Privileged Access Management (PAM)
Privileged Access Management (PAM) refers to a class of solutions that help secure, control, manage and monitor privileged access to critical assets.
To achieve these goals, PAM solutions typically take the credentials of privileged accounts – i.e. the admin accounts – and put them inside a secure repository (a vault) isolating the use of privileged accounts to reduce the risk of those credentials being stolen. Once inside the repository, system administrators need to go through the PAM system to access their credentials, at which point they are authenticated and their access is logged. When a credential is checked back in, it is reset to ensure administrators have to go through the PAM system next time they want to use the credential.
By centralizing privileged credentials in one place, PAM systems can ensure a high level of security for them, control who is accessing them, log all accesses and monitor for any suspicious activity.
Gartner divides Privileged Access Management into the following subcategories:
- Shared access password manager (SAPM)
- Superuser password manager (SUPM)
- Privileged session manager (PSM)
- Application access password manager (AAPM)
PAM password vaults (SAPM) provide an extra layer of control over admins and password policies, as well as monitoring trails of privileged access to critical systems.
Passwords can follow a variety of password policies and can even be disposable. Session brokers, or PSMs, take PAM to another level, ensuring that administrators never see the passwords; their hardened proxy servers (such as jump servers) also monitor active sessions and enable reviewers to stop an admin session if they see something wrong. Similarly, AAPMs can release credentials just-in-time for application-to-application communication, and even modify startup scripts to replace hard-coded passwords with API calls to the password vault.
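The check-out, audit and reset-on-check-in cycle described above, together with an AAPM-style just-in-time release to an application, as an added worked example (constructed for this page; it is not CyberArk's, Gartner's or any vendor's code). The class and method names (CredentialVault, checkout, checkin, lease_for_app), the admin login secret and the target account name are all assumptions made for the illustration; the point is that the target password is only ever handed out through an authenticated, logged check-out and becomes useless the moment it is checked back in.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the PAM check-out / check-in workflow and of a
# just-in-time application lease. Class and method names are assumed for this
# example and do not correspond to any vendor's API.

class CredentialVault:
    def __init__(self):
        self._passwords = {}      # account -> current password; only leaves via checkout/lease
        self._checked_out = {}    # account -> actor currently holding it
        self._admin_hashes = {}   # actor -> sha256(login secret); assumed PAM login method
        self._leases = {}         # lease id -> (app, account, expiry)
        self.audit = []           # (actor, action, account, ok) for every attempt

    def enrol_admin(self, actor, login_secret):
        self._admin_hashes[actor] = hashlib.sha256(login_secret.encode()).hexdigest()

    def onboard_account(self, account):
        # Onboarding immediately replaces whatever password the account had.
        self._passwords[account] = secrets.token_urlsafe(24)

    def _authenticate(self, actor, login_secret):
        expected = self._admin_hashes.get(actor)
        if expected is None:
            return False
        given = hashlib.sha256(login_secret.encode()).hexdigest()
        return hmac.compare_digest(expected, given)

    def _log(self, actor, action, account, ok):
        self.audit.append((actor, action, account, ok))

    # SAPM behaviour: exclusive, authenticated check-out; rotation on check-in.
    def checkout(self, actor, login_secret, account):
        if not self._authenticate(actor, login_secret) or account not in self._passwords:
            self._log(actor, "checkout", account, False)
            raise PermissionError("authentication failed or unknown account")
        if account in self._checked_out:
            self._log(actor, "checkout", account, False)
            raise RuntimeError("account already checked out")
        self._checked_out[account] = actor
        self._log(actor, "checkout", account, True)
        return self._passwords[account]

    def checkin(self, actor, account):
        if self._checked_out.get(account) != actor:
            self._log(actor, "checkin", account, False)
            raise PermissionError("actor does not hold this account")
        old = self._passwords[account]
        self._passwords[account] = secrets.token_urlsafe(24)  # reset: the value the admin saw is now useless
        del self._checked_out[account]
        self._log(actor, "checkin+rotate", account, True)
        return self._passwords[account] != old

    # AAPM behaviour: short-lived release to an application instead of a hard-coded password.
    def lease_for_app(self, app_id, account, now, ttl_seconds=60):
        if account not in self._passwords:
            self._log(app_id, "lease", account, False)
            raise PermissionError("unknown account")
        lease_id = secrets.token_hex(8)
        self._leases[lease_id] = (app_id, account, now + ttl_seconds)
        self._log(app_id, "lease", account, True)
        return lease_id, self._passwords[account]

    def lease_is_valid(self, lease_id, now):
        entry = self._leases.get(lease_id)
        return entry is not None and now < entry[2]

    # Monitoring hook: repeated failures by one actor are what a reviewer looks for.
    def failed_attempts(self, actor):
        return sum(1 for a, _, _, ok in self.audit if a == actor and not ok)


def demo():
    """Walk an admin and an application through the vault; returns a summary dict."""
    vault = CredentialVault()
    vault.enrol_admin("alice", "correct-horse-battery")   # constructed login secret
    vault.onboard_account("srv01/Administrator")           # constructed target account
    first = vault.checkout("alice", "correct-horse-battery", "srv01/Administrator")
    rotated = vault.checkin("alice", "srv01/Administrator")
    second = vault.checkout("alice", "correct-horse-battery", "srv01/Administrator")
    vault.checkin("alice", "srv01/Administrator")
    try:  # an unenrolled actor leaves a failed audit entry instead of getting a password
        vault.checkout("mallory", "guess", "srv01/Administrator")
    except PermissionError:
        pass
    lease_id, _ = vault.lease_for_app("report-job", "srv01/Administrator", now=1000)
    return {
        "rotated_on_checkin": rotated,
        "password_changed": first != second,
        "mallory_failures": vault.failed_attempts("mallory"),
        "lease_valid_at_1030": vault.lease_is_valid(lease_id, 1030),
        "lease_valid_at_1061": vault.lease_is_valid(lease_id, 1061),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the summary from demo(): the check-in rotated the password, the second check-out returned a different value from the first, the unenrolled actor produced exactly one failed audit entry, and the application lease is valid at 1030 but not at 1061. A real deployment would back the audit list with append-only storage and have the reviewer-facing monitoring consume it, which this in-memory stand-in leaves out.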
CyberArk, a market leader in the field of Privileged Account Management, states that there are 7 types of PAM accounts in an enterprise:
- Emergency accounts: provide users with admin access to secure systems in the case of an emergency. Access to these accounts requires IT management approval for security reasons; it is usually a manual process that lacks any security measures.
- Local Administrative Accounts: shared accounts which provide admin access to the local host or session only. These local accounts are routinely used by IT staff for maintenance on workstations, servers, network devices, mainframes and other internal systems. It has been proven in the past that IT professionals tend to reuse passwords across an organization for ease of use. Such a shared password is sometimes used across thousands of servers and services and is a target that advanced persistent threats are known to exploit.
- Application Accounts: accounts used by applications to access databases, run cron jobs or scripts, or provide access to other applications. These privileged accounts usually have access to sensitive, critical information that resides in applications and databases (for example, Zapier-integrated accounts). Passwords for these accounts are often embedded and stored in plain-text files, a weakness that is copied across multiple channels and servers and becomes an inherent fault of the applications. This vulnerability is well known and is targeted by advanced persistent threats (APTs).
- Active Directory or Windows domain service accounts: a challenge to secure, to say the least; password changes can be even more challenging, as they require synchronization across multiple ecosystems and applications. This challenge often leads to the practice of rarely changing application account passwords to avoid directory sprawl, which creates a single point of failure in a critical system such as Active Directory.
- Service Accounts: local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have administrative privileges on domains, depending on the requirements of the application they are used for.
- Domain Administrative Accounts: super admins who have privileged access across all workstations and servers within the organization's domain and provide the most extensive access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, they are a constant threat to organizations and are widely targeted by hackers.
- Privileged User Accounts: users that are granted administrative privileges to systems. Privileged User Accounts are one of the most common forms of account access granted on an enterprise domain, allowing users to have admin rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords, but most of the time they are protected by passwords alone.
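The application-account item above notes that passwords for such accounts are often embedded in plain-text scripts and configuration files. Finding those literals is the first step toward moving them into the vault, so here is an added example (constructed for this page, not CyberArk's or any product's code) of a small scanner that flags credential-looking assignments while leaving references to a vault lookup, an environment variable or a shell expansion alone. The sample files, the regular expressions and the redaction rule are all assumptions for the illustration; purpose-built tools such as gitleaks do this far more thoroughly.

```python
import re

# Constructed sample files standing in for the plain-text config, script and
# source files where application credentials tend to be embedded. Every value
# below is made up for this example.
SAMPLE_FILES = {
    "deploy.sh": "#!/bin/sh\nexport DB_PASSWORD='Winter2023!'\npsql -U app -c 'select 1'\n",
    "app.ini": "[database]\nuser = svc_report\npassword = hunter2\n",
    "settings.yaml": "api_key: \"${API_KEY}\"\ntoken: <redacted>\n",
    "backup.py": "import os\npassword = vault.get('db/prod')  # just-in-time\ntoken = os.environ['TOKEN']\n",
}

# "key = value" or "key: value" where the key looks like a credential field.
CREDENTIAL_RE = re.compile(
    r"(?i)(?P<key>pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]+)"
)
# Values that are references rather than literals: vault lookups, environment
# variables, shell expansions and already-redacted placeholders.
REFERENCE_RE = re.compile(r"(?i)(vault|os\.environ|getenv|\$\{?[A-Z_]+|<redacted>|\*{3,})")


def redact(value):
    """Keep just enough of a literal to confirm a finding without copying the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "***"


def scan_text(filename, text):
    """Return one finding per line that assigns a credential-looking literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_RE.search(line)
        if not m or REFERENCE_RE.search(m.group("value")):
            continue
        findings.append({
            "file": filename,
            "line": lineno,
            "key": m.group("key"),
            "value": redact(m.group("value")),
        })
    return findings


def scan_files(files):
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: literal {f['key']} = {f['value']}")
```

On the constructed files the scanner reports the shell export in deploy.sh and the password line in app.ini, and stays silent on settings.yaml and backup.py, whose values are an environment reference, a placeholder, a vault call and an os.environ lookup. The redacted value in each finding is what should go into a ticket or report; the literal itself never needs to be copied out of the file.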
Privileged access refers to access to a system (on-premise or cloud) that is above the baseline a regular user logs in with. Organizations have different tiers of systems according to the level of risk associated with breaching or misusing the system.
Privileged access accounts are accounts whose users have access to system-critical resources and therefore need to be protected and monitored.
PAM helps customers secure and control their privileged user accounts to ensure better security and governance, and also to comply with some regulations.
Privileged identity management (PIM) and privileged access management (PAM) are often used interchangeably and mean the same thing – securing, controlling, managing and monitoring privileged access to critical assets.
PAM solutions take privileged account credentials – i.e. the admin accounts – and put them inside a secure repository – a vault. Once inside the vault, system administrators need to go through the PAM system to access the credentials, at which point they are authenticated and their access is logged. When a credential is checked back in, it is reset to ensure administrators have to go through the PAM system next time they want to use a credential.
Generally speaking, PAM does not need AD DS. When deployed with AD, PAM’s purpose is to re-establish control over a compromised Active Directory environment by maintaining an isolated, highly-secured environment for privileged account credentials.
PAM can be integrated with AD DS for domain account authentication and authorization.
PAM creates an isolated, highly secured and tightly controlled environment for storing privileged credentials and controlling access to them. It also ensures granular usage tracking for privileged accounts (i.e. admin accounts), which are typically shared accounts.
Privileged session management protects target systems by enabling access without exposing sensitive credentials, leveraging a secure jump server (secured administrative host); it monitors and records privileged sessions to meet audit requirements and stops suspicious privileged sessions in real time.