees or outside partners safe, monitored access to devices inside your network. They also support the secure use of native client applications such as PuTTY, SecureCRT and WinSCP through SSH proxy and SSH tunnel options.
Compliance regulations and internal auditors set control and reporting requirements for privileged credentials. To pass, companies must identify all privileged accounts and document what security controls are in place to manage them and protect data. PAM strategies that rely on manual processes, spreadsheets and basic password enforcement are no longer enough to satisfy regulatory or audit requirements. Dedicated PAM tools provide out-of-the-box coverage for several regulatory controls across multiple frameworks, including GDPR, NIST 800-171, ISO 27001, HIPAA, Sarbanes-Oxley and many more. PAM tools help companies discover and lock down privileged accounts, reset passwords, record sessions, monitor shared account access and provide least-privilege access to secure endpoints and accounts.
The principle of least privilege is the practice of restricting the access rights of users, accounts, computers and applications to only those resources and permissions required to perform their job. It is designed to prevent over-privileged access by users, applications or services and so limit the damage that a compromised account can do to the network or its data. PAM tools let enterprises define role-based access controls so that IT can grant privileges according to a user’s role rather than individually.
Xton Technologies makes it easy and affordable to implement PAM with a free download of Xton Access Manager (XTAM). XTAM is an end-to-end PAM solution built to protect against malicious or accidental access from both within and beyond your firewall. The XTAM platform works across the corporate network, third party cloud infrastructure and is accessible using any modern browser on the desktop or mobile.
Xton Access Manager software is brought to you by industry veterans who have been developing enterprise software in the areas of cyber security and content management since 2004. The company’s goal is simple – to help make your company secure by providing privileged access management software that is simple to install, evaluate, buy, implement and maintain – all at an affordable price point.
We are here to help you.