Privileged Access Management (PAM) refers to a set of cybersecurity processes that control, secure, manage and monitor elevated privileged access to critical assets (systems, endpoints, or servers). Not only do these solutions provide secure authentication for an organization’s privileged user community and its assets, they also provide a place to store and rotate passwords for these privileged accounts. With this technology, tedious manual tasks (e.g. changing a service account’s password when an administrator leaves the organization, or after an allotted number of days has passed) are no longer necessary: they can all be automated, depending on the PAM solution you decide is best for your organization.
Examples of privileged accounts:
- Local or Domain Admin accounts – used for server management
- Domain Admin accounts – used for Active Directory user management
- SA accounts – or System Admin accounts, used for managing databases
- Root accounts – used for Unix/Linux server management
- Service accounts – used to run and manage applications, services, and scheduled tasks
Simplify the process for your privileged user community by adding Single Sign-On (SSO) technology. This lets one set of credentials get the user from their device to the PAM tool. The technology can easily be integrated with any enterprise directory platform, such as Microsoft Active Directory. Which SSO solution you choose depends on how your tool is configured for authentication, and the authentication methods that can be integrated with an SSO solution are determined by the tool’s vendor. Examples are OpenID, SAML, and OAuth for cloud applications, or password-based, Integrated Windows Authentication and header-based authentication for on-premises applications.
Additional security measures may also be included by adding or turning on a Multi-Factor Authentication (MFA) solution for your PAM solution. This adds a second, non-password factor that can be delivered to a smartphone or to a client on a device, which the privileged user must present to authenticate to the PAM tool. This means that if the privileged user’s credential is compromised, the attacker must also have access to the device receiving the MFA code in order to compromise the privileged user.
Why the need for Privileged Access management?
The answer is: to protect your organization from being a victim of a data breach. Each privileged account adds risk to the organization. When these accounts are not controlled, secured, managed, or monitored on a consistent basis, they can be compromised. PAM provides an effective way to minimize this risk. Verizon’s 2019 Data Breach Investigations Report (DBIR) provides real-world examples of what can happen.
PAM Best Practices
1. Know your privileged accounts
A source of truth that records where privileged accounts exist, and who is using them, must be in place. Its accuracy may depend on how well the system and application administrators have documented their processes. Privileged accounts can be shared with employees, consultants, automated processes, and even machines. But before you can start to secure these privileged accounts, you must know what they are.
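One way to seed that source of truth for an Active Directory environment, as an added example that is not part of the original post: the script below lists members of the privileged groups named in this article (recursively, so nested membership is not missed), treats user objects with a registered SPN as service accounts, and flags passwords older than a rotation standard. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day rotation policy that you should replace with your own.

```powershell
# Added example (not from the original post): builds a starting inventory of
# privileged accounts from Active Directory as a PAM onboarding source of truth.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 90   # assumed rotation standard; adjust to your policy
$privilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$inventory          = @()

function Get-PasswordAgeDays($account) {
    # Null when the password has never been set (or the attribute is unreadable)
    if ($account.PasswordLastSet) { (New-TimeSpan -Start $account.PasswordLastSet).Days } else { $null }
}

foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are included
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, Enabled
        $inventory += [pscustomobject]@{
            Account         = $u.SamAccountName
            Type            = "Member of $group"
            Enabled         = $u.Enabled
            PasswordAgeDays = Get-PasswordAgeDays $u
        }
    }
}

# Service accounts: user objects with an SPN typically run applications, services
# or scheduled tasks, and are often shared and rarely rotated.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet, Enabled |
    ForEach-Object {
        $inventory += [pscustomobject]@{
            Account         = $_.SamAccountName
            Type            = 'Service account (has SPN)'
            Enabled         = $_.Enabled
            PasswordAgeDays = Get-PasswordAgeDays $_
        }
    }

# Flag accounts whose password is older than the standard, or was never set,
# and write the inventory out for review and PAM onboarding.
$inventory |
    Select-Object *, @{ n = 'NeedsRotation'; e = { ($null -eq $_.PasswordAgeDays) -or ($_.PasswordAgeDays -gt $maxPasswordAgeDays) } } |
    Sort-Object Type, Account |
    Export-Csv -Path .\privileged-account-inventory.csv -NoTypeInformation
```

Local administrator accounts on individual servers and root accounts on Unix/Linux hosts are not in the directory and need a separate collection step on each host.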
2. Build policies around your privileged accounts
Each organization, department, and team has its own way of doing things. In order to better protect these privileged accounts, standard policies must be created around when and how these privileged accounts are created, used, shared and deleted.
3. Get buy-in
Your efforts in this area are only as good as those who know about them. There must be awareness of and commitment to them from every part of the organization. Training must be provided for each team that has privileged accounts. Communication is key to getting organizational buy-in.
4. Document and operationalize
Once the PAM solution is running, make sure PAM administrators document and own their processes. Documentation of installations, configurations, processes, tasks, etc. is key to making sure things are being done correctly. Documentation will also be important when issues arise or when key people transition.
The PAM journey may seem like a hard one. But keep in mind that “As long as the needle is moving in the right direction, that is progress.” If you look for perfection, it may never come. Believe in what you’re doing and work through it with what you have. Persevere and you will find the right balance.
If you’d like assistance implementing a PAM solution for your organization, please be sure to sign up for our Identity & Access Management (IAM) Modernization Assessment. Let us assess your IAM Program with a proven approach that guarantees success in about 2 weeks. You’ll gain strategic direction and learn the necessary steps to strengthen, mature and modernize your Identity Management Program.