Privileged access management (PAM), sometimes referred to as privileged account management, is the process of assigning, monitoring, and securing administrative-level access to critical business systems and applications. It also encompasses monitoring the activities carried out by privileged users once logged into those systems.
Most organizations tier their systems according to the severity of the consequences should a system be breached or misused; the higher the tier, the more damage a breach would cause. Privileged accounts, such as domain admin accounts, are granted higher levels of permission than standard user accounts, giving them administrative access to high-tier systems.
If a cybercriminal were to compromise a privileged account by stealing or cracking its credentials, they could easily access critical business systems and applications undetected. Depending on the level of privilege of the compromised account, the attacker could even make changes to the account or to business data. This makes privileged accounts attractive targets for cybercriminals.
Despite this, many businesses lack adequate protection around their privileged accounts; some don't even have visibility into which accounts hold elevated privileges. This is most common in organizations that use many cloud applications, which are often deployed with default admin privileges still assigned. IT and security admins therefore need to be proactive in identifying privileged users and either trimming their access to what the role requires or removing the privileges altogether.
PAM solutions help IT and security admins to monitor and secure privileged access by enabling them to grant “just-in-time” access to high-tier systems. That means that users are only granted elevated permissions for as long as they need them to do their job. Once signed out of the high-tier system, the permissions are revoked. These permissions can also be time restricted; a user will have access for a set length of time before having to seek renewed permission. This protects critical business systems against unauthorized access and encourages better governance in line with data protection regulations.
In this article, we’ll explore the top ten PAM solutions. We’ll look at features such as password management, multi-factor authentication, real-time notifications, session activity monitoring, and reporting. We’ll also give you some background information on the provider and recommend which type of customer they are best suited to.
JumpCloud’s Open Directory Platform™ securely connects privileged users to critical systems, applications, files and networks, and gives administrators visibility into and control over privileged accounts. It enforces strong authentication, allowing administrators to require Multi-Factor Authentication (MFA) before access is granted, and is natively integrated with single sign-on (SSO), so admins can set granular policies governing which resources privileged accounts and individual users can reach with their identity.
The JumpCloud Open Directory Platform also features robust password and SSH key management that allows administrators to set granular password complexity controls for privileged accounts, and to receive alerts for approaching expiries and brute-force attempts against these accounts.
JumpCloud’s device management capabilities let administrators prompt privileged users to rotate their passwords at specified intervals; the new password is then propagated automatically across all of the user’s macOS, Windows, and Linux devices, reducing the risk from static passwords, credential phishing, and other techniques used to target privileged users.
JumpCloud is used by over 180,000 organizations worldwide and is consistently ranked as a top solution by customers. The solution is highly scalable and flexible, and can serve as an organization’s core directory or integrate with an existing directory such as Google Workspace or Azure AD. The platform has a full suite of identity, access, and device management capabilities that enable organizations to monitor and manage privileged and standard identities from a single console. We recommend JumpCloud to enterprises of all sizes looking for an efficient and easy-to-use solution for privileged access management.
Heimdal™ is a cybersecurity provider with a wide range of solutions that offer protection against today’s most prevalent cyberthreats at every layer, including email, endpoint, application, web, and identity. Heimdal™’s security products can all be deployed via one platform and agent, enabling organizations leveraging Heimdal™ to gain in-depth insights into their entire threat landscape from a single, unified pane of glass. Heimdal™ Privileged Access Management is their PAM solution designed to simplify the process of securing user access to privileged accounts, while proactively remediating identity-related threats.
With Heimdal™ Privileged Access Management, admins can log into the intuitive, desktop- and mobile-compatible dashboard to assign permissions according to Active Directory roles, remove local admin rights, live-cancel admin rights, set escalation periods, log sessions, and approve or deny privilege escalation requests – or create approval workflows to automate that process. The dashboard also offers granular reporting functionality, enabling admins to generate reports into privileged account use, including average escalation duration, which users or files were escalated, and what actions were carried out during the session.
This data can be used to support forensic incident analysis, as well as to demonstrate compliance with controls such as NIST SP 800-53 AC-1, AC-5 and AC-6. Heimdal™’s PAM solution also proactively remediates threats to privileged accounts by automatically ending privileged sessions when a threat is detected on the user’s device, limiting the spread of malware and stopping attackers from accessing sensitive corporate data stored in high-tier systems.
Heimdal™ Privileged Access Management deploys in the cloud, which enables it to offer high levels of scalability and allows admins to log in at any time, from anywhere. The solution integrates seamlessly with Heimdal™’s other solutions, making it particularly suitable for their existing customers. However, we’d also recommend Heimdal™ PAM to any-sized organization looking for an easy way to manage and automate their privilege escalation processes, as well as monitor the activities of privileged users while they access high-tier systems.
StrongDM is a Dynamic Access Management platform designed to provide secure, auditable access for users within both legacy and modern digital infrastructures. Adaptable for cloud, modern databases, and ephemeral resources, the StrongDM platform enables organizations to implement just-in-time (JIT) or Zero Standing Privilege (ZSP) access, which reduces static, standing credentials and enhances overall security.
With StrongDM, admins assign users temporary elevated permissions based on their roles or through automated workflows, without having to manage unique credentials for every user. This “credential leasing” system injects the login credentials into a user’s session automatically; the credential is never revealed to the end user, so it cannot be disclosed by the user, whether through phishing or carelessness. The platform also offers protection against brute-force credential theft by automatically locking user accounts after five failed login attempts; accounts are unlocked after five minutes to minimize disruption for legitimate users. StrongDM also supports the enforcement of multi-factor authentication and single sign-on on client sessions via integrations with identity providers such as Duo.
Admins can configure custom time-outs for client sessions and idle periods. Finally, the platform offers session recordings, and all actions within StrongDM—including user authentication, queries, and permission changes—are logged in a tamper-proof repository for compliance and auditing purposes. These logs can also be used for incident investigation.
StrongDM offers robust integrations with a broad range of databases, applications, and systems, including on-prem and cloud services. This helps speed up the deployment process, whilst ensuring that businesses can secure user access across their entire infrastructure. In terms of support, all customers receive access to the StrongDM Support Portal, and customers on the basic support tier can access email and video support between 9am-8pm EST Mon-Fri. Premium support offerings include 24/7/365 email and video support with a 1-hour first-response SLA, custom deployment plans, and quarterly instructor-led training to help you get the most out of the platform.
Senhasegura is a PAM provider that helps companies implement strict and complex controls on access to privileged credentials in an automated and centralized manner. The solution effectively safeguards IT infrastructure from data breaches and potential compliance breaches and is equipped to meet compliance requirements such as LGPD, GDPR, PCI DSS, SOX, NIST, HIPAA, ISO 27001, and ISA 62443.
With its Scan Discovery feature, Senhasegura can map and identify all assets connected to the environment and their respective credentials, including digital certificates. The solution allows for the mapping and integration of devices, credentials, containers, playbooks, digital certificates, and SSH keys. Once assets are identified, administrators can configure access groups and define which users may be granted password-based access or remote access through the solution. This granularity in access control makes Senhasegura a highly customizable PAM solution and allows it to align with complex security policies. Senhasegura also offers a range of security features, including remote session recording, SSH key management, behaviour analysis, approval workflows, and threat analysis. These capabilities ensure only authorized, authenticated users are granted privileged access, and they enable admins to monitor user activities in real time so they can respond efficiently to any suspicious actions.
Senhasegura is available on various platforms, including physical hardware (Dell OEM Appliance), virtual machines, on-premises environments, customer’s cloud, multi-cloud, and as a Software-as-a-Service (SaaS) offering. This flexibility allows companies to select the best deployment option to suit their specific business requirements and IT infrastructure. Overall, we recommend Senhasegura as a comprehensive, secure PAM solution for any sized organization looking to secure access to critical business systems.
BeyondTrust is a market-leading vendor in privileged access management. They offer a range of solutions that deliver high levels of visibility and security across endpoint, server, cloud, DevOps and network device environments. Privileged Remote Access is BeyondTrust’s solution for managing and auditing internal and third-party remote privileged access, without the need for a VPN. It’s designed to enable employee productivity, no matter their location, whilst keeping bad actors from accessing critical business systems.
Privileged Remote Access stores passwords in a secure vault hosted either in the cloud or on a BeyondTrust appliance. Alternatively, the solution integrates with BeyondTrust’s Password Safe, which is delivered as software. Both options enable BeyondTrust’s credential injection capabilities, which securely inject credentials from the vault directly into a session, so users never handle or expose credentials during sign-in. The solution also features strong monitoring capabilities, with tracking and auditing accessible in a single interface. Admins can set authorization and notification preferences to receive alerts when a user is accessing Privileged Remote Access. These notifications are also remote-worker-friendly, so admins can approve access requests and monitor usage on their mobile devices from any location. Comprehensive audit trails and session forensics allow IT teams to review and monitor privileged account use, as well as generate reports to prove compliance.
Privileged Remote Access features desktop consoles for Windows, Mac and Linux. It also allows privileged users to access critical systems via a web-based console or a mobile app for privileged access anytime, anywhere. This makes it a strong PAM solution for any organization with remote workers who need to access privileged systems.
Symantec, the cybersecurity services unit of global software manufacturer and supplier Broadcom, is a market-leading producer of enterprise data loss prevention (DLP), endpoint protection and web security solutions. Symantec Privileged Account Management (PAM) is their PAM solution designed to help organizations more easily monitor and govern access to high-tier corporate accounts, in order to reduce the risk of credential-related breaches and ensure compliance with industry standards such as PCI-DSS.
Symantec PAM stores all privileged credentials—including root and admin passwords, and SSH keys—in a secure vault. Users must verify their identities via two-factor authentication before they’re granted access to the vault, and credentials are automatically rotated as per admin-configured policies to ensure compliance with data protection standards and help prevent breaches as a result of using standing credentials. Symantec PAM continuously monitors the activity of privileged users, applying machine learning techniques to compare current actions to historical actions in order to identify suspicious or anomalous behavior. Admins can configure automatic remediation of such behaviors to help limit the lateral spread of attacks throughout the network. Finally, the platform captures audit data from each privileged session, linking all activities to a named user and storing that data in an encrypted vault, where it can be used for auditing and compliance, or used as forensic evidence of risky behaviors. Admins can also choose to video record all privileged sessions for the same purposes.
We recommend Symantec Privileged Account Management for mid- to large organizations looking to implement a PAM solution to help prevent credential-related breaches and lateral account compromise attacks. The platform is also well suited to businesses already leveraging Symantec’s other security technologies, as they would benefit from ease of integration and a unified overview of their security tools.
CyberArk holds one of the largest shares of the PAM market, offering enterprise-level, policy-driven solutions that allow IT teams to secure, manage and record privileged account activities. Their Core Privileged Access Security (PAS) solution provides multi-layered access security for privileged accounts, and comes with over 500 “out of the box” integrations. Centralized management and reporting gives admins a clear insight into who is accessing critical systems, and why.
Core PAS scans the network continuously to discover privileged accounts and privileged access. IT teams can choose to validate discovered accounts by adding them to a queue for review, or automatically onboard and rotate their credentials according to company policy. Credentials for accessing critical assets are isolated in a secure vault, helping to prevent credential exposure. From the central management console, IT teams can choose to record and audit privileged sessions within an encrypted repository. Recordings include video playback, so admins can view specific activities and keystrokes and monitor them for suspicious activity. If suspicious behavior is detected, Core PAS automatically suspends or terminates the privileged session based on the level of risk. Automatic credential rotation on suspension or termination ensures that bad actors or compromised insider accounts can’t regain access to the system.
CyberArk also offers an Advanced version of Core Privileged Access Security, which adds centrally managed granular access controls for least-privilege server protection and network monitoring for threats to domain controllers. Both of these modules integrate fully with the Core solution. CyberArk’s solution comes with on-premises, cloud and SaaS deployment options, making it suitable for all organizations, no matter their state of cloud transition. We recommend Core Privileged Access Security for any enterprise looking for a trusted, flexible PAM solution.
Delinea, a cybersecurity provider born of the 2021 merger between Thycotic and Centrify, is a specialist in providing enterprise-level access management solutions. Secret Server is Delinea’s privileged access management tool, designed to help organizations monitor, manage and secure access to their most sensitive corporate databases, applications, hypervisors, security tools and network devices. Secret Server offers a range of powerful security features as well as robust session monitoring and auditing tools, to help businesses protect company data against account takeover attacks and ensure compliance with data protection regulations.
Secret Server stores all privileged credentials in an encrypted, centralized vault that users can only access via a two-factor authentication process. Once verified, users can only view the passwords they need to be able to do their job, as assigned by admin-configured access controls. From a centralized management portal, admins can provision and deprovision privileges for just-in-time access, as well as configure policies for password complexity and credential rotation. This eliminates weak and static passwords, reducing the risk of password theft. Admins can also set up a custom workflow to delegate access requests, including for third parties. Powerful session recording capabilities enable organizations to monitor privileged activities, both to ensure compliance and to detect the source of any fraudulent or suspicious activity.
Secret Server is available to deploy on-prem or in the cloud via two packages: the Professional package offers an encrypted password vault with AD integration, auditing and reporting, and CRM, SAML and HSM integrations; the Platinum package offers all of the above, plus approval workflows, Unix protection, advanced scripting and disaster recovery. Overall, Delinea’s Secret Server is a strong solution for enterprises looking to secure and centrally manage access to their critical systems, accounts and applications, both to prevent account takeover attacks and to ensure compliance with federal and industry data protection standards.
ManageEngine, a division of Zoho Corporation, provides IT management software and cybersecurity solutions that enable organizations to optimize, integrate, and secure their IT processes for ease of management and increased visibility. PAM360 is their enterprise PAM solution, which combines access management with automation, transparent policy creation, robust integrations, and compliance readiness, including reporting for NIST, PCI-DSS, FISMA, HIPAA, SOX, and ISO/IEC 27001. PAM360 is currently trusted by over 5,000 organizations and government agencies to secure privileged access to critical systems, applications, and services.
PAM360 automatically discovers and onboards privileged users, accounts, and resources, enabling admins to immediately identify standing privileges across their network. Once onboarded, admins can set up just-in-time access, with least-privilege workflows for automated access provisioning. These workflows can be role-, attribute-, and policy-based. The platform stores all privileged credentials (including non-human credentials such as machine, application, service, and script identities) in a secure credential vault that employs AES-256 encryption and role-based access. Finally, the platform offers full audit trails, real-time session recording, and session shadowing which, with support from AI- and ML-driven anomaly detection, enable admins to identify anomalous user activity that could indicate account compromise.
PAM360 also offers robust integrations with ManageEngine’s other IT management and cybersecurity tools, making it easier for IT and security teams to secure their access provisioning and gain deeper insights into access events across the network from a single place. This makes it well-suited to ManageEngine’s existing customers. Overall, we recommend ManageEngine’s PAM360 to any sized organization, and—thanks to its robust session monitoring and auditing capabilities—particularly those that must comply with strict data protection regulations, such as healthcare, government, and financial services organizations.
Okta is a leading provider of cloud-based identity and access management solutions that enable organizations to secure user access to company accounts, applications, and systems. Okta Privileged Access is their PAM solution that enables organizations to secure, monitor, and govern privileged access across their on-prem, cloud, and multi-cloud environments. The solution is available as part of Okta’s wider Workforce Identity and Access Management platform, which also offers adaptive MFA, SSO, identity governance and administration (IGA), and lifecycle management.
Okta Privileged Access enables IT and security teams to implement least privilege access across all company resources via customizable access request workflows, which must be approved before elevated access permissions are granted. The platform also automatically discovers and imports all local privileged account passwords, then stores them in a secure vault to help admins manage and reduce backdoor access. As well as enabling admins to monitor access, Okta Privileged Access also allows them to monitor privileged session activity, with session capture for all SSH and RDP sessions and audit reports to help meet compliance requirements.
Because of its position within a wider platform, Okta Privileged Access enables organizations to eliminate silos between their IAM, IGA, and PAM tools. This in turn allows them to offer users a seamless, universal login experience. The platform also gives IT and security admins a single pane of glass through which they can maintain access governance across their entire infrastructure, reducing human error and alert fatigue. Overall, we recommend Okta Privileged Access to mid-market organizations and larger enterprises looking for a PAM tool as part of a wider workforce identity and access management solution, with in-built MFA and SSO.
One Identity is a provider of identity-centric security solutions designed to reduce organizations’ attack surface from internal and external threats. All of One Identity’s PAM products are available as modules or as an integrated package, so that customers can build new capabilities onto their existing measures. Their Safeguard solution allows organizations to secure, control and audit privileged accounts for the entire duration of the session. It features powerful auto discovery and provisioning capabilities, which make it easy for admins to monitor and address suspicious or unauthorized behavior.
With One Identity’s Safeguard solution, users can access their privileged and non-privileged resources from a single account, which reduces the risk of error in provisioning access. This also eases help desk workloads by automating the granting of privileged credentials according to the user’s role. Privileged accounts are stored in a secure vault, with centralized authentication and SSO for added protection and efficiency. Safeguard uses machine learning to analyze user activity both at the time of access and throughout the session. It also records keystrokes, mouse movement and windows viewed in order to detect unauthorized use of critical business systems and increase accountability. Admins can review these recordings remotely and search them like a database for specific events across sessions. They can also be used for governance and compliance purposes.
Safeguard enables admins to configure the level of authentication required from each user, from requiring full credentials through to limiting access with granular delegation for just-in-time or least-privileged access. This ensures security without compromising on employee productivity. Safeguard’s powerful recording and analysis tools make this a strong PAM solution for larger enterprises looking for more control over privileged activities.
Privileged Access Management Solutions: Everything You Need To Know
What Is Privileged Access?
“Privileged access” refers to the elevated access permissions that IT and security admins can assign to user accounts, that give those accounts administrative levels of access to high-tier systems and applications.
What Are Standing Privileges?
“Standing privileges” are elevated access privileges that are always on. If a user has standing privileges, it means that they always have those privileges assigned to their account, even if they’re not currently using them. A user may not even be aware that they have those privileges. A common example of standing privilege is the “admin” account that often comes pre-made with a new laptop or desktop, or when you install a new cloud application.
The problem with standing privileges is that if an attacker compromises a privileged account by stealing or cracking the user’s login credentials, they can use that account to reach critical business resources repeatedly, for as long as the compromise goes unnoticed.
The best way to eliminate standing privileges is a “just-in-time” approach to elevating access, which is one way of applying the “principle of least privilege”: IT and security admins grant elevated permissions only when they are needed, and only for as long as they are needed. Once the user logs out of the system, the elevated permissions are revoked. So, if an attacker compromises an account with just-in-time privileges, the elevated permissions they obtain are confined to the currently approved window, which greatly limits the damage they can do.
How Does Privileged Access Management (PAM) Software Work?
PAM software enables IT and security admins to assign, monitor, and secure privileged access to high-tier business systems and applications. This involves securely elevating privileges in line with the principle of least privilege, eliminating standing privileges, and monitoring user activity within high-tier systems.
PAM tools usually work in one of two ways to achieve this:
- The PAM solution stores privileged login credentials in a secure vault that is only accessible after identity has been verified through multi-factor authentication. This ensures that only legitimate, authorized users can access privileged credentials. Some PAM solutions give users access to the credential vault, others inject the credentials directly into the user’s login session once they’ve authenticated, so that they never see the credentials. This prevents users from exposing credentials in a phishing attack. In both cases, the PAM solution logs who requested access, when, from where, and for how long.
- The PAM solution offers a system by which users can submit a request for elevated privileges on-demand. The solution then notifies IT or security admins of the request, and they can grant or deny the user access on a case-by-case basis or set up automatic, role-based provisioning.
The best PAM tools take access management a step further by enabling admins to monitor a user’s activities during their privileged session. This can help to identify malicious activity and can also be used for compliance and auditing. The level of monitoring varies between solutions; some offer activity logs, while others offer full video recordings and keystroke monitoring.
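The two patterns above (a vault gated by MFA with credential injection, and an on-demand request that an admin approves) fit together in a single just-in-time broker. The Python below is an added illustration written for this page, not any vendor's code; the event names, the HMAC-based one-time code standing in for a real MFA factor, and the sample accounts are assumptions. It also shows the rotation after each session and the audit record that the sections on standing privileges and session tracking describe.

```python
"""Minimal just-in-time (JIT) privileged-access broker, written as an added
example for this page. Not a vendor's code: names, event types, the HMAC-based
one-time code used as a stand-in MFA factor, and the sample data are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


def mfa_code(secret: bytes, now: float) -> str:
    """Six-hex-digit code over the current 30-second window (illustrative stand-in
    for RFC 6238 TOTP or a hardware factor)."""
    window = int(now // 30).to_bytes(8, "big")
    return hmac.new(secret, window, hashlib.sha256).hexdigest()[:6]


@dataclass
class Lease:
    user: str
    account: str
    expires_at: float


@dataclass
class Broker:
    vault: dict[str, str]            # account -> current secret (never shown to users)
    entitlements: dict[str, set]     # user -> accounts that user may request
    mfa_secrets: dict[str, bytes]    # user -> shared MFA secret
    now: Callable[[], float] = time.time   # injectable clock so tests can age leases
    audit: list[dict] = field(default_factory=list)
    leases: dict[str, Lease] = field(default_factory=dict)  # opaque token -> lease

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self.now(), "event": event, **fields})

    def request(self, user: str, account: str, code: str,
                approver: Optional[str] = None, ttl: int = 600) -> Optional[str]:
        """Check entitlement, verify MFA, then issue a time-limited lease token once an
        approver has signed off. Every outcome is written to the audit log."""
        if account not in self.entitlements.get(user, set()):
            self._log("denied", user=user, account=account, reason="not-entitled")
            return None
        expected = mfa_code(self.mfa_secrets.get(user, b""), self.now())
        if not hmac.compare_digest(expected, code):
            self._log("denied", user=user, account=account, reason="mfa-failed")
            return None
        if approver is None:
            self._log("pending-approval", user=user, account=account)
            return None
        token = secrets.token_urlsafe(16)
        self.leases[token] = Lease(user, account, self.now() + ttl)
        self._log("granted", user=user, account=account, approver=approver, ttl=ttl)
        return token

    def with_session(self, token: str, connect: Callable[[str, str], object]):
        """Credential injection: the secret is handed to the protocol handler
        (think SSH/RDP client), never returned to the requester. The lease is
        single-use and the target secret is rotated when the session ends, so a
        copy taken during the session is worthless afterwards."""
        lease = self.leases.get(token)
        if lease is None or lease.expires_at <= self.now():
            self.leases.pop(token, None)
            self._log("refused", reason="no-valid-lease")
            return None
        self._log("session-open", user=lease.user, account=lease.account)
        try:
            return connect(lease.account, self.vault[lease.account])
        finally:
            del self.leases[token]
            self.vault[lease.account] = secrets.token_urlsafe(24)   # rotate
            self._log("session-closed-rotated", user=lease.user, account=lease.account)


if __name__ == "__main__":
    seed = b"alice-seed"   # constructed sample data
    broker = Broker(vault={"root@db01": "initial-secret"},
                    entitlements={"alice": {"root@db01"}},
                    mfa_secrets={"alice": seed})
    tok = broker.request("alice", "root@db01", mfa_code(seed, time.time()), approver="bob")
    # The connector stands in for the client that actually opens the session.
    print(broker.with_session(tok, lambda acct, pw: f"connected to {acct}"))
    print(broker.with_session(tok, lambda acct, pw: "again"))   # None: lease consumed
    for entry in broker.audit:
        print(entry)
```

The connector callback is the important design choice: the requester supplies the code that opens the connection, but only the broker ever touches the secret, which is what makes the leased credential unusable to a phisher. Rotating in `finally` means the secret is replaced even if the session raises.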
What Are The Benefits Of Privileged Access Management?
There are numerous benefits to implementing a PAM solution:
- Secure your data. By reducing the number of accounts that hold elevated privileges, a PAM solution makes it less likely that an attacker with stolen credentials lands on a privileged account. That in turn reduces the likelihood of a data breach, and of malware that needs elevated privileges to install, persist, or spread achieving its goal.
- Identify compromised accounts. PAM solutions provide greater visibility into account use, thereby making it much easier to spot an attack.
- Reduce repeat attacks. By eliminating standing privileges and rotating login credentials in between privileged sessions, PAM solutions prevent attackers from using the same credentials to access your company’s systems twice, greatly limiting the damage they can do.
- Prove compliance. PAM solutions generate reports showing which users have elevated access privileges and for which applications. These reports should detail when those privileges are used, and what activities the user performs during a privileged session. They can be used to demonstrate compliance with strict data protection regulations such as HIPAA, PCI-DSS, and SOX, all of which expect access to sensitive data to be restricted to those who need it.
What Features Should You Look For In A PAM Solution?
The features offered by PAM solutions will vary between products, but there are some features that any good PAM solution should offer. These include:
- Support for “just-in-time” or “zero standing privilege” (ZSP) access that only grants users the minimum level of privilege they need to carry out their task, and only for as long as they actively need it
- A credential vault that encrypts and securely stores privileged credentials
- Credential rotation after each privileged session, to prevent users (and attackers) from being able to sign into a critical system multiple times, using the same credentials
- In-built multi-factor authentication (MFA) or integrations with MFA providers to verify users’ identities before they’re granted access to high-tier systems, and to verify admins’ identities before they sign into the PAM solution and grant other users elevated privileges
- Session tracking either via a breadcrumb-based audit trail or full session recording, to enable IT and security admins to detect anomalous or malicious activity in real-time and prove compliance with data protection standards such as HIPAA, PCI-DSS, and SOX
- Real-time alerts that notify admins of anomalous account activity, and on-demand access requests
- In-depth reporting into privileged access across the organization, including who has access to which systems, and when a user “checks out” a password from the credential vault or is assigned elevated privileges by an admin
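Session tracking and alerting only pay off if someone actually runs rules over the trail. The Python below is an added example for this page, not any vendor's detection logic; it runs three checks a security-operations team would want over a PAM audit log: a session opened with no approved grant behind it, a burst of failed credential checkouts from one source, and a session that outlives its approved lease. The JSON-lines records are constructed for the example and the field names are assumptions.

```python
"""Detection rules over a PAM audit trail, added for this page as an example of
the session-tracking and alerting features listed above. Not any vendor's code:
the JSON-lines records are constructed and the field names are assumptions."""
import json
from collections import defaultdict, deque

# Constructed sample: one normal session, one session with no grant behind it,
# a burst of failed checkouts from a single source, and a session that outlives
# its approved lease.
SAMPLE_LOG = """\
{"ts": 1000, "event": "granted", "user": "alice", "account": "root@db01", "approver": "bob", "ttl": 600}
{"ts": 1005, "event": "session-open", "user": "alice", "account": "root@db01", "src": "10.0.1.5"}
{"ts": 1100, "event": "session-close", "user": "alice", "account": "root@db01"}
{"ts": 1200, "event": "session-open", "user": "carol", "account": "admin@fw01", "src": "10.0.1.9"}
{"ts": 1300, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 1310, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 1320, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 1330, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 1340, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 1350, "event": "checkout-failed", "user": "dave", "account": "root@db02", "src": "198.51.100.7"}
{"ts": 2000, "event": "granted", "user": "erin", "account": "sa@erp", "approver": "bob", "ttl": 300}
{"ts": 2010, "event": "session-open", "user": "erin", "account": "sa@erp", "src": "10.0.2.3"}
{"ts": 2500, "event": "session-close", "user": "erin", "account": "sa@erp"}
"""


def parse(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def detect(events, fail_threshold=5, fail_window=60):
    """Return findings in time order.

    Rules:
      session-without-grant   a session opened with no unexpired approved grant for
                              that (user, account): a standing privilege or a bypass
                              of the request workflow
      brute-force             fail_threshold failed checkouts from one (user, source)
                              inside fail_window seconds
      session-outlived-lease  a session still open after its grant expired, i.e.
                              revocation on expiry was not enforced
    """
    findings = []
    grant_expiry = {}                 # (user, account) -> ts at which the grant expires
    failures = defaultdict(deque)     # (user, src) -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["account"])
        if e["event"] == "granted":
            grant_expiry[key] = e["ts"] + e["ttl"]
        elif e["event"] == "session-open":
            expiry = grant_expiry.get(key)
            if expiry is None or expiry < e["ts"]:
                findings.append({"rule": "session-without-grant", "user": e["user"],
                                 "target": e["account"], "ts": e["ts"]})
        elif e["event"] == "session-close":
            expiry = grant_expiry.get(key)
            if expiry is not None and e["ts"] > expiry:
                findings.append({"rule": "session-outlived-lease", "user": e["user"],
                                 "target": e["account"], "ts": e["ts"]})
        elif e["event"] == "checkout-failed":
            recent = failures[(e["user"], e.get("src"))]
            recent.append(e["ts"])
            while recent[0] < e["ts"] - fail_window:   # drop failures outside the window
                recent.popleft()
            if len(recent) == fail_threshold:           # fire once, as the threshold is crossed
                findings.append({"rule": "brute-force", "user": e["user"],
                                 "target": e.get("src"), "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The sliding window fires exactly once as the fifth failure arrives rather than on every subsequent attempt, which keeps the alert volume proportional to incidents rather than to attacker persistence; the lease-expiry rule is the check that tells you whether "permissions are revoked on expiry" is actually enforced by the tool or only promised by it.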
PAM Vs. IAM: What’s The Difference?
Identity and access management (IAM) and privileged access management are related, but not the same. IAM is a set of tools and processes (such as multi-factor authentication and single sign-on) used to authenticate and authorize users across an entire organization. These processes let IT and security teams decide who can access what, from which locations, when, and how. In IAM, verification usually takes place when a user first signs into their account, using their credentials and any additional authentication factors.
PAM, on the other hand, is a subset of IAM that focuses solely on privileged users and the sensitive systems they reach. In PAM, a further check takes place each time a user requests a specific privileged resource. PAM solutions often use MFA to re-verify the user before elevating privileges, but the decision to grant a privileged session rests on contextual attributes as well: the user’s role, the target resource, the requested duration, and whether an approval workflow has signed off, rather than on the user’s credentials alone.