Privileged identity management is a security solution used to control, manage, monitor, and audit the access rights of privileged identities for crucial resources within an organization. Specifically designed to help IT teams enforce granular controls and strict governance, privileged identity management solutions are used to mitigate the security risks that are inherent with elevated access.
Privileged identities and accounts can be found and tracked with privileged identity management. In an enterprise environment, privileged identities include service accounts, database accounts, passwords, SSH keys, and digital signatures.
Privileged identity management provides safeguards allowing superuser accounts, which have historically been poorly monitored and maintained, to use their access privileges securely and effectively. IT administrators can be given safe, controlled access to important IT resources to align security initiatives with identity and access management (IAM) solutions. In addition, privileged identity management makes it possible to secure superuser access without manual processes.
Why use privileged identity management?
The drivers for using privileged identity management vary based on each organization’s nuances. The following are several commonly cited reasons why privileged identity management is included in the security ecosystem.
- Allows just-in-time privileged access to resources
- Assess eligibility for membership or ownership of groups
- Centralizes provisioning and storage for privileged accounts
- Contains cyber attacks
- Discovers all privileged accounts in an organization across all platforms, systems, devices, and applications
- Drives the enforcement of the principle of least privilege
- Enables privileges to be temporarily assigned and revoked when no longer needed
- Enforces role-based, granular authorization policies for privileged accounts
- Facilitates access reviews to ensure users still need roles
- Forces the use of strong password policies
- Makes it possible to provide time-bound access to resources using start and end dates
- Offers download audit history for internal and external audits
- Protects cloud and containerized systems
- Provides reporting and auditing of security-critical events (e.g., access requests, changes to permissions and configurations, and login/logout events)
- Satisfies continuously changing regulatory requirements
- Sends notifications when privileged roles are activated
- Supports access governance restrictions
- Tracks and monitors all activity associated with privileged accounts (e.g., who accessed them, when they were accessed, and what was done when they were accessed)
How privileged identity management works
Privileged identity management is used differently depending on the organization’s requirements. However, there are five basic steps that most organizations use; these steps demonstrate how privileged identity management works.
- Provisioning roles
Create privileged roles that are associated with specific sets of permissions. An example of a role created as part of provisioning is a database administrator who is granted elevated access privileges for particular databases or a pool of databases. - Activating users in roles
Once roles have been created using privileged identity management, identities can be authorized to assume a role or request authorization to assume a role. PIM can be used to define which identities are authorized to assume privileged roles. Assignments or requests for assignment can be reviewed automatically based on pre-defined approval workflows. - Approving or denying access requests
Following pre-defined workflows, privileged identity management checks requests for access to confirm that the user has the necessary authorization or rights to assume the privileged role. If the requirements are met, the user’s credentials are injected into the user session, granting them access. If the approval workflow fails, the request is denied, and a security incident is recorded in the log files as audit records. - Revocation or extension of privileges
When the authorized session period ends, privileged identity management can automatically revoke time-restricted privileges. The session is automatically terminated at the end of the period or when the user logs out, whichever comes first. If a session requires more time, the user can make a request. - Monitoring and auditing
Most privileged identity management solutions provide session replay, monitoring, and auditing functionality. This allows authorized IT administrators to track the usage of privileged users to ensure proper usage and identify unusual behavior that could be signs of cybercriminal activity. The session replays capabilities to facilitate investigations that require in-depth reviews.
Additional privileged identity management features and functions include:
- Controlling access for users and superusers
- Restricting access to least privilege
- Reducing the potential attack surface
- Increasing visibility over users
- Recording privileged user’s rights and the justification for them
- Preventing orphaned accounts
- Monitoring sessions and providing relevant alerts related to upgrades, changes, and other changes to IT infrastructure, as well as any data transfers
- Stopping malicious software from running unchecked
- Strengthening authentication by enforcing policies
Five main phases for implementing privileged identity management:
- Create policies to govern privileged accounts that include:
- How highly privileged accounts will be controlled
- What rights and restrictions apply to the users of these accounts
- Develop a management model that:
- Establishes processes for policy enforcement
- Designates who is accountable for ensuring that policies are followed
- Document all privileged user accounts and create an inventory that details:
- Who or what the user is
- When privileged access was granted
- Terms of privileged access—to what and for how long
- Establish procedures for privileged account management, including how to handle:
- Provisioning
- Deprovisioning
- Revocation of access
- Monitoring usage
Privileged identity management roles
With privileged identity management, two types of roles can be assigned—active and eligible. An active identity has persistent access based on authorizations.
Eligible identities can activate and terminate access based on when they require it to perform privileged functions. For active and eligible roles, privileged identity management enables access start and end times to be applied to the role assignment. If a role expires, it can be renewed by an authorized administrator (i.e., a superuser).
Permanent roles
- Permanent active
- Permanent eligible
Time-restricted roles
- Time-restricted active, with specified start and end dates for assignment
- Time-restricted eligible, with specified start and end dates for assignment
Functions that privileged identity management provides administrators
Key functions that privileged identity management provides to enable privileged users to control, manage, and monitor users’ access to crucial resources within an organization include the following.
Extend access to resources for time-restricted users
Authorized IT administrators commonly use this function to support the access requirements of short-term employees or contractors. This capability allows authorized IT admins to provide access for the duration of their time with the organization (e.g., six months or a year).
