Privileged access management (PAM), or privileged account management, is a security measure that allows organizations to control and monitor the activity of privileged users, including their access to key business systems and what they’re able to do once logged in. Most organizations order their systems in tiers according to the severity of the consequences should the system be breached or misused. Privileged accounts, such as domain admin and networking equipment accounts, provide administrative levels of access to high-tier systems, based on higher levels of permissions. Privileged access management vendors offer solutions that help administrators to monitor access to critical business resources and ensure that these high-tier systems remain secure. This extra security layer protects critical business systems, but also encourages better governance and compliance with data regulations.
Verizon’s 2020 Data Breach Investigations report found that over 80% of hacking breaches involve brute force of the use of lost or stolen credentials, and a recent study by Centrify found that 74% of data breaches involved access to a privileged account. It’s absolutely crucial that organizations keep login credentials secure, particularly for high-tier, high-risk systems. PAM solution vendors provide this security by storing the login credentials of privileged administrative accounts in a secure repository, reducing the risk of those credentials being stolen. To gain access to these credentials, users have to go through an authentication process, which logs that they’ve accessed the account. This process allows organizations clear visibility into who is accessing which account and from where, which in turn helps them to monitor any suspicious or potentially malicious activity, both internal and external.
In this article, we’ll explore the top ten privileged access management solutions designed to secure an organization’s critical systems. We’ll look at features such as password management and multi-factor authentication, role-based security, real-time notifications and robust reporting. We’ll give you some background information on the privileged access management vendors and the key features of the solutions themselves, as well as the type of customer that they are most suitable for.
JumpCloud’s Open Directory Platform™ securely connects privileged users to critical systems, applications, files and networks. JumpCloud delivers comprehensive visibility and control to privileged accounts. It enforces strong authentication that enables administrators to require Multi-Factor Authentication (MFA) before access is granted and is natively integrated with our single sign-n (SSO) capabilities that admins can set granular policies that govern what resources that privileged accounts and individuals users can access with their identity.
The JumpCloud Open Directory Platform also features robust password and SSH Key management that allows administrators to set granular controls for password complexity for privileged accounts, and receive alerts for approaching expiries and brute force attempts against these accounts.
JumpCloud’s device management capabilities enable administrators to notify privileged users to rotate password at specified intervals that then automatically updates passwords and access across all of their MacOS, Windows, and Linux devices, reducing the risk from static passwords, credential phishing, and other techniques used to target privileged users.
JumpCloud is used by over 180,000 organizations worldwide and is consistently ranked as a top solution by customers. The solution is highly scalable and flexible, and can serve as an organization’s core directory or by integrating with an organization’s existing directory such as Google Workload and Azure AD. The platform has a full suite of identity, access, and device management capabilities that enable organizations to monitor and manage privileged and standard identities all from a single console. We recommend JumpCloud to enterprises of all sizes who are looking for an efficient and easy to use solution for privileged access management.
Heimdal™ is a cybersecurity provider with a wide range of solutions that offer protection against today’s most prevalent cyberthreats at every layer, including email, endpoint, application, web, and identity. Heimdal™’s security products can all be deployed via one platform and agent, enabling organizations leveraging Heimdal™ to gain in-depth insights into their entire threat landscape from a single, unified pane of glass. Heimdal™ Privileged Access Management is their PAM solution designed to simplify the process of securing user access to privileged accounts, while proactively remediating identity-related threats.
With Heimdal™ Privileged Access Management, admins can log into the intuitive, desktop- and mobile-compatible dashboard to assign permissions according to Active Directory roles, remove local admin rights, live-cancel admin rights, set escalation periods, log sessions, and approve or deny privilege escalation requests – or create approval workflows to automate that process. The dashboard also offers granular reporting functionality, enabling admins to generate reports into privileged account use, including average escalation duration, which users or files were escalated, and what actions were carried out during the session.
