A network security survey sponsored by Dell Computers and performed by Dimensional Research Group discovered over 80 percent of businesses are not diligent when it comes to managing administrative accounts and passwords. Additionally, 37 percent of survey respondents stated multiple users share a common set of credentials. Obviously, this does not bode well for securing critical network systems.
Privileged Access Management, or PAM, refers to managing the people who have been granted some form of administrative user rights to a secure computer network. These administrators, known as “privileged” users, will typically have access to manage critical data and systems like financial records, email accounts and website programming. However, as with any privilege, PAM should only be given to trusted individuals.
From a strict security standpoint, even the most trusted employees should have their access monitored, controlled when needed and privileges revoked if necessary. Because the need to control access to vital systems is crucial to network security, C-level administrators must have a way of protecting privileged access.
Securing Privileged Access
Securing PAM is especially important for large and expanding organizations, as these types of companies can sometimes have more privileged users than full-time employees. Taking company employees, consultants, contractors and remote users into account, some companies can actually have as many as three times more privileged users than employees!
Having so many uncontrolled privileged users can create serious security breaches as they may be able to override existing protocols, execute covert system changes, access restricted data and then conceal their actions. A PAM solution provides a streamlined and secure way to grant access to and monitor all users. PAM provides for:
- Granting privileges to users for only the specific systems they actually need to access.
- Granting access only when it is required and revoking user access when it is no longer needed.
- Negating the need for privileged-access users to have system-wide passwords.
- Easily managing access over a set of assorted systems.
- Creating a permanent and traceable audit trail for all privileged-access operations.
Components of Privileged Access Management
Privileged access management software solutions will vary in architecture, but most programs will offer similar features and components that work in concert.
Access Manager Module
An Access Manager module regulates access to privileged-user accounts by allowing top-level managers to set up parameters for all users. For example, privileged users will requests access to a part of a system via the Access-Manager module. The Access Manager is programmed to tell which systems a specific user may access and what level of privilege that user is entitled to. A top-level administrator can add, delete or modify user privileges via the Access Manager. This greatly reduces the risk that someone who no longer has the right to access the network will retain access to vital systems.
A well designed PAM system will keep privileged users from learning the actual passwords to important systems. This is designed to prevent the user from executing a manual override, as the PAM system secures all vital passwords in a “vault” and will grant the user access to a system once he has been authorized by the Access Manager.
Session Control Manager
Simple access control is not sufficient. Top-level IT managers need to be aware of every action each privileged user performs. As such, the Session Manager tracks all privileged-user actions during the current session and maintains a permanent record of the activity.
Privileged Access vs. Identity Management Systems
Privileged Access Management software is occasionally confused with the broader group of Identity Management programs, or IdM. While there is some overlap between functions, the two systems are designed for different purposes.
PAM focuses on privileged user access, whereas identity management involves recognizing, authenticating and granting permissions to any authorized user who accesses a system. For example, an employee who needs to log into an application would only need to be authenticated by an IdM program.
Typically, IdM programs are not suited to carry out privileged access management functions, as IdM programs do not have the same ability to limit user interactions as PAM programs do. Additionally, not all devices set up with privileged user management systems will integrate easily with other similar software programs.
IdM solutions are typically designed to provide open access, whereas PAM systems, by nature, are purposely restrictive. For example, an IdM system may enable an application to permit access to a third-party mobile app, such as a stock-trading program designed to allow a mobile user to check the balance of stock accounts managed by a separate entity. An IdM may use “security-assertions” protocols to confirm a user’s identity before granting access to third-party data. However, PAM software does not use such protocols as it would defeat the entire purpose of privileged access management control.
Protection from Cyber Attacks
Cyber criminals need to gain privileged access to implement their dirty deeds, and data breaches often begin with a single compromised privileged account. In fact, a recent study done by American cyber-security firm Mandiant revealed that every single data breach they investigated involved stolen privileged -user credentials. Once a hacker has access to one system he can easily move anonymously throughout the entire network. Just thwarting this risk alone makes having the most up-to-date PAM program a prudent investment.
In addition to being the editor at designrfix and writing about tech, web and graphic design among other subjects, I love “unplug” and be outdoors hiking and enjoying nature. If you can’t reach me, it’s probably because where I am at doesn’t have cell phone reception.