Privileged Access Management (PAM) refers to a class of solutions that help secure, control, manage and monitor privileged access to critical assets.
To achieve these goals, PAM solutions typically take the credentials of privileged accounts – i.e. the admin accounts – and put them inside a secure repository (a vault) isolating the use of privileged accounts to reduce the risk of those credentials being stolen. Once inside the repository, system administrators need to go through the PAM system to access their credentials, at which point they are authenticated and their access is logged. When a credential is checked back in, it is reset to ensure administrators have to go through the PAM system next time they want to use the credential.
By centralizing privileged credentials in one place, PAM systems can ensure a high level of security for them, control who is accessing them, log all accesses and monitor for any suspicious activity.
Privileged Access Management by Gartner has the following subcategories:
- Shared access password manager (SAPM)
- Superuser password manager (SUPM)
- Privileged session manager (PSM)
- Application access password manager (AAPM)
PAM password vaults (SAPM) provides an extra layer of control over admins and password policies, as well as monitoring trails of privileged access to critical systems .
Passwords can follow a veraity of password policies and can even be disposable. Session brokers, or PSMs, take PAM to another level , ensuring that administrators never see the passwords, their hardened proxy servers such as jump servers also monitor active sessions, and enable reviewers to stop admin sessions if they see something wrong. Similarly, AAPMs can release credentials just-in-time for application-to-application communication, and even modify startup scripts to replace hard-coded passwords with API calls to the password vault.
CyberArk, a market leader in the field of Privileged Account Management states that they are 7 types PAM accounts in an enterprise:
- Emergency accounts : Provide users with admin access to secure systems in the case of an emergency. Access to these accounts requires IT management approval for security reasons, it is usually a manual process that lacks any security measures.
- Local Administrative Accounts : Are shared accounts which provide admin access to the local host or session only. These local accounts routinely used by the IT staff for maintenance on workstations purposes and also servers, network devices, servers mainframes and other internal systems. It has been proven in the past that IT professionals tent to reuse passwords across an organization for ease of use. This shared password is sometime used across thousands of servers and services and is a target that advanced persistent threats are known to exploit.
- Application Accounts : These accounts are used by applications to access databases, run cron jobs or scripts, or provide access to other applications. These privileged accounts usually have access to sensitive critical information that resides in applications and databases for example Zapier integrated accounts. Passwords for these accounts are often embedded and stored in plain text files, a vulnerability that is copied across multiple channels and servers to provide an inherit fault for applications. This vulnerability is well know and is targeted by advance persistent threats (APT) .
- Active Directory or Windows domain service account : Are a challenge to secure to say the least, password changes can be even more challenging as they require synchronization across multiple ecosystems and applications . This challenge often leads to a practice of rarely changing application account passwords to avoid directory sprawl which creates a single point of failure in a critical system such as Active Directory.
- Service Accounts : are local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have administrative privileges on domains depending based on the requirements of the application they are used for.
- Domain Administrative Accounts : Super admins who have privileged access across all workstations and servers within the organization domain and provide the most extensive access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, they are a constant threat to organizations and are widely targeted by hackers.
- Privileged User Accounts : Are users that are granted administrative privileges to systems. Privileged User Accounts are one of the most common forms of accounts access granted on an enterprise domain, allowing users to have admin rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords but most of the times are protected by passwords alone.
PAM Multi Factor Authentication
For companies running a PAM solution, the time has come to choose the correct platform to access that solution that will keep privileged accounts secure.
A Multi factor Authentication (MFA) solution is a must. As a recent Gartner research paper concluded: “At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators.”
Choosing a password-free high assurance solution does more than secure authentication systems. It also eliminates the cost associated with passwords such as help desk calls and password resets. Furthermore, going passwordless brings user experience (UX) to a new level, by streamlining the authentication process. No more storing and remembering credentials, and no more carrying around additional devices for verification.
Secret Double Octopus CyberArk Authentication Solution