This data can be used to support forensic incident analysis, as well as to prove compliance with standards such as NIST AC-5 and NIST AC-1,6. Heimdal™’s PAM solution also proactively remediates threats to privileged accounts by automatically ending privileged sessions when a threat is detected on the user’s device, preventing the spread of malware and stopping attackers from access sensitive corporate data stored in high-tier systems.
Heimdal™ Privileged Access Management deploys in the cloud, which enables it to offer high levels of scalability and allows admins to log in at any time, from anywhere. The solution integrates seamlessly with Heimdal™’s other solutions, making it particularly suitable for their existing customers. However, we’d also recommend Heimdal™ PAM to any-sized organization looking for an easy way to manage and automate their privilege escalation processes, as well as monitor the activities of privileged users while access high-tier systems.
ARCON’s risk-management solutions are designed to secure data and safeguard privacy through predicting risk situations, protecting organizations against those risks and preventing them from progressing into incidents. ARCON | Privileged Access Management (PAM) allows enterprise security teams to secure and manage the entire lifecycle of their privileged accounts. It protects privileged credentials from the exploits of compromised insider attacks and third-party cybercrime.
ARCON | PAM features a secure password vault that automates frequent password changes. The vault generates and stores strong, dynamic passwords, which can only be accessed by authorized users. Users must go through multi-factor authentication (MFA) in order to access the vault. ARCON offers native software-based one-time-password (OTP) validation to verify users’ identities, and this tool integrates with third-party authentication solutions should an organization want to build layers of authentication around the vault. The security of MFA allows ARCON | PAM to run single sign-on (SSO) access to all critical systems without users having to share their credentials. This makes the sign-on process more efficient, whilst protecting critical data from the threat of password breaches. Finally, all privileged access is just-in-time, which reduces the threat surface by favouring access as needed over standing privileges.
Advanced session monitoring allows admins complete insight as to who is using the privileged access environment and why, which enables faster risk mitigation. ARCON | PAM also provides a complete audit trail of privileged activities, as well as reports and analytics of the results, via the solution’s reporting engine. This allows managers and auditors to assess the organization’s compliance status as needed.
On top of the solution itself, ARCON offers 24/7 support to all of its clients as a base support offering, and they don’t differentiate between tiers for technical support. ARCON | PAM is also highly scalable. For these reasons, though using enterprise-level technology, we recommend ARCON | PAM for any sized organization looking for a robust PAM solution.
BeyondTrust is a market-leading vendor in privileged access management. They offer a range of solutions that deliver high levels of visibility and security across endpoint, server, cloud, DevOps and network device environments. Privileged Remote Access is BeyondTrust’s solution for managing and auditing internal and third-party remote privileged access, without the need for a VPN. It’s designed to enable employee productivity, no matter their location, whilst keeping bad actors from accessing critical business systems.
Privileged Remote Access stores passwords in a secure cloud-based on-appliance vault. Alternatively, this solution integrates with BeyondTrust’s Password Safe, which is delivered as software. Both options enable BeyondTrust’s credential injection capabilities, which allow BeyondTrust to securely inject credentials from the vault directly into a session. This means that users don’t expose credentials at any point during sign in. The solution also features strong monitoring capabilities, with tracking and auditing capabilities all accessible in a single interface. Admins can set authorization and notification preferences to receive alerts when a user is accessing Privileged Remote Access. These notifications are also remote worker-friendly, so that admins can approve access requests and monitor usage on their mobile devices from any location. Comprehensive audit trails and session forensics allow IT teams to review and monitor privileged account use, as well as generate reports to prove compliance.
Privileged Remote Access features desktop consoles for Windows, Mac and Linux. It also allows privileged users to access critical systems via a web-based console or a mobile app for privileged access anytime, anywhere. This makes it a strong PAM solution for any organization with remote workers who need to access privileged systems.
Bravura Security delivers easily deployable, user-friendly identity, entitlement and credential governance solutions. Their solutions enable organizations to strengthen internal controls and harden their network security, as well as lower their operating costs by offering cloud deployment and management. Bravura Privilege, their PAM solution, secures privileged users, applications and services. Highly scalable, it supports over a million password changes every day across the world.
