Privileged accounts are among an organization's biggest cybersecurity concerns. These accounts give admins control over data, applications, infrastructure and other critical assets that average system users don't have permission to access or change. If a hacker gains access to a privileged account, he or she could inflict significant damage, so any unauthorized access to a privileged account is about as dangerous as a cyberattack can get.
Enter Privileged Access Management (PAM). PAM solutions monitor, manage and secure privileged credentials by detecting threats and brokering access while optimizing users' efficiency to complete tasks. PAM tools are based on the principle of Least Privilege Access, which is about granting users access to and control over only the specific segments of a network they need to do their job. Credentials must be verified before users can enter a system and policies assigned to limit what actions they can take. This methodology improves security throughout the overall system while also optimizing workflows and productivity by removing the ability to waste time with unnecessary systems and applications.
PAMs leverage powerful automation capabilities and user-friendly features to build just-in-time (JIT) privileged access programs and zero trust security frameworks. These solutions are typically available as software products or software-as-a-service (SaaS) offerings, depending on the environment, whether on-premises data centers, or hybrid and cloud systems.
Privileged Access Management vs IAM
PAM and Identity and Access Management (IAM) go hand in hand but serve different purposes. PAM is focused on defining and controlling privileges for more robust administrative tasks for sysadmins. IAM manages access for general users and customers within applications, such as logging into accounts for emails or subscription services.
IAM generally has a smaller attack surface, as it focuses on users who only need access to a small number of business-specific applications. PAM focuses on larger actions such as the bulk download or alteration of databases that might give sysadmins access to a large number of accounts or critical data. These tasks create a much larger attack surface and a greater risk of a data breach, making PAM an essential tool in securing a network and its assets.
PAM is usually a subset of broader IAM frameworks, but it should be first in line as it delivers the connection between privileged users and the role-based accounts they require to do their job.
Privileged Access Management and Zero Trust Security
The Zero Trust Security model embraces the philosophy of trust nothing and verify everything, as opposed to traditional castle-and-moat models focused primarily on perimeter security. Least privilege access is at its core, requiring every single connection within a network to be authenticated and authorized before they are granted access to a system. This relies on governance policies for authorization. PAM is the utility that verifies the permissions for administrative users according to these policies. Without PAM, zero trust security can't exist.
Best Privileged Access Management products
Jump ahead to:
- Arcon Privileged Access Management
- Broadcom (Symantec)
- Centrify Privileged Access Service
- CyberArk Privileged Access Security
- Krontech Single Connect
- One Identity Safeguard
- Senhasegura Privileged Access
- Wallix Bastion
- PAM best practices
- PAM market
Arcon Privileged Access Management can be delivered as both software or SaaS. It provides Privileged Account and Session Management (PASM) capabilities for all systems, as well as Privilege Elevation and Delegation Management (PEDM) for Windows and UNIX/Linux systems. Its impressive discovery capabilities can monitor and identify Active Directory (AD) users, network devices, databases and some applications. The smart session management feature can flag access to the most high-risk systems to help prioritize remediation efforts.
Arcon lacks many out-of-the-box technology integrations and primarily leans on APIs, which means more effort left on security teams for implementation and support. This PAM solution is best suited for midsize to large enterprises with mature use cases and the ability to support approaches through open APIs for adjacent integrations.
BeyondTrust Privilege Management is available as software or as a virtual appliance coupled with hardware for Windows, macOS, and UNIX/Linux. It has powerful discovery capabilities that include network and IaaS asset scanning. It beats out Arcon with more out-of-the-box adjacent technology integrations. Privilege Management also supports sandboxing and allow/deny/isolate functions for applications and Windows. File integrity monitoring is supported on Windows and UNIX/Linux systems.
It does provide clustering and high availability functions, however, it relies on high availability for Disaster Recovery (DR) scenarios and lacks a true "break glass" capability to allow access to passwords in emergency situations. But it remains an advanced tool that caters to large global enterprises with mature PASM and PEDM use cases.
Symantec Privileged Access Management, part of Broadcom's wider Identity Security suite, is available as both a hardware or software appliance. It offers PEDM services provided by their agent-based Server Control product for Windows and UNIX/Linux. Its discovery capabilities do not blow out the competition but it is able to discover assets in virtual environments, such as Azure, AWS and VMware.
For more advanced functionality, this solution relies heavily on integrations. It can provide detection and mitigation of suspicious activity with integration with the Symantec Threats Analytics function. It falls behind in native governance but for an additional cost, it can be integrated with the Symantec Identity Governance and Administration tool. This solution is best suited for midsize to large enterprises.
Centrify Privileged Access Service is available as software but is primarily offered as SaaS to cater to hybrid and cloud environments that require on-demand scaling. This is a good option for organizations with a focus on making data-driven decisions, as it provides advanced privileged access logging and analytics presented through a variety of built-in reports and support for SQL queries. Centrify also caters to largely remote companies by including a remote PAM tool.
Its account discovery capabilities are lacking with primary focuses only on Active Directory and simple network scanning. But it's break glass capability through what they call the escrow function is a big win for emergency access. It's able to export passwords and other sensitive data into CSV files that can then be encrypted and stored securely. Centrify is a good option for global enterprises with a need for AD bridging capabilities but not for macOS systems.
CyberArk Privileged Access Security is a robust solution that offers PEDM capabilities for Windows and Mac, as well as an On-Demand Privileges Manager (OPM) for UNIX/Linux systems. It also has a separate SaaS offering called CyberArk Privilege Cloud for hybrid and cloud environments.
