Privileged access management (PAM) is used to control the use of systems and data to protect resources from threats. Combining people, processes, and technology, privileged access management provides visibility into what privileged users (e.g., IT and security administrators, human resources (HR) professionals, and executives) do while accessing restricted resources. Privileged access management also ensures that users with elevated privileges can access the resources they need while preventing misuse of access rights and blocking unauthorized access.
In addition, privileged access management helps IT teams right-size elevated permissions by enforcing the principle of least privilege. This helps organizations reduce their attack surfaces by minimizing the users, accounts, applications, systems, devices (e.g., Internet of Things, or IoT), and computing processes that can access sensitive resources to the least required level to perform their assigned duties.
What are privileges and how are they created?
In terms of enterprise IT, privilege describes the rights granted to an identity, account, or process within a computing system or network that are above the normal access granted. Privileged access management is used to provide authorized users with elevated access and the ability to perform a number of restricted functions, such as:
- Access sensitive data or resources
- Configure networks or systems
- Load device drivers
- Open or close ports
- Override, or bypass, certain security restraints
- Provision and configure accounts and cloud instances
- Shut down or restart systems
In some cases, privileges for various user accounts and processes are embedded into applications, cloud management platforms, databases, file systems, hypervisors, and operating systems. Privileges can also be assigned based on the role of privileged users, such as system and network administrators or finance team members. Lastly, privileges can be assigned based business units (e.g., IT, finance, HR) or other criteria such as seniority, time of day, or geographic location.
It is important to grant privileges to authorized users to perform key operational tasks as part of their jobs; however, privileged access is inherently risky.
Privileged access management helps minimize the possibility of misuse or abuse by insiders or attackers who steal privileged access credentials.
Definition of privileged accounts
A privileged account, also referred to as an administrative account, is a login credential (i.e., username and password) that grants access to a server, firewall, cloud service or storage, or another admin account. Privileged access management is used to administer these accounts to ensure that the users requiring access have the requisite privileges.
In most cases, privileged accounts refer to those used by IT teams and resources that use the access to administer and manage the organization’s systems, infrastructure, and software. Privileged accounts can also be granted to other users to access data or systems. Using privileged access management, privileged accounts can be assigned to different entities, including:
- Application owners
- Database administrators
- Help desk workers
- IT administrators
- Operating systems
- Security teams
- Services accounts
- Third-party contractors
Privileged access management is used to control what users with elevated access can do. In the case of IT, this usually includes administrative tasks, such as:
- Accessing sensitive data and systems (e.g., medical records, credit card details, social security numbers, and government files)
- Backing up data
- Creating and modifying user accounts
- Installing software
- Updating security settings and patches
Privileged access management is also used to control infrastructure, services, and system accounts on-premise and in the cloud, such as:
- Cloud environments
- Databases
- Endpoints
- Operating systems
- SaaS applications
- Servers
- Service accounts
Special types of privileged accounts, known as superuser accounts, can also be controlled with privileged access management. Superuser accounts are referred to as “Root” in Unix/Linux and “Administrator” in Windows systems.
Specialized IT employees use these superuser accounts to execute commands and make system changes. Privileged access management oversees superuser accounts to monitor and log activity as these accounts have vast privileges that can provide:
- The ability to render systemic changes across a network (e.g., creating or installing files or software, modifying files and settings, and deleting users and data)
- The power to grant and revoke permissions for other users
- Unrestricted access to files, directories, and resources with full read, write, and execute privileges
Privileged access management helps prevent and mitigate the effects of human error (e.g., accidentally deleting an important file or mistyping a powerful command) and malicious insider activity.
Types of privileged accounts
Following are examples of the types of privileged accounts found in organizations and typically managed using privileged access management.
Application administrator accounts
Application administrator accounts have full administrative access to specific applications and the data stored in them. They are used to ensure that applications can access required resources to perform automated and updates, as well as database and networking updates. Application administrator accounts also ensure that configuration changes can be made.
Domain administrator accounts
The highest level of access in a system is given to domain administrator accounts. These accounts can access every workstation and server as well as control system configurations, admin accounts, and group memberships.
Domain service accounts
These are powerful accounts and very complex. Because they are used to connect multiple systems and applications to communicate and provide access to resources (e.g., to access databases, call APIs, and run reports), a change to a domain service account credential breaks connections and can wreak havoc. This makes these credentials susceptible to compromise, since they are rarely, if ever, changed.
Emergency accounts
Sometimes referred to as a “break the glass” account, emergency accounts have privileged access and are meant to be used by unprivileged users when elevated access is needed to restore systems and services in the wake of a critical incident.
Local administrator accounts
A local administrator account has administrative control over specific servers or workstations. This type of privileged access account is commonly created to enable IT to perform maintenance tasks.
Local administrator accounts are powerful; they can be used to create local users and assign user rights and access control permissions, and to take control of local resources by changing the user rights and permissions.
Service accounts
Service accounts are used to facilitate secure interactions between applications and operating systems. The security issue with service accounts is that they can be used in operating systems to execute applications or run programs, but their access is usually either in the context of system accounts (highly privileged accounts without a password) or a specific user account (usually created manually or during software installation). Although service accounts typically are not permitted to log on to systems, they often have passwords that never change, and the accounts do not expire.
Superuser accounts
Superuser accounts are assigned to administrators. This type of account provides users with unrestricted access to the files, directories, and resources they need to do their jobs. Privileged access management oversees their activities, which include installing software, changing configurations and settings, and adding and deleting users and data.