Bravura Privilege randomizes passwords and stores them in an encrypted vault that requires users to verify their identities before they’re able to access them. The solution enforces pre-authorized, one-time access so that users have just-in-time access to critical accounts, and can’t stay signed in when they don’t need to be. Login extensions are launched automatically through a browser extension, and all access requests and sessions are logged with video capture and keylogging. This allows admins full visibility into privileged account activities. Bravura Privilege uses special agent-based application fingerprinting and automatically rotates one-time keys to eliminate shared and static credentials, reducing the risk of a breach due to credential theft. The solutions also logs all user access cases, creating strong accountability and allowing admins visibility into who’s accessing which systems.
Bravura Privilege simplifies the challenge of coordinating password changes and access to shared accounts across multiple platforms. It can integrate with all clients, servers, hypervisors, guest operating systems, databases and applications, and can be deployed on-premises or in the cloud. This versatile solution provides strong access management for any enterprise looking to secure a large number of privileged accounts.
Symantec, the cybersecurity services unit of global software manufacturer and supplier Broadcom, is a market-leading producer of enterprise data loss prevention (DLP), endpoint protection and web security solutions. Symantec Privileged Account Management (PAM) is their PAM solution designed to help organizations more easily monitor and govern access to high-tier corporate accounts, in order to reduce the risk of credential-related breaches and ensure compliance with industry standards such as PCI-DSS.
Symantec PAM stores all privileged credentials—including root and admin passwords, and SSH keys—in a secure vault. Users must verify their identities via two-factor authentication before they’re granted access to the vault, and credentials are automatically rotated as per admin-configured policies to ensure compliance with data protection standards and help prevent breaches as a result of using standing credentials. Symantec PAM continuously monitors the activity of privileged users, applying machine learning techniques to compare current actions to historical actions in order to identify suspicious or anomalous behavior. Admins can configure automatic remediation of such behaviors to help limit the lateral spread of attacks throughout the network. Finally, the platform captures audit data from each privileged session, linking all activities to a named user and storing that data in an encrypted vault, where it can be used for auditing and compliance, or used as forensic evidence of risky behaviors. Admins can also choose to video record all privileged sessions for the same purposes.
We recommend Symantec Privileged Access Management for mid- to large organizations looking to implement a PAM solution to help prevent credential-related breaches and lateral account compromise attacks. The platform is also well suited to businesses already leveraging Symantec’s other security technologies, as they would benefit from ease of integration and a unified overview of their security tools.
CyberArk holds one of the largest shares of the PAM market, offering enterprise-level, policy-driven solutions that allow IT teams to secure, manage and record privileged account activities. Their Core Privilege Access Security (PAS) solution provides multi-layered access security for privileged accounts, and comes with over 500 “out of the box” integrations. Centralized management and reporting gives admins a clear insight as to who is accessing critical systems, and why.
Core PAS scans the network continuously to detect privilege access. IT teams can choose to validate access attempts by adding them to a queue, or automatically rotate accounts and credentials based on the company’s policies. Credentials for accessing critical assets are isolated in a secure vault, helping to prevent credential exposure. From the central management console, IT teams can choose to record and audit privileged sessions within an encrypted repository. Recordings include video playback, so admins can view specific activities and keystrokes and monitor them for suspicious activity. If suspicious behavior is detected, Core PAS automatically suspends or terminates the privileged session based on the level of risk. Automatic credential rotation on suspension or termination ensures that bad actors or compromised inside account can’t re-gain access to the system.
CyberArk also offers an Advanced version of their Core Privileged Access Security, which includes centrally managed granular access controls for least privilege server protection and network monitoring for threats to domain controllers. Both of these modules integrate fully with the Standard solution. CyberArk’s solution comes with on-premises, cloud and SaaS deployment options, making it suitable for all organizations, no matter their state of cloud transition. We recommend Core Privileged Access Security for any enterprise looking for a trusted, flexible PAM solution.
