a good thing!
Privileged access management is a top cybersecurity priority for enterprises. According to Gartner, "nearly every successful security breach involves a failure of privileged access management (PAM)." While PAM isn't something we offer here at Ping, we recognize it as an important part of any security strategy and work with multiple partners to help put these critical controls into place. Read on to learn more about PAM and its importance.
Privileged access refers to the access or power granted to certain users above that of standard users to protect access to systems and sensitive data. Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure. Privileged access can be granted to human users or programmed applications. Types of privileged accounts include:
Privileged accounts with the broadest abilities are known as superuser accounts. They have unrestricted capabilities, including the ability to implement system changes, access all files and directories, install software and delete data.
Here is a quick explanation of terms you may encounter and how they compare to privileged access management.
Privileged accounts are high-value targets for cybercriminals. "In 85% of the privileged credential theft instances, cybercriminals were able to access critical systems and/or data," a recent study by ThycoticCentrify found. In addition to outside bad actors stealing credentials, company insiders were found abusing administrative privileges to illegitimately access critical resources.
Standard user accounts have limited access when access controls are in place. Privileged accounts provide access to the most sensitive and mission-critical parts of the enterprise, which is why privileged account management is so important in preventing internal and external bad actors from compromising your organization. PAM can be used to disable multiple attack vectors, protecting against internal and external attacks.
Privileged access management is used in conjunction with identity and access management (IAM) solutions, which will be discussed in more detail below. IAM requires users to authenticate and prove they are who they claim to be before access is granted to resources, with risk-based multi-factor authentication adding layers of security.
Privileged access management solutions reduce the risk and scope of security breaches. Privileged users keep your organization running smoothly, from upgrading services to overseeing IAM solutions to making sure domains are protected for DDoS attacks. Having that type of access and power over your network is why privileged user accounts are such attractive targets for bad actors. Taking over superuser accounts, with unlimited power to execute commands and make system changes, has the greatest potential for exploitation and abuse.
Top benefits of PAM include:
PAM serves as a deterrent to bad actors and can improve insights into vulnerabilities, network inventory and identity governance. Restricting access to key resources, systems and processes to privileged accounts increases accountability and helps reduce the risk of downtime.
By limiting privileges to a minimal number of people, processes, and applications, bad actors have fewer attack vectors. For example, malware often requires privileged access to install or execute. Should an attack occur, a PAM solution lets you quickly audit privileged accounts, see where changes were made, and identify compromised applications and processes.
Privileged access management helps create a more compliant, audit-friendly environment. Many regulations require least privilege access policies to ensure proper data stewardship and systems security, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Regular review of every user and account with privileged access, including third-party contractors, reduces the risk of security breaches. If role-based access control is used, make sure new users are added to privileged accounts and former employees and/or contractors are quickly removed.
Privileged access management solutions offer the ability to monitor, report and record privileged access activity. This allows administrators to keep track of privileged access and identify where it may be being misused. Administrators should be able to easily identify anomalies and potential threats so that they can take immediate action to limit damage. Ideally, the PAM solution will have an in-built alert system to bring any unexpected activity to an administrator's attention.
Privileged access management operates on the principle of least privilege, so even privileged users are only allowed access to what they need. Privileged access management tools are elements of the wider PAM solution designed to target and address various challenges involved in monitoring, protecting and managing privileged accounts.
PAM tools can be used to:
Manage credential sharing across services to limit exposure.
Let's start with what they have in common. Identity and access management (IAM) and privileged access management (PAM) work together to secure an enterprise's resources. Both PAM and IAM limit access to resources using the principle of least privilege, where permission is limited to only those resources needed by that user. For example, IAM access controls can ensure sales teams are able to access CRM systems, but not the HR department's confidential personnel files. PAM controls help ensure a local administrator does not have access to the same resources as a superuser account. Both IAM and PAM also help eliminate the need to manually on-board and off-board users with automated provisioning. Just-in-Time (JIT) privileges serve as an additional layer of security by granting access only for a specific purpose and/or for a limited period of time.
According to IBM's Cost of a Data Breach Report 2021, "The most common initial attack vector, compromised credentials, was responsible for 20% of breaches at an average breach cost of USD 4.37 million." Enterprises need solutions that protect all users from having their compromised credentials used, including privileged administrators of critical infrastructure, data and applications. Organizations are moving to the Zero Trust approach to security, where you should trust no one and verify everyone, especially users with privileged access. Both IAM and PAM are part of the Zero Trust security approach.
Identity and access management (IAM) is a security framework that allows organizations to authenticate users and control their access rights. IAM solutions are available for an enterprise's customers, workforce and partners. While its capabilities are broad in scope, IAM typically refers to authorization and authentication, including:
Privileged access management (PAM) focuses on privileged users to monitor and control their access to servers, cloud applications and APIs, DevOps, databases, directories and other resources.
The combination of privileged access management and identity and access management makes your enterprise more secure. PAM and IAM share a role in supporting and protecting each other. IAM helps provide seamless, secure access for privileged users. PAM solutions help secure the credentials for IAM administrators and privileged users. Users are first authenticated using single sign-on, then multi-factor authentication is applied given the sensitive nature of these users' access requests, which protects the privileged accounts.
Adhering to best practices allows you to protect your systems and get the most out of your PAM solution. Gartner lists its four pillars of PAM as follows:
Those pillars can be broken down into the following PAM best practices:
To learn more about Ping's identity and access management (IAM) solutions that can be used in conjunction with our partner's privileged account management (PAM) solutions, please read What is Identity and Access Management (IAM)?