When the time limit is reached, the identity is deactivated, and all access is terminated. If the contract or term of employment is extended, an authorized IT administrator can adjust the access period accordingly. Privileged identity management can also be used to provide limited access to non-humans (e.g., Internet of Things (IoT) devices and applications).
Generate privileged access reports
With privileged identity management, it is easy for authorized IT administrators to generate privileged access reports. This is a requirement for most compliance audits, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), and for internal security audits.
Provide “just-in-time” access
In cases where a user (e.g., users, applications, devices, or systems) requires one-time or short-term privileged access, privileged identity management enables just-in-time access. This is helpful for various use cases, including audits, troubleshooting, and forensic analysis.
View access privilege history
Privileged identity management creates logs of all activities associated with privileged users. This makes it possible to quickly look back and find out exactly what was done by which user at what time. This is of particular help for security forensics teams when they work to determine the source of a cyber attack or a data breach.
Privileged identity management enables authorized IT administrators to ascertain what privileges were granted to which users and when; this can inform optimization and mitigation tactics to avoid future issues.
Privileged identity management terminology
The following terminology relates to privileged identity management; the definitions provided are in terms of IT nomenclature.
Privilege
Privilege is the authority to access sensitive information on or change network or computer configurations. It can be assigned to human and non-human users. Privilege levels can be scaled based on need and authorizations.
Privileged
Privileged is the adjective used to describe people or things with privileges, such as privileged accounts and privileged users. When privileged is appended to a noun, it means that it has a higher level of access than average. For instance, IT administrators have privileged accounts.
Privileged account
A privileged account can be assigned to a human or a non-human. These accounts exist primarily to allow IT teams to manage applications, software, and servers.
However, privileged accounts are sometimes granted to other users, such as to applications that need to access sensitive databases or to finance teams that need to access sensitive information. Some privileged accounts created for IT administrators include highly elevated access rights that allow them to manage an environment or specific software or hardware. These are considered superuser accounts.
For instance, a superuser IT account may be able to configure servers, firewalls, and cloud storage. Other superusers may be granted broad privileges for Windows servers (e.g., Windows administrators) or printer configuration (e.g., help desk staff).
Privileged identity
Privileged identity refers to pre-built accounts that have elevated access. These are included in most operating systems and applications by default and are meant to be assigned to IT administrators to facilitate management. In other cases, privileged identities are created by IT teams and then assigned to users.
Just-in-time access
Just-in-time access allows privileges to be granted, giving a user access to applications or systems for a limited time on an as-needed basis. This allows users to get the access they need without expanding the attack surface.
Least privilege
Least privilege is the concept of limiting access to the minimum needed by a role to execute duties. It applies to all users, human and non-human.
Least privilege prevents over-provisioning privileged access by restricting access to actual needs and only for as long as required.
Rather than providing persistent privileges, least privilege directs that access is restricted to the minimum time required and then terminated.
PIM vs PAM vs IAM
| Privileged Identity Management (PIM) | Privileged Access Management (PAM) | Identity and Access Management (IAM) |
| Security controls and policies to manage and protect privileged identities, which includes access to sensitive information and systems Involves managing which resources identities with elevated privileges can access Includes security controls and policies to manage and secure privileged identities (e.g., service accounts, usernames, passwords, SSH keys, and digital certificates) Concentrates on the rights assigned (i.e., typically set by IT departments or system administrators) to various identities Focuses on managing and securing the identities of privileged accounts, including the creation, maintenance, and revocation of accounts with elevated permissions | Supports building an access control framework to protect, manage, monitor, and control privileged access pathways and activities across an organization Refers to the systems that manage accounts with elevated privileges Secures levels and the data that a privileged account can access Maintains privileged identities under protection and ensures the ones with administrator rights do not engage in the abuse of privileges | Controls who can access an organization’s resources (e.g., applications, assets, databases, networks, and systems) Allows roles to be assigned to groups according to departments or users’ roles Provides a security framework made up of unique rules, measures, and approaches that make it easier to manage digital identities Consists of policies, controls, and solutions to facilitate the management of digital identities Manages and secures user identities and access to resources, including privileged users |
Risks of unmanaged privileged identities
Privileged identity management addresses the risks associated with unmanaged privileged identities, including:
- Abandoned privileged identities
- Access privileges that are an abstraction without connections to the recipient
- Default accounts for new devices that are not inventoried or protected
- Every unknown account increases vulnerability and presents an opportunity for an intrusion
- Inability to confirm the strength of passwords used for privileged identities
- Lack of visibility into users’ privileges and associated rights
- Limited monitoring of privileged identity usage
- Unknown privileged identities
Benefits of privileged identity management
The most commonly cited benefits of implementing privileged identity management include:
- Automates processes for vetting privileged access
- Detects and prevent suspicious user activities and privileged account misuse
- Eliminate standing privileges and threats from non-operational, active accounts
- Enables complete control and visibility of privileged identities
- Ensures compliance with industry and government standards and regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), Sarbanes-Oxley Act of 2002 (SOX))
- Facilitates accessibility of privileged identity inventory
- Minimizes attack surface and threat vectors
- Monitors privileged access activities and remote sessions in real-time
- Reduces IT and auditing costs
- Supports data-driven incident response
Safeguarding superusers with PIM
Privileged identity management enables superuser accounts to be assigned and used safely. By enforcing tighter governance of privileged identities, providing monitoring, and enabling audits, PIM allows organizations to realize the operational benefits of superuser accounts without adding to cybersecurity risk or increasing attack surfaces.