Delinea, a cybersecurity provider born of the 2020 merger between Thycotic and Centrify, is a specialist in providing enterprise-level access management solutions. Secret Server is Delinea’s privileged access management tool, designed to help organizations monitor, manage and secure access to their most sensitive corporate databases, applications, hypervisors, security tools and network devices. Secret Server offers a range of powerful security features as well as robust session monitoring and auditing tools, to help businesses protect company data against account takeover attacks and ensure compliance with data protection regulations.
Secret Server stores all privileged credentials in an encrypted, centralized vault that users can only access via a two-factor authentication process. Once verified, users can only view the passwords they need to be able to do their job, as assigned by admin-configured access controls. From a centralized management portal, admins can provision and deprovision privileges for just-in-time access, as well as configure policies for password complexity and credential rotation. This eliminates weak and static passwords, reducing the risk of password theft. Admins can also set up a custom workflow to delegate access requests, including for third parties. Powerful session recording capabilities enable organizations to monitor privileged activities, both to ensure compliance and to detect the source of any fraudulent or suspicious activity.
Secret Server is available to deploy on-prem or in the cloud via two packages: the Professional package offers an encrypted password vault with AD integration, auditing and reporting, and CRM, SAML and HS integrations; the Platinum package offers all of the above, plus approval workflows, Unix protection, advanced scripting and disaster recovery. Overall, Delinea’s Secret Server is a strong solution for enterprises looking to secure and centrally manage access to their critical systems, accounts and applications, both to prevent account takeover attacks and to ensure compliance with federal and industry data protection standards.
Foxpass Privileged Access Management automates server and network access, protecting critical business systems whilst reducing the strain on an IT team’s resources. It is designed to integrate seamlessly with any systems that an organization already has in place, including cloud mail systems and existing SSO solutions, so that customers can set up their protection in just a few minutes.
Foxpass Privileged Access Management offers self-service SSH Key and password management with MFA and password rotation. Admins can set password requirements within an easy-to-use interface. The solution also offers a full API that allows admins to automate server access control, change user information, and manage group memberships. The API logs authentication requests so that admins have clear visibility into who is accessing critical systems, and these logs can also be used as proof of compliance. Cloud-hosted LDAP and RADIUS allow Foxpass PAM to provide single sign-on across an organization’s entire application stack, reducing the need for passwords. Admins can also enable MFA at this level for added security, and logging for LDAP and RADIUS requests for automated threat detection and response.
Foxpass’ PAM solution offers enterprise-grade security but is highly scalable and available both on-prem or in the cloud. It also integrates seamlessly with existing third-party products such as Google Workspace, Microsoft 365, and Okta. Customers praise Foxpass for their 24/7 technical support, particularly their live video support calls. Because of this, we recommend Foxpass Privileged Access Management as a strong solution for any sized organization looking for user-friendly PAM security that’s easy to integrate and deploy.
One Identity is a provider of identity-centric security solutions designed to reduce organizations’ attack surface from internal and external threats. All of One Identity’s PAM products are available as modules or as an integrated package, so that customers can build new capabilities onto their existing measures. Their Safeguard solution allows organizations to secure, control and audit privileged accounts for the entire duration of the session. It features powerful auto discovery and provisioning capabilities, which make it easy for admins to monitor and address suspicious or unauthorized behavior.
With One Identity’s Safeguard solution, users can access their privileged and non-privileged resources from a single account, which removes the risk of error in provisioning access. This also reduces the strain on help desk workloads, automating the process of granting privileged credentials according to the user’s role. Privileged accounts are stored in a secure vault for enhanced security, with centralized authentication and SSO for added protection and increased efficiency. Safeguard uses machine learning to analyze user activity both at the time of access and throughout the session. It also records keystrokes, mouse movement and windows viewed in order to detect unauthorized use of critical business systems and increase accountability. Admins can review these recordings remotely and search them like a database for specific events across sessions. They can also be used for governance and compliance purposes.
Safeguard enables admins to configure the level of authentication required from each user, from requiring full credentials through to limiting access with granular delegation for just-in-time or least-privileged access. This ensures security without compromising on employee productivity. Safeguard’s powerful recording and analysis tools make this a strong PAM solution for larger enterprises looking for more control over privileged activities.
