Privileged accounts are among an organization’s biggest cybersecurity concerns. These accounts give admins control over data, applications, infrastructure and other critical assets that average system users don’t have permission to access or change. If a hacker gains access to a privileged account, he or she could inflict significant damage, so any unauthorized access to a privileged account is about as dangerous as a cyberattack can get.
What is Privileged Access Management (PAM)?
Enter Privileged Access Management (PAM). Privileged access management solutions monitor, manage and secure privileged credentials by detecting threats and brokering access while keeping users efficient at completing their tasks. PAM software is based on the principle of least privilege, which means granting users access to and control over only the specific segments of a network they need to do their job. Under privileged access management, credentials must be verified before privileged users can enter a system, and policies are assigned to limit what actions they can take. This methodology improves security throughout the overall system while also optimizing workflows and productivity by removing the ability to waste time on unnecessary systems and applications.
PAM security tools leverage powerful automation capabilities and user-friendly features to build just-in-time (JIT) privileged access programs and zero trust security frameworks. These solutions are typically available as software products or software-as-a-service (SaaS) offerings, depending on the environment, whether on-premises data centers or hybrid and cloud systems.
Privileged Access Management vs IAM
PAM and Identity and Access Management (IAM) go hand in hand but serve different purposes. PAM is focused on defining and controlling privileges for more robust administrative tasks for sysadmins, superusers and other privileged access accounts. IAM manages access for general users and customers within applications, such as logging into accounts for emails or subscription services.
IAM generally has a smaller attack surface, as it focuses on users who only need access to a small number of business-specific applications. PAM focuses on larger actions such as the bulk download or alteration of databases that might give sysadmins access to a large number of accounts or critical data. These tasks create a much larger attack surface and a greater risk of a data breach, making PAM an essential tool in securing a network and its assets.
PAM is usually a subset of broader IAM frameworks, but it should be first in line as it delivers the connection between privileged users and the role-based accounts they require to do their job.
What is the Difference Between PAM and Zero Trust Security?
The Zero Trust Security model embraces the philosophy of trust nothing and verify everything, as opposed to traditional castle-and-moat models focused primarily on perimeter security. Least privilege access is at its core, requiring every single connection within a network to be authenticated and authorized before it is granted access to a system. This relies on governance policies for authorization. PAM is the utility that verifies the permissions of administrative users according to these policies. Without PAM, zero trust security would be difficult if not impossible.
As cybercrime has grown in both frequency and severity, zero trust’s advantages have become increasingly clear. Now, 77% of IT decision-makers use a zero trust approach somewhere in their security infrastructure, according to ThycoticCentrify research. As this trend grows, tools like PAM that enable this kind of security will become more important.
What to Look for in Privileged Access Management Software
Multi-factor authentication (MFA) is a core component of PAM solutions, so the best tools offer multiple MFA and authentication options, including compatibility with third-party MFA programs. In-depth audit trails, which provide more transparency, are another feature businesses should look for.
Support for remote systems and hybrid hosting environments isn't standard but is important for today's workforces, so some businesses may look for these features. Similarly, businesses with small IT teams or complex environments may need security information and event management (SIEM) software integration. Other features like artificial intelligence (AI)-based automation and user behavior analytics are ideal, too, for ease of management and detecting anomalous behavior.
Best Privileged Access Management (PAM) Software
ARCON Privileged Access Management
Arcon Privileged Access Management can be delivered as both software or SaaS. It provides Privileged Account and Session Management (PASM) capabilities for all systems, as well as Privilege Elevation and Delegation Management (PEDM) for Windows and UNIX/Linux systems. Its impressive discovery capabilities can monitor and identify Active Directory (AD) users, network devices, databases and some applications. The smart session management feature can flag access to the most high-risk systems to help prioritize remediation efforts.
Arcon lacks many out-of-the-box technology integrations and primarily leans on APIs, which leaves more implementation and support effort to security teams. This PAM solution is best suited for midsize to large enterprises with mature use cases and the ability to build adjacent integrations through open APIs.
BeyondTrust
BeyondTrust Privilege Management is available as software or as a virtual appliance coupled with hardware for Windows, macOS, and UNIX/Linux. It has powerful discovery capabilities that include network and IaaS asset scanning. It beats out Arcon with more out-of-the-box adjacent technology integrations. Privilege Management also supports sandboxing and allow/deny/isolate functions for applications and Windows. File integrity monitoring is supported on Windows and UNIX/Linux systems.
It does provide clustering and high availability functions; however, it relies on high availability for Disaster Recovery (DR) scenarios and lacks a true "break glass" capability to allow access to passwords in emergency situations. But it remains an advanced tool that caters to large global enterprises with mature PASM and PEDM use cases.
CyberArk Privileged Access Security
CyberArk Privileged Access Security is a robust solution that offers PEDM capabilities for Windows and Mac, as well as an On-Demand Privileges Manager (OPM) for UNIX/Linux systems. It also has a separate SaaS offering called CyberArk Privilege Cloud for hybrid and cloud environments.
It boasts advanced discovery capabilities and service account management to support virtually any use case. Its break glass capability provides access to information even when the PAM tool is unavailable. It leads the pack in governance and administration with short-term, long-term and ephemeral access policies.
Privileged Access Security provides automation features for deployment but users still report deployment and upgrades are more complex to manage compared to competitors. The scanning and discovery tools in the SaaS offering are less mature than in the software product version but it’s a good choice for midsize to large enterprises that require on-demand scaling.
Foxpass
Foxpass’s primary business model is as a SaaS solution, but it’s also available as a self-hosted program for Windows, macOS and Linux. The biggest draw of this solution is its flexibility and control, offering multiple integrations and control options to fit into any IT environment. It integrates with Office 365, Google Workspace, Okta and more for both cloud-based and on-premises systems.
Administrators can manage MFA rules, password rotations and password requirements, then automate their enforcement. Automated threat detection takes this ease-of-use further. In the event of network downtime, Foxpass also includes a local cache feature to keep it running. Its highly configurable nature makes it ideal for experienced digital-native companies, but this may be overwhelming for teams newer to these types of software.
Iraje Privileged Access Manager
Iraje may not have the name recognition of some other competitors, but its PAM solution is one of the most competitive available. The SaaS tool can scale to support hundreds of users and thousands of devices. It also features many automation capabilities to help manage these networks, including automated alerts, password rotation, behavioral analytics and reporting.
This solution also includes compliance audit features. Some businesses, like those that fall under the Data Protection Act, must meet standards like ISO 27001, and these audits can help ensure compliance with them. Iraje Privileged Access Manager works across all operating systems and browsers, but it’s best for Windows ecosystems, as many of its third-party integrations fall into that category.
One Identity
One Identity's Safeguard for Privileged Sessions is only available as a hardware or virtual appliance. Its discovery capabilities aren't market-leading but they are integrated into the main product instead of requiring customers to purchase a stand-alone software solution. It has impressive session management functionality with transparent gatewaying, OCR analysis for live sessions, command filtering, and SQL protocol logging for Microsoft SQL Server. Native governance and administration capabilities are pretty basic but can be improved thanks to integration with the One Identity IGA tool.
This is not the tool for companies looking to automate a lot of PAM processes. It requires users to build scripts for basic automated admin tasks. It also lacks break glass capabilities.
Senhasegura
Senhasegura Privileged Access is delivered only as a virtual image. Its account discovery capabilities are highly extensible with many automation and input connectors, as well as prebuilt integrations with configuration management database (CMDB) and IT operations monitoring (ITOM) systems. Users praise its logging and analytics features, which come with searchable out-of-the-box reporting templates and an impressive graphical user interface (GUI).
Senhasegura Privileged Access is certainly not the best choice for a team looking for easy ways to extend functionality. The solution relies heavily on scripting yet the product documentation is surprisingly limited. So expect to perform a lot of independent research.
ThycoticCentrify
Thycotic and Centrify both previously made this list. Now that they’re merging, we’ll put both together here as the merged company develops.
Centrify's PAM solution includes Vault, Cloud, Server and Threat Analytics suites, available as software but primarily offered as SaaS to cater to hybrid and cloud environments that require on-demand scaling. This is a good option for organizations with a focus on making data-driven decisions, as it provides advanced privileged access logging and analytics presented through a variety of built-in reports and support for SQL queries. Centrify also caters to largely remote companies by including a remote PAM tool. Account discovery capabilities could use further development, with primary focuses on Active Directory and network scanning. But its break glass capability, provided through its escrow function, is a big win for emergency access. It's able to export passwords and other sensitive data into CSV files that can then be encrypted and stored securely. Centrify is a good option for global enterprises with a need for AD bridging capabilities but not for macOS systems.
Thycotic Secret Server is available as both software and SaaS. Its credential management is great for Windows systems as it offers extensive support for a variety of Windows service accounts. Thycotic offers some useful add-ons at an additional cost, such as its Account Lifecycle Manager and the Connection Manager to support remote privileged access. It doesn’t have break glass capabilities and advises file copy backups for DR scenarios. Its software is an efficient tool for midsize and large enterprises and is likely the better option over the SaaS offering unless on-demand scalability and availability are a prime concern.
WALLIX Bastion
The main selling point of WALLIX Bastion is its session management functionality and advanced governance and administration, which offers advanced features such as optical character recognition (OCR) analysis for live sessions. It also makes automation a priority with options to automate repetitive password policy tasks. Its unique break glass function uses email encryption to gain access when the PAM tool is not available.
WALLIX Bastion’s account discovery is lacking as it’s limited to Active Directory and local account and network scanning. Its event trigger automation controls are also limited to SIEM systems. Overall, it’s an intermediate PAM solution for midsize to large enterprises.
Privileged Access Management best practices
Here are some tips and best practices for ensuring your privileged access management lifecycle stays secure.
Identify Privileged Accounts
The exact parameters that determine what counts as a privileged account vary for every organization according to the needs of the business. Not knowing exactly what a privileged account looks like creates vulnerabilities. Without this knowledge, you can't create concrete governance policies. Start by mapping out which functions of your organization rely on which data, systems and applications. Then create a profile of who in your organization will have privileged access to these resources and when those accounts will be used. This information will inform your governance, which ensures that privileged accounts are properly monitored and controlled.
Define Governance
Well-defined privileged access governance is key to effectively monitoring and controlling privileged accounts throughout the entire lifecycle. Comprehensive governance entails defining roles, policies and mechanisms for access requests, approvals and delivery. After identifying what a privileged account is within your organization, you can draft policies that ensure accounts only gain access to the information they need, when they need it.
Continuously Monitor Account Activity
Continuous session monitoring and auditing should always be in place in the privileged account lifecycle. When breaches occur, records of account use will help security teams quickly identify the root cause of the issue. This information can also be cross-referenced with the account privileges to identify what policy controls need to be re-configured and improved.
Get Buy-In From Your Organization
Members of your organization need to understand what privileged access is, what access they have and why. Without this knowledge, they may make critical errors with their actions that contradict policies and leave backdoors in the network for attackers. If you don’t already, include PAM in your company’s security awareness training.
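As an added example (not code from this article or from any of the vendors it reviews), here is a toy just-in-time access broker in Python that models the PAM mechanics described in the introduction and in the best practices above: a least-privilege policy, credential (MFA) verification before entry, time-boxed grants, an audit trail of every decision, and a break-glass path that is granted but flagged for review. The policy, users and target systems are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy: role -> {target: allowed actions}; anything not listed is denied.
POLICY = {
    "dba": {"prod-db": {"read", "backup"}},
    "sysadmin": {"prod-db": {"read"}, "ad-dc01": {"reset-password"}},
}
@dataclass
class Grant:
    user: str
    target: str
    action: str
    expires: datetime  # JIT: the grant is time-boxed, not a standing privilege
@dataclass
class Broker:
    now: datetime
    ttl: timedelta = timedelta(minutes=30)
    audit: list = field(default_factory=list)  # every decision lands here

    def request(self, user, role, target, action, mfa_ok, break_glass=False):
        """Return a Grant or None; the decision is always written to the audit trail."""
        allowed = action in POLICY.get(role, {}).get(target, set())
        if break_glass:
            decision = "BREAK-GLASS"  # emergency path: granted, but flagged for review
        elif not mfa_ok:
            decision = "DENY-MFA"     # credential must be verified before entry
        elif not allowed:
            decision = "DENY-POLICY"  # outside the role's least-privilege scope
        else:
            decision = "ALLOW"
        self.audit.append((self.now.isoformat(), user, role, target, action, decision))
        if decision in ("ALLOW", "BREAK-GLASS"):
            return Grant(user, target, action, self.now + self.ttl)
        return None

    def is_valid(self, grant, at):
        """A grant is usable only until it expires; re-check on every use."""
        return grant is not None and at < grant.expires

def run_demo():
    """Walk the cases the article describes; returns (decisions, valid_at_10m, valid_at_45m)."""
    t0 = datetime(2022, 1, 1, 9, 0)
    b = Broker(now=t0)
    g1 = b.request("alice", "dba", "prod-db", "backup", mfa_ok=True)
    b.request("alice", "dba", "prod-db", "drop", mfa_ok=True)       # action not in policy
    b.request("bob", "sysadmin", "ad-dc01", "reset-password", mfa_ok=False)
    b.request("bob", "sysadmin", "prod-db", "backup", mfa_ok=True, break_glass=True)
    decisions = [row[-1] for row in b.audit]
    return decisions, b.is_valid(g1, t0 + timedelta(minutes=10)), b.is_valid(g1, t0 + timedelta(minutes=45))
```

The audit list is what a SIEM integration or a breach investigation would consume: the break-glass row is the one to review first, and the expired grant shows why session checks must be repeated rather than done once at login.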
Privileged Access Management market
Gartner has identified PAM solutions as a top 10 security control. They deemed it "one of the most critical security controls, particularly in today's increasingly complex IT environment." In a recent survey of IAM leaders, Gartner found that 30% have already implemented PAM solutions, with 36% planning to within the year. Another 22% plan on adopting PAM practices by 2023 or 2025. Only 13% have not included PAM in their future security developments. These figures are extremely similar for SaaS offerings, with 34% already using PAM solutions and 29% planning to adopt by 2023 or 2025.
As organizations increasingly move to cloud infrastructures, PAM solutions are increasingly offered as SaaS rather than as software, hardware appliances or virtual machine (VM) images. Gartner expects 84% of all organizations to have a SaaS-based PAM solution implemented in their security architecture by 2025, as the market continues to grow by double digits.
The push for more remote work throughout organizations, especially due to the global pandemic, leads Gartner to expect a large rise in the need for remote administration access – not just for employees but for remote vendors and contractors as well. Remote access features will likely become standard in PAM solutions in the years to come.
Updated by Devin Partida