Privileged accounts pose a serious security problem. Anyone who has access to one has the potential to use those administrative privileges to harm your organization in a number of ways, such as altering data, deleting or downloading databases, or creating unauthorized new administrative accounts.
The security risk is not just a theoretical one: Recent security breaches at companies such as Uber, Tesla and Timehop all involved the misuse of privileged account credentials, and in the case of Timehop, led to the loss of 21 million users’ personal information. Privileged access credentials were used by Timehop’s attacker to create a new administrative user account at the company’s cloud service provider, and used that new account to conduct further reconnaissance activities in the cloud environment, which ultimately led to the data breach.
What is PAM?
To address this security risk, Privileged Access Management (PAM) solutions enable you to manage and monitor privileged accounts and the people who have permanent authority to access them. They also provide a secure way to give your staff or third-party contractors temporary, controlled access to privileged accounts, without the need to provide them with an account password that they could reuse at a later date or share with unauthorized parties.
Identity and access management (IAM) solutions control access to user accounts; PAM solutions control access to critical administrative accounts. The PAM market is smaller than the IAM market but growing at a much faster rate. Markets and Markets expects the PAM market to grow at a 33% compound rate for the next few years, reaching $3.8 billion in 2021.
Cloud-based infrastructure and applications are a key driver for companies implementing PAM solutions, because a significant proportion of cloud security breaches are caused by failure to control privileged accounts effectively. But today the overwhelming majority of PAM solutions manage access to local systems running in corporate data centers.
Privileged Access Management benefits
The key benefit of implementing a PAM solution is the reduction in the risk of a security breach, including a breach caused by an insider, and the associated costs of such a breach.
For example, with a suitable PAM solution in place, it becomes possible to provide access in a much more secure fashion to shared accounts, including:
- all system-defined default accounts, such as the Active Directory administrator, used by system administrators, and
- “firecall” accounts intended for after-hours support, which may be used by system and database administrators and application developers.
In general, a major problem with these types of shared accounts is that if there is no way to store or communicate passwords securely, they are bound to be compromised, presenting a serious cybersecurity risk.
There is also usually no way of knowing who is using a shared account at a particular time, so there is no audit trail and no user record to merge with event logs, and therefore no accountability.
And even if some sort of secure system for controlling shared passwords is in place, the time delays it can cause may have serious negative consequences for productivity. In emergency situations, time wasted accessing passwords before problems can be mitigated or dealt with could be extremely costly.
A PAM solution can help solve all these problems, leading to better security, a better audit trail if a breach does occur, and much more flexibility in providing privileged access securely to those who need it when they need it.
Increasingly, PAM solution vendors are integrating machine learning and predictive analytics systems into their products to provide privileged access profiling and real-time anomaly detection. If implemented effectively, this should provide another layer of security protection by detecting and flagging suspicious privileged account activity or suspicious privileged user access.
A PAM security solution can also help an organization to:
- comply with regulatory and audit requirements
- prevent or limit malware attacks that take advantage of privileged accounts
- make it quicker and easier for administrators to access privileged accounts
- provide secure privileged access to third parties such as contractors, vendors, or cloud service provider engineers.
How does a PAM solution work?
A typical privileged account management system offers a number of features to control access to key accounts:
- Discovering all instances of privileged accounts (both user and application) so they can be managed
- Creating procedures and workflows for obtaining privileged access, including requiring multifactor authentication for privileged access. PAM solutions may provide the multifactor mechanism or integrate with existing multifactor authentication solutions
- Making passwords available on-demand to applications, thus eliminating the need for hard-coded ones
- Storing privileged account passwords securely and allowing them to be “checked out” when needed and “checked back in” when the need for that specific account access is finished
- Changing passwords automatically, either periodically, or after each use, or when a particular user leaves the company or no longer needs access to a specific account (perhaps because their role has changed)
- Controlling and filtering the privileged actions that administrators can execute, depending on their role
- Monitoring and recording privileged access sessions, commands, and actions for audit and forensic purposes
- Enforcing least privilege policies on endpoints
PAM vs IAM
Privileged Access Management and Identity and Access Management (IAM) are closely related because both are used to control users and their access to accounts, so both can be thought of as access management systems.
But while PAM solutions are concerned with administrative users and accounts, IAM focuses on standard users (such as general employees and customers).
More specifically, IAM controls standard users’ access to applications, while PAM solutions control how administrators and other privileged users connect to the role-based accounts they need to do their jobs. These are often default accounts that exist on systems or applications, and which persist even after a particular individual leaves an organization or moves to another role.
The emergence of zero trust security tools
One emerging trend is the rise of zero trust security products. These new access control tools restrict access to just the data and applications users need rather than granting them access to the broader network, reducing the risk of lateral movement within the network. The market is still new, but Gartner expects sales of these products to begin to gain traction in 2021. PAM tools are likely to evolve to include zero trust principles, rather than being replaced by newer zero trust tools.
PAM use cases
All organizations have privileged accounts, including shared accounts, because you can’t run IT infrastructure and systems without people with the necessary privileges to do system-level tasks.
These may include:
- Personal accounts with full, permanent privileges
- Personal accounts with full (or restricted) temporary privileges
- Personal accounts with limited, temporary privileges
- Default application or device accounts that are shared and used by different administrators when the need arises.
The first two types are intended for full-time system administrators, while the third type of account with limited, temporary privileges is intended for application developers and database administrators who may need to access specific systems for a defined task or period of time. The shared accounts are likely to be used by administrators working on a specific database or other application.
Let’s imagine that a developer in your organization needs privileged access to a specific application. A PAM solution can grant that user limited administrator privileges:
- by privilege (for example, by regulating the commands available)
- by scope (by resources or systems, perhaps)
- by time (either by providing privileges for a fixed time period or by time windows)
The developer may also need access to a shared application account. In that case, the PAM solution can generate a password for the account that only that developer knows.
While the developer is using the privileged account, all of his or her actions are monitored and logged. On completion, the developer logs out and the password immediately expires, preventing them from sharing the password or accessing the account again without permission from an appropriate authority.
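To make the check-out / check-in workflow just described (and the vault, rotation and audit features listed under "How does a PAM solution work?") concrete, here is an added Python sketch of a shared-account vault; it is illustration code written for this article, not code from the original page or from any PAM vendor. It restricts check-out by role and time window, records every step in an audit trail that can be merged with event logs, and rotates the password on check-in or when a grant lapses, so the value the developer saw cannot be reused or shared. All class, method and account names are assumptions.

```python
import secrets

# Hypothetical PAM-style vault (added illustration, not any product's API).
class SharedAccountVault:
    def __init__(self, account, allowed_roles):
        self.account = account
        self.allowed_roles = set(allowed_roles)
        self._password = secrets.token_urlsafe(24)  # current secret; never written to the log
        self._grant = None                           # (user, expires_at) while checked out
        self.audit = []                              # who did what, when: mergeable with event logs

    def _log(self, user, event, now):
        self.audit.append({"ts": now, "user": user, "account": self.account, "event": event})

    def _rotate(self, user, now):
        self._password = secrets.token_urlsafe(24)   # the value the holder saw is now useless
        self._grant = None
        self._log(user, "password_rotated", now)

    def check_out(self, user, role, ttl_seconds, now):
        """Release the current password to one named user for a fixed time window."""
        if role not in self.allowed_roles:           # scope: only approved roles
            self._log(user, "checkout_denied_role", now)
            raise PermissionError(f"role {role!r} may not use {self.account}")
        if self._grant is not None:
            if self._grant[1] > now:                 # still held by someone else
                self._log(user, "checkout_denied_busy", now)
                raise RuntimeError(f"{self.account} is checked out by {self._grant[0]}")
            self._rotate(self._grant[0], now)        # grant lapsed without check-in: rotate first
        self._grant = (user, now + ttl_seconds)      # time: fixed period
        self._log(user, "checkout", now)
        return self._password

    def verify(self, presented, now):
        if self._grant is None or now >= self._grant[1]:   # usable only inside an active grant
            return False
        return secrets.compare_digest(presented, self._password)

    def check_in(self, user, now):
        self._log(user, "checkin", now)
        self._rotate(user, now)                      # rotate immediately: no reuse, no sharing

def demo(t0=1_700_000_000.0):
    """Constructed walk-through: a developer checks out, works, checks in."""
    vault = SharedAccountVault("app_dba", {"dba", "developer"})
    pw = vault.check_out("dev1", "developer", ttl_seconds=3600, now=t0)
    during = vault.verify(pw, now=t0 + 600)
    vault.check_in("dev1", now=t0 + 1200)
    after = vault.verify(pw, now=t0 + 1300)
    return during, after, [e["event"] for e in vault.audit]
```

A real deployment would also push the rotated password to the target system and tie check-out to MFA; those steps are left out here to keep the control flow visible.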
How to choose a PAM solution
For companies looking to acquire a PAM solution, Gartner’s Market Guide for Privileged Access Management offers the following advice:
- Shop around: Pricing and feature bundling are highly variable between vendors. Plan for the next three years in terms of systems and functionality covered
- Look for integrated high-availability features, built-in multifactor authentication (MFA) and value-priced bundled offerings if you are a small to midsize business
- Scrutinize vendors’ offerings for MFA integration support, scalability and auto-discovery features if you are a large and global organization
- Evaluate vendors on how they can help secure nonhuman service and application accounts — these accounts are major sources of operational and security risk, and most organizations have a significant number of them
- Look for solutions that enable you to deploy session recording as soon as possible, because this capability will add accountability and visibility for privileged activity. Include this capability as part of your selection process
The PAM solutions market is maturing and consolidating rapidly, resulting in a high level of M&A activity, including:
- CyberArk acquiring Conjur
- Thycotic acquiring Cyber Algorithms
- CA Technologies (now part of Broadcom) acquiring Mobile System 7
- Bomgar acquiring Lieberman Software and BeyondTrust (the combined entity is now called BeyondTrust)
Other leading PAM vendors include:
- Centrify
- IBM
- Micro Focus
- One Identity