Additional types of privileged accounts
These are just a few of the privileged accounts that organizations should prioritize and secure to reduce the risks of them being compromised and abused. Other types of privileged accounts include:
- Accounts used to access security solutions
- Firewall accounts
- Hardware accounts (e.g., BIOS and vPro)
- Network equipment
- Root accounts
- Wi-Fi accounts
Definition of privileged passwords
Privileged passwords are privileged accounts that give a limited number of users the ability to:
- Access critical systems, accounts, and applications (e.g., customer relationship management platforms, operating systems, directory services, social media accounts, IoT devices, and directory services)
- Perform restricted functions (e.g., create accounts and allocate access privileges to accounts)
- View, edit, or download sensitive information (e.g., customer information, financial data, and intellectual property
Privileged access management helps protect risky privileged passwords, which can be used for potentially devastating lateral movements if compromised.
Privileged passwords associated with human, application, and service accounts are at particular risk. Privileged access management provides monitoring and alerting to ensure that these, as well as human accounts, do not become attack vectors.
Why privileged access management is important
Privileged access management plays a critical role in reducing the risks associated with privileged access accounts. Following are several ways that privileged access management can prevent privileged accounts from being used for malicious activity and how it helps organizations.
Top 5 reasons why privileged access management is important
- Equips security teams to identify malicious activities that are the result of privilege abuse.
- Ensure that employees have only the necessary levels of access to do their jobs.
- Identifies malicious activities linked to privilege abuse.
- Provides secure access controls for systems to access and communicate with each other.
- Detects anomalous privileged access activities as they occur.
Privileged access management is also important for the following reasons.
Condenses attack surfaces
Privileged access management can protect against internal and external threats by limiting privileges for people, systems, and applications, thereby reducing exploitation opportunities.
Improves visibility
With privileged access management, security teams have a real-time view of users’ access to every application, device, network, and server, including session times. This makes it possible to identify attempts to access unauthorized areas quickly. Privileged access management can also be used to set up alerts when users are not following their typical behavior and flag possible compromised credentials.
Increases productivity
Privileged access management can automate manual tasks, such as password creation and password vaulting. Privileged access management reduces human error, saving teams time on correcting issues, and helps eliminate access issues that arise when users log in from multiple locations and devices.
Integrated access
Privileged access management provides a single dashboard for managing access to enterprise systems, including applications, databases, devices, servers, and workstations. This dashboard can also be used to generate a report that aggregates access data from multiple sources.
Minimizes the impact of a cyber attack
If a data breach does occur or malware gains a foothold, privileged access management helps limit its ability to spread, thereby keeping its reach to a minimum.
Protects against attacks by terminated employees
By making it easy to automatically remove access for terminated employees, privileged access management helps eliminate security gaps that occur when terminated employees retain access to systems.
Satisfies cyber insurance requirements
In response to the scope and cost of ransomware attacks, many cyber insurance policies mandate the use of privileged access management. This is because privileged access management controls have proven effective in reducing risk and neutralizing cyber threats.
Mitigates the weakest security link – humans
Experts agree that humans represent the weakest link in security efforts, especially as related to access. Privileged access management can prevent privileged users from abusing or misusing their level of access.
Privileged access management mitigates the potential risk from privileged users by ensuring they only have the minimum access needed to do their jobs; it also helps identify and link malicious activities to privilege abuse.
Supports compliance programs
Privileged access management can help achieve and verify compliance. It facilitates the implementation and enforcement of the principle of least privilege, which is a compliance requirement for a number of regulations, including the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX).
In addition, privileged access management records and logs all activities related to critical IT infrastructure and sensitive information, which provides data needed for compliance audits.
Threat vectors to privileged accounts and passwords
Privileged access management is an effective tool to neutralize threats that exploit privileged accounts and passwords. The most common ones involve lateral movement through networks to find a dormant or orphaned account that can be used escalate privileges.
Agents that utilize threat vectors to access privileged accounts and passwords include the following (some of whom are not acting with ill intent but simply make mistakes that lead to privileged account escalation):
- Accidental insiders (i.e., user errors)
- Hackers
- Malicious insiders
- Partners
Privileged access management provides effective defenses against weaknesses in privileged access allocation, including:
- Hardcoded and embedded credentials used for applications, systems, network devices, and IoT devices
- Lack of awareness of privileged accounts
- Over-provisioning of privileges
- Poor password management practices
- Remote access
- Shared admin accounts
- Third-party vendor access
Privileged access management best practices
Following is an overview of the most commonly cited privileged access management best practices.
- Avoid perpetual privileged access
- Create a complete inventory of all privileged accounts and credentials
- Determine baselines for privileged user behavioral activity (PUBA) and monitor deviations
- Document where and how privileged accounts are used and by whom
- Enforce least privilege for all end users, endpoints, accounts, applications, services, and systems, including all on-premises, cloud, and hybrid deployments, eliminating any default and standing privileges
- Establish and enforce a comprehensive privilege management policy
- Implement strong password security protocols, such as:
- Centralizing the security and management of all credentials (e.g., application passwords, privileged account passwords, and SSH keys)
- Mandate the use of strong passwords
- Update privileged passwords regularly
- Ban password sharing
- Monitor and audit all privileged activity
- Provide just-in-time access
- Require separation of privileges and separation of duties
- Remove default admin rights
- Segment systems and networks
- Take advantage of privileged access management automation
- Use activity-based access control
- Use dynamic, context-based access
- Use privileged access management to implement and maintain related security policies
Privileged access management and enhancing security
The use of privileged access is inherently risky. Privileged access management enables organizations to allow users to have elevated access without compromising security or increasing attack surfaces. It enhances security and helps security teams improve productivity and streamline operations.
