At your company, if there were a data breach, would it be worse for the account to belong to your summer intern or your IT director?
The question should be an easy one to answer. While a summer intern probably has limited access to your organization’s applications and data, an IT director is much more likely to have a privileged account, an account that, depending upon the resource in question, has access to more data, settings, or other “privileges” that allow it to do more than a typical user account. In short, an account that would be catastrophic were it compromised.
Cybercriminals tend to target these privileged accounts, since gaining access to them provides the keys to obtain sensitive data or systems. Gaining access to privileged accounts is often easier than breaking into the protected system directly (and less noticeable, since the account is supposed to access the target data or system already). This becomes especially problematic when users (like the summer intern) have too many privileges built into their accounts.
Since the implications of hacked privileged accounts are so severe, extra layers of security must be added to protect them. Privileged access management, or PAM, is an approach that incorporates processes, policies, and products to secure these critical accounts, and minimizes what cybercriminals can do with them if they’re compromised.
In this article, we’ll explain what PAM is, why you need it, and how to implement it in your security strategy.
What Is Privileged Access Management?
PAM is a way to protect your user identities that have extended privileges beyond the typical employee. A privilege is anything a particular account can do, like which IT resources it can access, the features available while using the IT resource, or the commands it can run against the underlying operating system of that resource.
If you’re familiar with identity and access management (IAM), PAM is the counterpart that focuses exclusively on privileged accounts — those accounts with permissions and access beyond the average user. The concept of privileged access management revolves around how to protect accounts with uniquely powerful permissions, and it operates based on a principle called least privilege.
Least Privilege, Privileged Access, and PAM
To fully understand the concept of privileged access management, you first have to understand the principles PAM operates on: privileged access and least privilege.
Privileged access is access that goes above and beyond what a “standard” user account has. The people who hold it, sometimes called superusers, may have some type of admin privileges, or access to sensitive information, like company financials for an accountant, or personnel files for an HR professional.
Least privilege, on the other hand, is the concept of giving all users access to the fewest apps and accounts possible, without restricting what they need to do their job.
Combining least privilege and privileged access means that only certain accounts are privileged with the more sensitive information and admin rights, while every account, privileged or not, has the most limited access possible.
Following these two principles is what PAM is all about: managing who has privileged accounts while ensuring all accounts have the least privileges necessary.
Privileged Access Management Examples
The concept of PAM may seem a little nebulous and abstract at this point, so let’s look at a few examples of PAM in action in a typical organization.
An in-house IT administrator’s account would be considered privileged, since they typically have access to the underlying tools that manage user passwords, remote overrides, and the ability to push new software updates remotely.
However, least privilege would ensure this admin account can’t access apps and servers not directly related to his or her job — meaning, this account can’t see sensitive financial info or employee files. The system of deciding what this privileged account should and should not have access to, and how it’ll be protected, is PAM.
A CFO’s account is privileged, since he or she will be able to access all company financial documents, spreadsheets, and servers. But under least privilege, even the CFO shouldn’t be able to access IT admin resources, or cloud-based applications used by Marketing, for example.
A contracted web designer — that is, someone who is hired externally on a project-by-project basis — may still have a privileged account if they have access to the backend of the company website, for example. But the principle of least privilege will ensure they can’t access any employee-only resources or information.
As you can see, privileged access isn’t specifically limited to one pay grade or team. Any application or server that only a select group of employees can access has the potential to be considered “privileged,” and must therefore be treated with caution.
Why Is Privileged Access Management Important?
Now that the overall concept of PAM is fleshed out, it’s important to also understand why it matters. While there are myriad benefits to implementing a privileged access strategy, there are a few especially important ones to be aware of.
Greater User Visibility
Because the security of privileged accounts is so critical, IT admins need more visibility over them than over an average user account. PAM can offer this oversight through solutions like user behavior analytics (UBA) and session management.
UBA tracks patterns in the user’s computer habits and constantly analyzes them for abnormalities that might suggest a threat, like an unauthorized person using the account. The software tracks specific “personality quirks” in the account holder’s behavior, like typing speed or patterns, for example, and compares them to an established baseline. If a break in the typical user’s patterns is detected, the software notifies IT of the change.
Session management, on the other hand, can set time restrictions on a user’s ability to access certain apps and servers, similar to how computers at a public library have set internet surfing limits before you’re kicked off. These time limits can increase security by forcing a user to log back in regularly, ensuring no unauthorized person is using the account.
Increased Identity and Access Management
While multi-factor authentication (MFA) is increasing in popularity with the surge of more and more remote-first organizations, it still isn’t the commonly accepted security standard it should be. But additional layers of security like MFA are more important than ever with privileged accounts.
PAM deploys measures like MFA to create more barriers between cybercriminals and privileged accounts’ sensitive information. While the time and inconvenience to the superuser is negligible, using MFA creates an account that is much, much more difficult to compromise.
That’s because it requires not only the typical username/password login information, but that the user must enter an additional factor to be authenticated (think: a time-based one-time password [TOTP] or a fingerprint scan hackers are unlikely to be able to replicate).
PAM also means tightening up your superusers’ passwords, specifically ensuring they aren’t repeating well-used passwords that may be associated with personal accounts from websites with unknown or questionable security practices. Enter: single sign-on (SSO).
SSO allows users to log on to just one platform, and through that platform get automatic login access to all the apps they need to use for a certain length of time. The “passwords” exchanged during the SAML handshake (or equivalent process) are machine-generated, signed assertions and keys rather than human-chosen passwords, which makes them nearly impossible for attackers to guess or reuse.
Risks of Not Implementing PAM
The most obvious risk of ignoring a PAM strategy is cyberattacks. Privileged account holders, more or less, hold the “keys to the kingdom.” These accounts offer the utmost in user features and permissions, making them a natural target for criminals.
And cybercriminals have long figured out that gaining access through legitimate accounts is an easier prospect than covertly exploiting a critical application or server remotely. That means not having a PAM strategy could mean unprecedented damage if these high-clearance identities were compromised.
Beyond the risk from hackers, not creating a PAM strategy also makes compliance harder to satisfy. If you don’t have one centralized platform to control your PAM strategy from, ensuring privileged account holders remain compliant with federal or industry regulations becomes more difficult, which can result in fines or worse.
What’s more, most PAM systems include password protection benefits like MFA and SSO that are hard to enforce without a foolproof strategy in place that all parties must comply with.
Developing a Privileged Access Management Strategy
At this point, if you’re sold on the need for PAM, you’re probably wondering where to start on designing your organization’s strategy. While no strategy is one size fits all, here are a few tips to get you heading in the right direction.
Step 1: Amp Up Privileged Account Login Security
An easy first step for your PAM strategy is to increase the security requirements for access for privileged users. If your privileged accounts aren’t currently under management, they need to be. That way, you have close oversight to ensure privileged users are following policies and security best practices, like:
- Using a unique password for each account rather than reusing one across multiple accounts
- Using complex passwords
- Using complex security answers
- Utilizing multi-factor authentication wherever possible
Once you’re managing privileged accounts, you should have a good grasp of who has access to what. Then, to further increase security, perform a least-privilege audit of these accounts to ensure no user has access to any apps or information that isn’t vital to their role.
If you do find superusers with unnecessary access, remove those privileges so only active, necessary users can access sensitive information. The fewer people who are authorized to access critical company info, the more secure your PAM strategy is.
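As an added example (not code from this article or from JumpCloud), the following script runs the least-privilege audit described in Step 1 over a constructed account inventory: each role has a baseline of entitlements, anything an account holds beyond that baseline is flagged as excess, and privileged accounts without MFA or without recent activity are reported as well. The role names, entitlement strings and the 90-day staleness threshold are assumptions for illustration.

```python
"""Least-privilege audit over a constructed account inventory (illustrative, not JumpCloud code)."""
from dataclasses import dataclass
from datetime import date

# Assumed role baseline: the entitlements each role needs to do its job.
# Anything an account holds beyond its role's baseline is excess privilege.
ROLE_BASELINE = {
    "it_admin": {"directory:admin", "device:push_updates", "password:reset"},
    "cfo": {"finance:read", "finance:write"},
    "contract_web_designer": {"website:backend"},
    "intern": {"email", "wiki:read"},
}

# Assumed set of entitlements that make an account "privileged" and so subject to MFA and review.
PRIVILEGED = {"directory:admin", "device:push_updates", "password:reset", "finance:write", "website:backend"}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    mfa_enrolled: bool
    last_login: date
    active: bool = True

def audit(accounts, today, stale_days=90):
    """Return (user, finding, details) tuples for every policy violation found."""
    findings = []
    for a in accounts:
        excess = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if excess:  # holds more than the role needs -> violates least privilege
            findings.append((a.user, "excess_privilege", sorted(excess)))
        is_privileged = bool(a.entitlements & PRIVILEGED)
        if is_privileged and not a.mfa_enrolled:
            findings.append((a.user, "privileged_without_mfa", []))
        # Privileged access on a disabled or long-idle account should be removed.
        if is_privileged and (not a.active or (today - a.last_login).days > stale_days):
            findings.append((a.user, "stale_privileged_account", []))
    return findings

# Constructed sample inventory; the audit date is fixed so results are reproducible.
AUDIT_DATE = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", "it_admin", {"directory:admin", "device:push_updates", "password:reset", "finance:read"}, True, date(2024, 5, 30)),
    Account("bob", "cfo", {"finance:read", "finance:write"}, False, date(2024, 5, 28)),
    Account("carol", "contract_web_designer", {"website:backend"}, True, date(2024, 1, 10), active=False),
    Account("dave", "intern", {"email", "wiki:read", "password:reset"}, True, date(2024, 5, 29)),
]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, AUDIT_DATE):
        print(finding)
```

Running it flags alice’s and dave’s excess entitlements, bob’s privileged account without MFA, and carol’s deactivated but still privileged contractor account.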
Step 2: Extend PAM Beyond User Identities
Privileged credentials aren’t the only thing cybercriminals target: your business-critical applications (and the systems they reside upon) are at risk, too.
The next step to tightening your security strategy is to bring your server infrastructure (built largely on Unix and Linux servers) and end user devices (Windows, Macs, and Linux desktops and laptops) under the same management platform as user identities. Having the ability to delegate privileges and authorizations without giving away passwords for the root account increases your application security tenfold.
Once you have this increased control, another PAM power move is to bring your devices and infrastructure into single sign-on. SSO increases convenience for end users by limiting their password management needs even further, and makes security management and oversight easier for IT admins.
Step 3: Combine Your IAM and PAM Strategies with a Cloud-Based Solution
The gold standard in a PAM/IAM strategy is integration with a cloud-native platform. Remote and hybrid workplace models already call for these technologies, but they also streamline access management for IT teams. In the privileged access management market, this tech is called a Cloud Directory Platform.
A modern Cloud Directory Platform offers an efficient, combined approach to PAM and IAM by converging directory services, privileged account management, directory extensions, web app SSO, and multi-factor authentication into one optimized SaaS-based solution.
These platforms offer centralized privileged identities instantly mapped to IT resources like devices, applications, and networks, regardless of platform, provider, location, or protocol. They also leverage multiple protocols such as LDAP, RADIUS, SAML, and SCIM so IT admins can seamlessly provision and deprovision, while users have secure, frictionless access to their resources.
JumpCloud Directory Platform: Modern PAM
If you’re interested in learning more about how to implement a PAM solution, drop us a note. We’d love to chat about how you can leverage JumpCloud’s Cloud Directory Platform, or try it yourself by signing up for a free account.
Your first 10 users and 10 systems are free. If you have any questions, access our in-app chat 24×7 during the first 10 days and a customer success engineer will be there to help.