In the same way you wouldn’t give unauthorized staff access to personal customer data or sensitive financial documents, you shouldn’t allow just anybody to have free roam of your IT network.
But your system admins – known as privileged users – will always have the keys to the castle, and that means their accounts must be protected. So how do you protect privileged accounts, and what should you be looking for? Let’s talk about PAM.
In this article:
- What is privileged access management (PAM)?
- 5 steps to implementing best practice PAM
- Common challenges with PAM implementations
- Top 10 PAM tools to investigate
What is privileged access management (PAM)?
Privileged access management is a security concept designed to control and protect privileged accounts. That is, accounts which have admin-level access to a system.
Admin user accounts have to be protected far more carefully than normal, due to the extra access they’re typically granted. They can change systems, add new elements or remove them, install new applications, perform maintenance operations, patch software, and so on.
Why is PAM important?
Imagine if a cyber attacker got their hands on the credentials for one of your privileged accounts.
It could be devastating – giving them total control to install their malware, destroy data, spy on sensitive information, steal customer data, and anything else they can think of. Credential harvesting is one of the most common entry points for a cyber attacker – you absolutely cannot let a harvested credential be the one that unlocks an admin account.
Learn more: The most common cyber attack vectors of 2022
How does PAM work?
PAM covers a number of security principles involving staff training, technology adoption and process optimization. By combining all three together, it creates a system of competent people following competent policies using modern tools, which can greatly reduce the risk that your privileged accounts will fall into the wrong hands.
It may come as no surprise to you though that the specifics of PAM change depending on the organization. However, it roughly follows the same process:
- Discovery: Who has admin access right now? Do they need it? Who should have access?
- Clean-up: Adjusting who does or does not have access.
- Policy writing: Create a policy that defines who gets privileged access, what training they require to receive it, and for how long they’re allowed it at one time.
- Process optimization: The implementation of new admin account policies, including the establishment of an accountable person or department. Additionally, who will monitor privileged accounts? Who will sunset unnecessary privileged accounts, or accounts of those who have resigned from the business?
- Staff training: Training up key people on their responsibilities as an admin, including how to use a privileged account safely and how to protect it from cyber attackers.
- Technology adoption: Various technologies can help with PAM, including the same software as wider identity and access management. But there are PAM-specific tools that we’ll talk about below. These aren’t a magic wand – good tools require good processes behind them.
Difference between PAM and IAM
Identity and access management (IAM) is a broad umbrella for the various security and trust concepts involved with protecting access to a system. PAM is one such concept.
PAM tends to work best when built on a strong IAM foundation. Some of the steps involved in PAM require at least a basic level of IAM maturity, to ensure a company has an access management strategy, the beginnings of a policy and accompanying processes, and has begun to train staff about keeping their accounts safe.
That said, you wouldn’t treat them separately. Companies don’t usually pick up PAM on its own, and it’s relatively rare that a wider IAM project would not include at least some of the components of PAM. They are both vital.
PAM vs. the Principle of Least Privilege
The Principle of Least Privilege is something we’re going to refer to again in this article, and it’s intrinsically linked to good access management.
This principle says that users, applications and devices should only ever have the minimum access they require to perform their duties within a system – and that’s it. Their account access is probably on a timer, and even with an admin account they will still be limited in what they can modify.
The training, policies and tools involved in implementing IAM and PAM can help you to enforce the principle of least privilege. This principle ensures that even if someone gains unauthorized access to your system, their access will always remain stifled and temporary – making it harder for them to perform any long-term espionage.
5 steps to implementing best practice privileged access management
1. Start by finding all of your privileged accounts
Discovery is a key component of PAM. After all, you can’t protect what you don’t know is there.
Hunt through your system, all of its accounts, and look for users, applications and devices which:
- Have privileged access, and will need to continue to do so in some capacity.
- Have privileged access, but shouldn’t have it anymore.
- Have privileged access, but won’t need it for much longer.
- Don’t have access, but should.
A note on orphan accounts: It’s likely that, during this process, you will find orphan accounts. These are privileged accounts which have admin-level access, but no valid user – that is, nobody owns them anymore. It’s common for orphan accounts to appear, for instance, when someone resigns without their account being deleted at the same time.
To help you find orphaned accounts, create a list of all privileged accounts and a list of all active employees, and match them together. That way, if there’s a privileged account with no user, you’ll spot it.
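A minimal version of that matching, as an added example that is not part of the original article or any dig8ital tool: the account names, employee ids and dates are constructed, and it goes one step beyond the text by also flagging timed grants (see step 3) that have ended or are about to.

```python
"""Privileged-account review: match an admin-group export against the HR roster."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PrivilegedAccount:
    name: str                 # account name as exported from the admin group
    owner: str                # employee id it is registered to ("" if nobody)
    expires: Optional[date]   # end of a timed grant, None for standing access

# Constructed sample data (not real accounts): an admin-group export and HR roster.
PRIVILEGED = [
    PrivilegedAccount("adm-alice", "E100", None),              # standing admin
    PrivilegedAccount("adm-bob", "E200", date(2024, 6, 30)),   # project grant
    PrivilegedAccount("adm-carol", "E300", None),              # Carol has resigned
    PrivilegedAccount("svc-backup", "", None),                 # no registered owner
    PrivilegedAccount("adm-dave", "E400", date(2024, 5, 31)),  # grant already over
]
ACTIVE_STAFF = {"E100", "E200", "E400"}   # employee ids currently on the HR roster

def review(accounts, active_staff, today, horizon_days=30):
    """Sort privileged accounts into the discovery buckets.

    keep     - active owner, access should continue
    revoke   - orphaned (no owner / owner has left) or timed grant already expired
    expiring - timed grant ending within horizon_days, so it won't be needed much longer
    Each entry is (account name, reason) so the reviewer can see why it was flagged.
    """
    buckets = {"keep": [], "revoke": [], "expiring": []}
    for acct in accounts:
        if not acct.owner:
            buckets["revoke"].append((acct.name, "no registered owner"))
        elif acct.owner not in active_staff:
            buckets["revoke"].append((acct.name, "owner is no longer an active employee"))
        elif acct.expires is not None and acct.expires < today:
            buckets["revoke"].append((acct.name, "timed grant has expired"))
        elif acct.expires is not None and (acct.expires - today).days <= horizon_days:
            buckets["expiring"].append((acct.name, f"grant ends {acct.expires.isoformat()}"))
        else:
            buckets["keep"].append((acct.name, "standing access, active owner"))
    return buckets

if __name__ == "__main__":
    for bucket, entries in review(PRIVILEGED, ACTIVE_STAFF, date(2024, 6, 15)).items():
        print(bucket.upper())
        for name, reason in entries:
            print(f"  {name}: {reason}")
```

The fourth bucket from the list above (people who should have access but don’t) needs business input rather than a data match, so it is deliberately left out.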
2. Identify high-risk accounts and prioritize
Risks are not made equal. In all cyber security, from building a basic security architecture right up to PAM, you need to keep in mind that you can’t protect your business from every single risk. It would cost a fortune to do so, and even then you can never truly hit 100% security – it’s just not possible.
So, figure out which risks are the greatest, and prioritize your spend on those.
For this you will need to know:
- All of your PAM accounts.
- Your wider business goals.
- Your risk appetite.
- The threats facing your business within the global cyber landscape.
To help you compare all four and determine what is or is not a priority, it pays to consider risk from two perspectives: likelihood of an attack, and impact of an attack. Any account with a high likelihood and high impact will be a natural choice for prioritization, and the opposite is true for accounts with low likelihood and low impact.
Here are some things to think about when analyzing privileged accounts for these two factors:
- Which accounts are most likely to be targeted? Cyber espionage groups, especially those involved in social engineering or spear phishing, are often interested in specific individuals. If you can study which groups are attacking organizations like yours, and who they’re targeting, you can look to prioritize the protection of those specific accounts.
- Which accounts, if compromised, would do the most harm? It’s likely that, after this process is complete, your admin accounts will all have varied access levels (especially if you are using the principle of least privilege). Based on those access levels, which user accounts would be able to do the most harm if compromised by a malicious actor?
3. Review privileged account access regularly
PAM cannot be a set-and-forget thing. Everything changes all of the time, from the way cyber attackers operate to the way your business runs itself. Even subtle changes can have a big impact on security, so you must review all of your policies and settings on a regular basis.
It’ll be up to you to determine how regularly you should review your privileged account settings, whether quarterly, annually, or some other frequency.
Some things to think about include:
- Joiners, Movers, Leavers: As a part of your IAM policy (including PAM), you will need a JML component. That way you have a policy to review account access when someone joins, moves within, or leaves the business.
- Timed access: As a part of the principle of least privilege, you may wish to assign admin access on a timed basis. So, users can apply for admin access when they have a particular project requirement (e.g. upgrading the system), and keep admin access only for the duration of that project.
- Access levels: Make sure to review what level of access each admin account has, and to which systems it has that access. Does an HR admin really need access to, say, the IT network settings, or sensitive customer data? These are always good questions to ask.
4. Ensure accountability for privileged accounts
All organizations, no matter how big or small, must identify a particular person who will be accountable for PAM.
As a part of their job, they are in charge of the tools and policies regarding PAM, and will be the person who conducts the regular reviews. It is also this person who will ensure that those who require training get it.
So who should be accountable?
It depends on the size of the business, and its complexity. In smaller organizations, it’s usually the IT team who is in charge of network access – so perhaps it is the team leader here who is ultimately accountable.
In larger organizations, the IT team may continue to lead access accountability, but it may also fall to other members, such as:
- A specific IAM team.
- Someone in charge of IT risk and security.
- Someone in charge of governance and compliance.
A note about segregation of duties: In order to further prevent tampering, fraud, misuse, or error, consider also implementing a segregation of duties within PAM.
Segregation of duties is an internal control that breaks down a task that could otherwise be completed by one person into a task that must be completed by multiple people, in order to block potential misuse.
Within the PAM context, this would mean that the person accountable for assigning privileged access rights cannot assign themselves (or their devices) unlimited privileged access. This way, everyone in the business must always go to a qualified authority above them in the hierarchy in order to receive privileged access to the IT system.
5. Consider using a password vault
Password vaults can add an extra layer of security over your privileged accounts.
While they’re all a little different, generally what they do is store passwords and automatically rotate them, as often as several times a day. Someone who needs admin access can go into this vault, get the latest password, and use that to gain privilege.
Or, to go deeper, look into ephemeral access
Ephemeral access is a type of temporary-only privileged network connection that requires no password at all.
Whenever someone wants to establish a privileged connection to the system, they log in to a certificate authority instead, which issues them a temporary user ID that expires within a matter of minutes. So, the person gains access but there is no password created or left behind for someone else to steal.
This one is a bit more technical, however, and won’t work with every system. You may require third-party assistance to get this one rolling.
Common challenges with PAM implementations
- Reduced productivity due to overly restrictive policies: IAM and PAM policies with a hard focus on authentication and little regard for usability can create very restrictive systems that are a pain to use. The more friction you create for users, the more they’ll hate it, and the less likely they are to follow the rules. Authentication and user experience must always be in balance to get the best of both worlds.
- Orphan accounts leaving a backdoor open to attackers: Orphan accounts are a free back door for attackers. They have the admin power required to steal and destroy, but no one is monitoring them or changing the password regularly. Someone may be able to get into these accounts and do their malicious work without the company ever knowing.
- Admins have too much access power: If all admins have unlimited power over the entire system, it only takes one attacker to compromise one privileged account to steal or destroy everything. Splitting up administrative privilege based on actual requirements (in line with the principle of least privilege) can help prevent this from happening.
- Users sharing privileged credentials: If someone needs admin access temporarily and doesn’t want to go through the process of getting it, they may ‘borrow’ someone else’s account – a friend, a supervisor, whoever. But if that person hasn’t gone through the training, their device hasn’t been checked and they don’t know the rules, you can see the security risks this poses.
- Decentralized account management makes it hard to track: It’s common in some organizations for every department to cover its own access management. This lack of centralization makes it difficult to properly monitor the security of the business and ensure policies are being upheld. PAM should be centralized as much as possible to improve its efficiency.
Top 10 PAM tools to investigate
Before you dig into this list, just remember that tools aren’t a magic wand – you need the right policy, training and processes in place before making big software investments. That said, when you’re ready to investigate solutions, have a look at these:
Need help? We’ll walk you through it
Here at dig8ital, we’re experts in cyber security and access management. If you’re looking at any of the above and thinking you’re not sure that you – or your team – have the expertise required to get this done smoothly and efficiently, know that you’re not alone.
Learn more about our technical security services, including IAM, PAM, cyber resilience strengthening, and vulnerability management.