It boasts advanced discovery capabilities and service account management to support virtually any use case. Its break glass capability provides access to information even when the PAM tool is unavailable. It leads the pack in governance and administration with short-term, long-term and ephemeral access policies.
Privileged Access Security provides automation features for deployment but users still report deployment and upgrades are more complex to manage compared to competitors. The scanning and discovery tools in the SaaS offering are less mature than in the software product version but it's a good choice for midsize to large enterprises that require on-demand scaling.
Krontech's Single Connect solution offers privileged session management for PASM and some limited PEDM capabilities for Linux systems only. Its advanced network scanning and discovery capabilities integrate with the Configuration Management Database (CMDB) and IT Service Management (ITSM). Its unique governance capabilities can recognize out-of-policy privileged access through built-in Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) servers for network devices and systems.
Krontech also lacks many adjacent integrations so users must lean on APIs and include no native break glass capabilities. This intermediate PAM solution is good for midsize and large enterprises with mature PASM use cases and who can accommodate extensive scripting.
One Identity's Safeguard for Privileged sessions is only available as a hardware or virtual appliance. Its discovery capabilities aren't market-leading but they are integrated into the main product instead of requiring customers to purchase a stand-alone software solution. It has impressive session management functionality with transparent gatewaying, OCR analysis for live sessions, command filtering, and SQL protocol logging for Microsoft SQL Server. Native governance and administration capabilities are pretty basic but can be improved thanks to integration with the One Identity IGA tool.
This is not the tool for companies looking to automate a lot of PAM processes. It requires users to build scripts for basic automated admin tasks. It also lacks break glass capabilities.
Senhasegura Privileged Access is delivered only as a virtual image. Its account discovery capabilities are highly extensible with many automation and input connectors, as well as prebuilt integrations with change management database (CMDB) and IT operations monitoring (ITOM) systems. Users praise its logging and analytics features that come with searchable out-of-the-box reporting templates and an impressive graphical user interface (GUI).
Senhasegura Privileged Access is certainly not the best choice for a team looking for easy ways to extend functionality. The solution relies heavily on scripting yet the product documentation is surprisingly limited. So expect to perform a lot of independent research.
Thycotic's PAM solution, Secret Server Platinum, is available as both software and SaaS. Its credential management is great for Windows systems as it offers extensive support for a variety of Windows service accounts. Thycotic offers some useful add-ons to their solution at an additional cost, including its Account Lifecycle Manager and the Connection Manager to support remote privileged access.
It does not have break glass capabilities and advises file copy backups for DR scenarios. It's software is an efficient tool for midsize and large enterprises and is likely the better option over the SaaS offering unless on-demand scalability and availability are a prime concern.
The main selling point of Wallix Bastion is its session management functionality and advanced governance and administration, which offers advanced features, such as Office for Civil Rights (OCR) analysis for live sessions. It also makes automation a priority with options to automate repetitive password policy tasks. Its unique break glass function uses email encryption to gain access when the PAM tool is not available.
Wallix Bastion's account discovery is lacking as it's limited to Active Directory and local account and network scanning. Its event trigger automation controls are also limited to SIEM systems. Overall, it's an intermediate PAM solution for midsize to large enterprises.
Here are some tips and best practices for ensuring your privileged access management lifecycle stays secure.
Identify what a privileged account is
The exact parameters that determine what a privileged account is varies for every organization according to the needs of the business. Not knowing exactly what a privileged account looks like creates vulnerabilities. Without this knowledge you can’t create concrete governance policies. Start by mapping out what functions of your organization rely on different data, systems and applications. Then create a profile of who in your organization will have privileged access to these resources and when those accounts will be used. This information will inform your governance, which ensures that privileged accounts are properly monitored and controlled.
Well-defined privileged access governance is key to effectively monitoring and controlling privileged accounts throughout the entire lifecycle. Comprehensive governance entails defining roles, policies and mechanisms for access requests, approvals and delivery. After identifying what a privileged account is within your organization, you can draft policies that ensure accounts only gain access to the information they need, when they need it.
Continuously monitor account activity
Continuous session monitoring and auditing should always be in place in the privileged account lifecycle. When breaches occur, records of account use will help security teams quickly identify the root cause of the issue. This information can also be cross-referenced with the account privileges to identify what policy controls need to be re-configured and improved.
Get buy-in from your organization
Members of your organization need to understand what privileged access is, what access they have and why. Without this knowledge they may make critical errors with their actions that contradict policies and leave backdoors in the network for attackers. If you don’t already, include PAM in your company’s security awareness training.
Gartner has identified PAM solutions as a top 10 security control. They deemed it, "one of the most critical security controls, particularly in today's increasingly complex IT environment." In a recent survey of IAM leaders, Gartner found that 30% have already implemented PAM solutions, with 36% planning to by 2021. Another 22% plan on adopting SAM practices by 2023 or 2025. Only 13% have not included PAM in their future security developments. These figures are extremely similar for SaaS offerings, with 34% already using PAM solutions and 29% planning to adopt by 2023 or 2025.
As organizations increasingly move to cloud infrastructures, there is a shift in PAM solutions increasingly offered as SaaS rather than software, hardware appliances or virtual machine (VM) images. Gartner expects 84% of all organizations to have a SaaS-based PAM solution implemented in their security architecture by 2025, as the market continues to grow by double-digits.
The push for more remote work throughout organizations, especially due to the global pandemic, leads Gartner to expect a large rise in the need for remote administration access - not just for employees but for remote vendors and contractors as well. Remote access features will likely become standard in PAM solutions in the years to come.