In the same way you wouldn't give unauthorized staff access to personal customer data or sensitive financial documents, you shouldn't allow just anybody to have free roam of your IT network.
But your system admins - known as privileged users - will always have the keys to the castle, and that means they must be protected. So how do you protect privileged accounts, and what should you be looking for? Let's talk about PAM.
Privileged access management is a security concept designed to control and protect privileged accounts. That is, accounts which have admin-level access to a system.
Admin user accounts have to be protected far more carefully than normal, due to the extra access they're typically granted. They can change systems, add new elements or remove them, install new applications, perform maintenance operations, patch software, and so on.
Imagine if a cyber attacker got their hands on the credentials for one of your privileged accounts.
It could be devastating - giving them total control to install their malware, destroy data, spy on sensitive information, steal customer data, and anything else they can think of. Credential harvesting is one of the most common system entry points for a cyber attacker - you absolutely cannot let a harvested credential open the door to an admin account.
Learn more: The most common cyber attack vectors of 2022
PAM covers a number of security principles involving staff training, technology adoption and process optimization. By combining all three together, it creates a system of competent people following competent policies using modern tools, which can greatly reduce the risk that your privileged accounts will fall into the wrong hands.
It may come as no surprise that the specifics of PAM change from one organization to another. Even so, it roughly follows the same process:
Identity and access management (IAM) is a broad umbrella for the various security and trust concepts involved with protecting access to a system. PAM is one such concept.
PAM tends to work best when built on a strong IAM foundation. Some of the steps involved in PAM require at least a basic level of IAM maturity, to ensure a company has an access management strategy, the beginnings of a policy and accompanying processes, and has begun to train staff about keeping their accounts safe.
That said, you wouldn't treat them separately. Companies don't usually pick up PAM on its own, and it's relatively rare that a wider IAM project would not include at least some of the components of PAM. They are both vital.
Download now: Identity and access management: A guide to best practices
The Principle of Least Privilege is something we're going to refer to again in this article, and it's intrinsically linked to good access management.
This principle says that users, applications and devices should only ever have the minimum access they require to perform their duties within a system - and that's it. Their access is typically time-limited, and even with an admin account they will still be limited in what they can modify.
The training, policies and tools involved in implementing IAM and PAM can help you to enforce the principle of least privilege. This principle ensures that even if someone gains unauthorized access to your system, their access will always remain stifled and temporary - making it harder for them to perform any long-term espionage.
Learn more: 10 known cyber espionage groups and how to protect yourself
Discovery is a key component of PAM. After all, you can't protect what you don't know is there.
Hunt through your system, all of its accounts, and look for users, applications and devices which:
A note on orphan accounts: It's likely that, during this process, you will find orphan accounts. These are privileged accounts which have admin-level access, but no valid user - that is, nobody owns them anymore. It's common for orphan accounts to appear, for instance, when someone resigns without their account being deleted at the same time.
To help you find orphaned accounts, create a list of all privileged accounts and a list of all active employees, and match them together. That way, if there's a privileged account with no user, you'll spot it.
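The account-to-employee matching described above, written out as a small script. This is an added example, not code from dig8ital or from any PAM product; the account inventory, HR roster and service-account ownership table are constructed for illustration, and in practice they would be exported from your directory, cloud IAM and HR systems.

```python
"""Constructed example: match privileged accounts against an active-staff
roster to surface orphan accounts. All data below is made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrivilegedAccount:
    username: str
    owner_id: Optional[str]  # HR employee id the account is assigned to, if any
    role: str


# Constructed inventory of privileged accounts (would come from AD/LDAP, cloud IAM, etc.)
PRIVILEGED_ACCOUNTS = [
    PrivilegedAccount("admin-jdoe", "E1001", "domain-admin"),
    PrivilegedAccount("admin-asmith", "E1002", "db-admin"),
    PrivilegedAccount("svc-backup", None, "backup-operator"),   # service account
    PrivilegedAccount("admin-rlee", "E1003", "domain-admin"),    # owner has left
    PrivilegedAccount("admin-legacy", "E0001", "domain-admin"),  # owner unknown
]

# Constructed HR roster: employee id -> name, active staff only
ACTIVE_EMPLOYEES = {"E1001": "Jane Doe", "E1002": "Ann Smith", "E1004": "Bob Kim"}

# Service accounts have no personal owner field, so a named human owner is
# registered separately; an entry here keeps svc-backup from looking orphaned.
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "E1001"}


def find_orphan_accounts(accounts, active_employees, service_owners):
    """Return {username: reason} for every privileged account whose owner is
    not an active employee (or who has no recorded owner at all)."""
    orphans = {}
    for acct in accounts:
        owner = acct.owner_id or service_owners.get(acct.username)
        if owner is None:
            orphans[acct.username] = "no owner recorded"
        elif owner not in active_employees:
            orphans[acct.username] = f"owner {owner} is not an active employee"
    return orphans


if __name__ == "__main__":
    for name, why in find_orphan_accounts(
        PRIVILEGED_ACCOUNTS, ACTIVE_EMPLOYEES, SERVICE_ACCOUNT_OWNERS
    ).items():
        print(f"ORPHAN {name}: {why}")
```

On the constructed data this flags `admin-rlee` and `admin-legacy`. Note that service accounts need their own owner register: without it every non-personal account shows up as an orphan, and with it an account whose registered owner has left is caught in the same pass.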
Risks are not made equal. In all cyber security, from building a basic security architecture right up to PAM, you need to keep in mind that you can't protect your business from every single risk. It would cost a fortune to try, and even then you can never truly reach 100% security - it's just not possible.
So, figure out which risks are the greatest, and prioritize your spend on those.
For this you will need to know:
To help you compare all four and determine what is or is not a priority, it pays to consider risk from two perspectives: likelihood of an attack, and impact of an attack. Any account with a high likelihood and high impact will be a natural choice for prioritization, and the reverse holds for accounts with low likelihood and low impact.
Here are some things to think about when analyzing privileged accounts for these two factors:
PAM cannot be a set-and-forget thing. Everything changes all of the time, from the way cyber attackers operate to the way your business runs itself. Even subtle changes can have a big impact on security, so you must review all of your policies and settings on a regular basis.
It'll be up to you to determine how regularly you should review your privileged account settings, whether quarterly, annually, or some other frequency.
Some things to think about include:
All organizations, no matter how big or small, must identify a particular person who will be accountable for PAM.
As part of their job, they are in charge of the tools and policies regarding PAM, and will be the person who conducts the regular reviews. This person also ensures that those who require training get it.
So who should be accountable?
It depends on the size of the business, and its complexity. In smaller organizations, it's usually the IT team who is in charge of network access - so perhaps it is the team leader here who is ultimately accountable.
In larger organizations, the IT team may continue to lead access accountability, but it may also fall to other members, such as:
A note about segregation of duties: In order to further prevent tampering, fraud, misuse, or error, consider also implementing a segregation of duties within PAM.
Segregation of duties is an internal control that breaks down a task that could otherwise be completed by one person into a task that must be completed by multiple people, in order to block potential misuse.
Within the PAM context, this would mean that the person accountable for assigning privileged access rights cannot assign themselves (or their devices) unlimited privileged access. This way, everyone in the business must always go to a qualified authority above them in the hierarchy in order to receive privileged access to the IT system.
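An approval gate that enforces the segregation-of-duties rules above in code. This is an added example, not dig8ital's own tooling or any product's workflow; the reporting hierarchy and the names in it are constructed. It encodes three checks: nobody approves their own privileged access, the person who enters a request into the PAM tool cannot also be its approver, and the approver must sit above the requester in the hierarchy.

```python
"""Constructed example: a minimal approval check enforcing segregation of
duties for privileged-access grants. Hierarchy and names are made up."""
from dataclasses import dataclass
from typing import Tuple

# Constructed reporting chain: person -> their manager (None at the top)
MANAGER_OF = {
    "cio": None,
    "it-lead": "cio",
    "sysadmin-1": "it-lead",
    "sysadmin-2": "it-lead",
}


@dataclass(frozen=True)
class GrantRequest:
    requester: str     # who will receive the privileged right
    approver: str      # who signs off on it
    submitted_by: str  # who entered the request into the PAM tool
    right: str         # e.g. "domain-admin"


def is_above(approver: str, person: str) -> bool:
    """True if approver appears anywhere above person in the reporting chain."""
    mgr = MANAGER_OF.get(person)
    while mgr is not None:
        if mgr == approver:
            return True
        mgr = MANAGER_OF.get(mgr)
    return False


def check_grant(req: GrantRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) after applying the segregation-of-duties rules."""
    if req.approver == req.requester:
        return False, "self-approval is not permitted"
    if req.submitted_by == req.approver:
        return False, "the person entering the request cannot also approve it"
    if not is_above(req.approver, req.requester):
        return False, "approver is not above the requester in the hierarchy"
    return True, "approved"


if __name__ == "__main__":
    for r in [
        GrantRequest("sysadmin-1", "it-lead", "sysadmin-1", "domain-admin"),
        GrantRequest("it-lead", "it-lead", "it-lead", "domain-admin"),
        GrantRequest("sysadmin-1", "sysadmin-2", "sysadmin-1", "db-admin"),
    ]:
        print(r.requester, "->", check_grant(r))
```

The second rule is what stops the PAM owner from acting alone: even though `it-lead` operates the tool, a request they key in still needs a sign-off from someone else, and their own elevation has to go up to `cio`. The person at the top of the chain has nobody above them, so this gate will never approve their elevation automatically; that case needs a separately defined authority (for example a board-level sponsor), which the example deliberately does not invent.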
Password vaults can add an extra layer of security over your privileged accounts.
While they're all a little different, generally what they do is store passwords and rotate them automatically, as often as several times a day. Someone who needs admin access goes into the vault, retrieves the current password, and uses that to gain privilege.
Or, to go deeper, look into ephemeral access
Ephemeral access is a type of temporary-only privileged network connection that requires no password at all.
Whenever someone wants to establish a privileged connection to the system, they log in to a certificate authority instead, which issues them a temporary user ID that expires within a matter of minutes. So, the person gains access but there is no password created or left behind for someone else to steal.
This one is a bit more technical, however, and won't work with every system. You may require third-party assistance to get this one rolling.
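A simplified model of the ephemeral-access flow described above, added here as an example rather than taken from the article or from any vendor. An issuing authority signs a short-lived credential naming the user and their roles; the target system checks the signature and the expiry and stores no password at all. Real deployments issue SSH or X.509 certificates signed with a private key that only the authority holds; this stand-in uses an HMAC over a JSON payload so it runs with the standard library alone, and the shared key, field names (`sub`, `roles`, `iat`, `exp`, `jti`) and the 300-second default lifetime are assumptions of the example.

```python
"""Constructed example: short-lived, password-less access credentials.
The HMAC construction is a stand-in for a real certificate authority."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class IssuingAuthority:
    """Issues credentials that are valid for a few minutes and then die."""

    def __init__(self, key: Optional[bytes] = None):
        # Signing key known only to the authority and the verifying systems
        self.key = key or secrets.token_bytes(32)

    def issue(self, principal: str, roles, ttl_seconds: int = 300, now=None) -> str:
        now = time.time() if now is None else now
        payload = {
            "sub": principal,                 # who the credential is for
            "roles": list(roles),             # what it lets them do
            "iat": int(now),                  # issued at
            "exp": int(now) + ttl_seconds,    # hard expiry, minutes not months
            "jti": secrets.token_hex(8),      # unique id, useful for audit logs
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def verify(token: str, key: bytes, now=None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None.
    Nothing is looked up in a password store; the signature is the proof."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    payload = json.loads(body)
    if now >= payload["exp"]:
        return None  # expired: a stolen token is worthless after a few minutes
    return payload


if __name__ == "__main__":
    ca = IssuingAuthority()
    tok = ca.issue("jdoe", ["db-admin"], ttl_seconds=300)
    print("fresh:", verify(tok, ca.key))
    print("after 10 minutes:", verify(tok, ca.key, now=time.time() + 600))
```

The property worth noticing is the one the article calls out: there is nothing persistent to harvest. A credential captured in transit or from a log is rejected once `exp` passes, and altering the roles inside it invalidates the signature. The one place this model is weaker than a real CA is the shared key: anyone who can verify can also issue, which is why production systems use a private signing key and distribute only the public half to the systems that check credentials.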
Before you dig into this list, just remember that tools aren't a magic wand - you need the right policy, training and processes in place before making big software investments. That said, when you're ready to investigate solutions, have a look at these:
Need help? We'll walk you through it
Here at dig8ital, we're experts in cyber security and access management. If you're looking at any of the above and thinking you're not sure that you - or your team - have the expertise required to get this done smoothly and efficiently, know that you're not alone.
Learn more about our technical security services, including IAM, PAM, cyber resilience strengthening, and vulnerability management.