What Is Privileged Access?
“Privileged access” refers to elevated access permissions that admins can assign to user accounts to grant them administrative levels of access to business-critical systems and applications.
Because privileged accounts can access such sensitive company data, they’re attractive targets for cybercriminals who want to steal that data.
Unfortunately, many businesses don’t have adequate protection in place to secure their privileged accounts—and many don’t even have true visibility into which accounts have elevated access privileges. This is commonly the case amongst organizations that use a multiple cloud service tools and applications. These apps often come with default admin privileges assigned on deployment, meaning that admins need to be more proactive when it comes to access management.
If an attacker were to hack into a user account with elevated privileges that wasn’t being proactively monitored, they could easily access critical company data undetected. Depending on the level of privileges that this account had access to, the attacker could access sensitive data or even make changes across accounts.
What Is PAM Software?
Privileged access management software, also called privileged account management software, enables businesses to monitor and control privileged access. This includes the ability to securely elevate user privileges in line with the principle of least privilege, eliminating standing privileges, and monitoring user activity in within high-tier accounts.
The principle of least privilege states that authorized users should only ever be granted the minimum access privileges they need to do their job. These elevated privileges should be revoked as soon as the user has finished their task. This is also known as granting “just-in-time” privilege, and it reduced the risks associated with standing privileges. It is much more secure to have this process time-based and automated, as this reduces the chances that any privileges will remain outstanding.
Standing privileges are privileges that are continuously assigned to a user account, granting that user constant access to the systems associated with those privileges. If a user account has standing privileges to access a payroll application, for example, they will be able to access that application whenever they want to, unhindered. This also means that, if an attacker were to access that user’s account, they’d be able to log into that payroll application multiple times without fear of being caught.
How Do PAM Tools Work?
PAM solutions usually work in one of two ways.
- They store the login credentials of privileged accounts in a secure vault that users can only access once they’ve verified their identity using multi-factor authentication. This ensures that only legitimate, authorized users can access privileged credentials. As it does this, their access will be noted in a log that monitors identity and contextual factors such as time, duration, and location.
- They give admins a system by which users can request elevated privileges on-demand, and admins can easily grant or deny that access on a case-by-case basis or set up automated provisioning.
The best PAM solutions then record a user’s activities during their privileged session. Some do this as an activity log, others provide a full video recording of each privileged session. This can be used for compliance and auditing, or to identify malicious activity.
What Are The Benefits Of Using A PAM Solution?
There are some key reasons why you should use privileged access management or privileged account management software:
- Minimize your attack surface. By reducing the number of accounts with elevated privileges and revoking privileged credentials after a user’s privileged session has ended, you’re preventing an attacker from accessing privileged accounts using stolen credentials. This means that you’re more likely to identify a case of privileged account compromise, as you’ll have greater visibility into privileged account use. This can help prevent account takeover attacks. This type of attack involves an attacker signing in and changing the login details of that account. This locks out the authentic user and makes the attacker the account owner. It can also help prevent sophisticated malware attacks, such as SQL injections, which require elevated privileges to run.
- Limit the damage an attacker can do. By rotating privileged credentials after a privileged session has finished, you’re preventing attackers from being able to log into a critical system twice. Even if they do manage to get their hands on a set of login details using brute force, they cannot gain access once the session has ended. This greatly limits the damage they’re able to do and the amount of data they can steal.
- Prove compliance. PAM solutions generate reports into which users have privileged access permissions, which applications they apply to, when they are used, and what they do within those applications. PAM solutions also log all user activities within privileged sessions—some solutions even provide video recordings of each session. This data can be used to prove compliance with strict data protection regulations such as HIPAA, PCI-DSS, and SOX—all of which require that businesses apply least-privilege access policies to critical accounts containing sensitive data.
The best PAM vendors help you maximise the benefits of their solution by enabling you to automate and secure the process of assigning and revoking elevated privileges and giving you the tools to monitor user activity within critical systems.