Privileged Access Management Solutions: Everything You Need To Know
What Is Privileged Access?
“Privileged access” refers to the elevated access permissions that IT and security admins can assign to user accounts, granting those accounts administrative levels of access to critical systems and applications.
What Is Privileged Access Management?
Most organizations group their systems into tiers according to the severity of the consequences should a system be breached or misused; the higher the tier, the more damage a breach would cause. Privileged accounts, such as domain admin accounts, are granted higher levels of permissions than standard user accounts, which gives them administrative levels of access to high-tier systems.
If a cybercriminal were to compromise a privileged account by stealing or cracking its credentials, they could easily access critical business systems and applications undetected. Depending on the level of privilege of the compromised account, the attacker could even make changes to the account or to business data. This makes privileged accounts attractive targets for cybercriminals.
Despite this, many businesses don’t have adequate protection around their privileged accounts; some don’t even have visibility into which accounts have elevated privileges. This is most common amongst organizations that use multiple cloud applications, which often deploy with default admin privileges assigned. IT and security admins therefore need to be proactive in identifying privileged users and either confirming that they have only the level of access they need or removing the privileges. This process is called privileged access management.
What Are Standing Privileges?
“Standing privileges” are elevated access privileges that are always on. If a user has standing privileges, it means that they always have those privileges assigned to their account, even if they’re not currently using them. A user may not even be aware that they have those privileges. A common example of standing privilege is the “admin” account that often comes pre-made with a new laptop or desktop, or when you install a new cloud application.
The problem with standing privileges is that if an attacker were to compromise a privileged account by stealing or hacking the user’s login credentials, they would be able to use that account to access critical business resources multiple times.
The best way to eliminate standing privileges is to implement a “just-in-time” approach to elevating access privileges, which puts the “principle of least privilege” into practice. This states that IT and security admins should only grant elevated permissions when they’re needed, and only for as long as they’re needed. Once the user logs out of the system, the elevated permissions are revoked. So, if an attacker compromises an account with just-in-time privileges, they’ll only be able to use those elevated permissions once, which greatly limits the amount of damage they can do.
How Does Privileged Access Management (PAM) Software Work?
PAM software enables IT and security admins to assign, monitor, and secure privileged access to high-tier business systems and applications. This involves securely elevating privileges in line with the principle of least privilege, eliminating standing privileges, and monitoring user activity within high-tier systems.
PAM tools usually work in one of two ways to achieve this:
- The PAM solution stores privileged login credentials in a secure vault that is only accessible after identity has been verified through multi-factor authentication. This ensures that only legitimate, authorized users can access privileged credentials. Some PAM solutions give users access to the credential vault; others inject the credentials directly into the user’s login session once they’ve authenticated, so that the user never sees them. A user cannot disclose a credential they have never seen, for example in a phishing attack. In both cases, the PAM solution logs who requested access, when, from where, and for how long.
- The PAM solution offers a system by which users can submit a request for elevated privileges on-demand. The solution then notifies IT or security admins of the request, and they can grant or deny the user access on a case-by-case basis or set up automatic, role-based provisioning.
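The two mechanisms above (a time-boxed grant approved on request, and an MFA-gated vault that rotates a credential after it is checked out, with every step written to an audit record) as an added, self-contained model. This is illustrative code written for this page, not any PAM product's implementation; the `Broker` and `Grant` classes, the event field names and the sample values are assumptions.

```python
"""Toy PAM broker: just-in-time grants with a TTL, an MFA-gated credential vault
that rotates the secret after each checkout, and an audit record for every action.
(Added illustration, not a vendor's code; all names and values are constructed.)"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    system: str
    expires_at: float  # every grant is time-boxed; nothing here is a standing privilege


@dataclass
class Broker:
    vault: dict = field(default_factory=dict)   # system -> current privileged secret
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # who, what, when, from where

    def _log(self, now, **event):
        self.audit.append({"ts": now, **event})

    def approve(self, admin, user, system, ttl_seconds, now):
        """An admin approves an on-demand request; the grant expires after ttl_seconds."""
        self.grants.append(Grant(user, system, now + ttl_seconds))
        self._log(now, action="grant", admin=admin, user=user, system=system, ttl=ttl_seconds)

    def has_grant(self, user, system, now):
        return any(g.user == user and g.system == system and g.expires_at > now
                   for g in self.grants)

    def checkout(self, user, system, mfa_ok, source_ip, now):
        """Hand out the privileged secret only to an MFA-verified user with a live grant,
        then rotate the stored secret so the same one can never be checked out twice."""
        if not mfa_ok or not self.has_grant(user, system, now):
            self._log(now, action="checkout_denied", user=user, system=system, ip=source_ip, mfa=mfa_ok)
            return None
        current = self.vault[system]
        self.vault[system] = secrets.token_urlsafe(32)  # rotation: a second checkout gets a new secret
        self._log(now, action="checkout", user=user, system=system, ip=source_ip, mfa=True)
        return current

    def revoke(self, user, system, now):
        """Called at logout: all of the user's live grants on the system end immediately."""
        for g in self.grants:
            if g.user == user and g.system == system and g.expires_at > now:
                g.expires_at = now
        self._log(now, action="revoke", user=user, system=system)
```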
The best PAM tools take access management a step further by enabling admins to monitor a user’s activities during their privileged session. This can help to identify malicious activity and can also be used for compliance and auditing. The level of monitoring varies between solutions; some offer activity logs, while others offer full video recordings and keystroke monitoring.
What Are The Benefits Of Privileged Access Management?
There are numerous benefits to implementing a PAM solution:
- Secure your data. By reducing the number of accounts that have elevated privileges, a PAM solution can help you minimize the likelihood of an attacker gaining access to a privileged account using stolen credentials. This, in turn, reduces the likelihood of a data breach, or of malware or an SQL injection attack that depends on elevated privileges to do damage.
- Identify compromised accounts. PAM solutions provide greater visibility into account use, thereby making it much easier to spot an attack.
- Reduce repeat attacks. By eliminating standing privileges and rotating login credentials in between privileged sessions, PAM solutions prevent attackers from using the same credentials to access your company’s systems twice, greatly limiting the damage they can do.
- Prove compliance. PAM solutions generate reports explaining which users have elevated access privileges and for which applications. These reports should detail when those privileges are used, and what activities the user performs during a privileged session. These reports can be used to prove compliance with strict data protection regulations such as HIPAA, PCI-DSS, and SOX—all of which require that businesses apply least-privilege access policies to critical accounts containing sensitive data.
What Features Should You Look For In A PAM Solution?
The features offered by PAM solutions will vary between different products, but there are some features that any good PAM solution should offer. These include:
- Support for “just-in-time” or “zero standing privilege” (ZSP) access that only grants users the minimum level of privilege they need to carry out their task, and only for as long as they actively need it
- A credential vault that encrypts and securely stores privileged credentials
- Credential rotation after each privileged session, to prevent users (and attackers) from being able to sign into a critical system multiple times, using the same credentials
- In-built multi-factor authentication (MFA) or integrations with MFA providers, to verify users’ identities before they’re granted access to high-tier systems, and to verify admins’ identities before they sign into the PAM solution and grant other users elevated privileges
- Session tracking, either via a breadcrumb-based audit trail or full session recording, to enable IT and security admins to detect anomalous or malicious activity in real time and to prove compliance with data protection standards such as HIPAA, PCI-DSS, and SOX
- Real-time alerts that notify admins of anomalous account activity, and on-demand access requests
- In-depth reporting into privileged access across the organization, including who has access to which systems, and when a user “checks out” a password from the credential vault or is assigned elevated privileges by an admin
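The last three features (session tracking, real-time alerts, and reporting on who holds access to what) as an added example of a reporting and alerting pass over a PAM audit log. This is illustrative code written for this page, not a product's own logic; the JSON-lines event schema and the sample log are constructed assumptions.

```python
"""Reporting and alerting over a PAM audit log (added illustration; the event
schema and the sample lines below are constructed, not from any product)."""
import json
from collections import Counter, defaultdict

# Constructed sample audit log: one JSON object per line, timestamps in epoch seconds.
SAMPLE_LOG = """\
{"ts": 1000, "action": "grant", "admin": "ann", "user": "bob", "system": "db-prod", "ttl": 600}
{"ts": 1010, "action": "checkout", "user": "bob", "system": "db-prod", "ip": "10.0.0.5"}
{"ts": 1020, "action": "session_start", "user": "bob", "system": "db-prod", "ip": "10.0.0.5"}
{"ts": 1700, "action": "session_start", "user": "bob", "system": "db-prod", "ip": "10.0.0.5"}
{"ts": 1705, "action": "checkout_denied", "user": "eve", "system": "erp", "ip": "203.0.113.9"}
{"ts": 1706, "action": "checkout_denied", "user": "eve", "system": "erp", "ip": "203.0.113.9"}
{"ts": 1707, "action": "checkout_denied", "user": "eve", "system": "erp", "ip": "203.0.113.9"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def active_grants(events, now):
    """Compliance report: who currently holds elevated access to which systems."""
    report = defaultdict(set)
    for e in events:
        if e["action"] == "grant" and e["ts"] + e["ttl"] > now:
            report[e["user"]].add(e["system"])
    return {user: sorted(systems) for user, systems in report.items()}


def alerts(events, denied_threshold=3):
    """Alert on a privileged session with no live grant covering it (a standing
    privilege or a bypassed approval) and on bursts of denied checkouts."""
    out = []
    grants = [e for e in events if e["action"] == "grant"]
    for e in events:
        if e["action"] == "session_start":
            covered = any(g["user"] == e["user"] and g["system"] == e["system"]
                          and g["ts"] <= e["ts"] < g["ts"] + g["ttl"] for g in grants)
            if not covered:
                out.append(f"{e['user']} opened a session on {e['system']} at {e['ts']} without a live grant")
    denied = Counter((e["user"], e["system"]) for e in events if e["action"] == "checkout_denied")
    for (user, system), n in denied.items():
        if n >= denied_threshold:
            out.append(f"{n} denied checkouts for {user} on {system}")
    return out
```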
PAM Vs. IAM: What’s The Difference?
Identity and access management (IAM) and privileged access management are similar, but not the same. IAM is a series of tools and processes (such as multi-factor authentication and single sign-on) that are used to verify and authorize users across an entire organization. These processes enable IT and security teams to decide who can access what, from which locations, when, and how. In IAM, the verification process usually takes place when a user first signs into their user account. A user’s credentials (including alternative authentication factors) are used to verify their identity.
PAM, on the other hand, is a subset of IAM that focuses solely on privileged users who need to access more sensitive data. In PAM, verification takes place when a user tries to access a specific resource. And while PAM solutions often include MFA as a means of verifying users before they can be granted elevated privileges, PAM ultimately bases its identity validation on attributes, rather than credentials.
Why Do You Need A PAM Solution?
There are two key use cases for investing in a PAM solution. First and foremost is to prevent account takeover attacks caused by credential theft. Credential theft, as the name suggests, is when a bad actor steals a user’s login information to gain unauthorized access to that user’s account, often undetected by security teams. There are two main methods by which an attacker can steal someone’s credentials:
- They send their target a spearphishing email, in which they pose as a trusted source, such as a colleague, and trick their target into sending them their credentials. For example: “Hi Kate, I’ve forgotten the password to the shared OneDrive, could you ping it over when you get the chance? Thanks!”
- They program a computer to crack their target’s password, starting with the most commonly used passwords and then working through every possible combination until it finds the right one. This is known as a brute force attack.
Once an attacker has successfully stolen their target’s credentials, they can use them to log into their corporate accounts, performing what’s known as an “account takeover” attack. From here, they can access corporate data, install malware on the user’s device, or carry out further internal attacks to gain access to higher-level systems.
Privileged accounts are a prime target for account takeover attempts; in the last two years, over a third of identity-related breaches involved the compromise of privileged accounts.
PAM solutions mitigate the risk of account takeover by requiring that all users authenticate themselves in two or more ways before they’re granted privileged access. This means that, even if an attacker manages to steal a user’s password, they won’t be able to verify their identity to log in.
The second key use case for implementing a PAM solution is to achieve compliance. Many compliance standards, including HIPAA, PCI DSS, FISMA and SOX, require that organizations apply least-privilege access policies to high-tier systems to ensure the security of sensitive data such as payment information or personal health information.
But there are two sides to compliance: first, actually being compliant, and second, being able to prove your compliance. PAM solutions not only enable organizations to enforce least-privilege access policies, but also prove that they’re doing so by generating reports of user activity in relation to accessing sensitive data. Some solutions even provide recordings of privileged session activity, making it possible for security teams to create a comprehensive audit trail and state with confidence exactly who is accessing which data, and what they’re using it for.