Privileged Access Management (PAM) is a newer technology within the Identity and Access Management (IAM) space that focuses on applying additional controls and protections on accounts with privileged or administrative rights. It’s one of the fastest-growing segments of the cybersecurity technology space and is a combination of tools and technologies used to secure, control, and monitor access to an organization’s critical information and resources via privileged accounts. Subcategories of PAM include privileged password management, privileged session management, vendor privileged access management, and application access management.
Privileged user accounts are significant targets for attackers because they carry elevated permissions, access to confidential information, and the ability to change settings; if one is compromised, considerable damage can be done to organizational operations. Types of accounts that should be managed by a PAM program include local administrator accounts, Microsoft Active Directory application and service accounts, domain administrator accounts, server administrator accounts, and administrative accounts for external services such as cloud infrastructure and SaaS providers.
PAM software and tools work by gathering the credentials of privileged accounts into a secure repository so that their use is isolated and their activity is logged. This separation is intended to lower the risk of admin credentials being stolen or misused. Some PAM platforms won’t allow privileged users to choose their own passwords at all. Instead, the platform’s password manager issues a one-time password each time an admin logs in, or issues a password that is valid only for the day. The PAM platform holds the actual admin credentials, hides them from the user’s view, and rotates them frequently with very complex values that would be difficult for a human to manage.
PAM software features
PAM is important for companies that are rapidly expanding their IT systems or already have complex systems with many privileged credentials across a broad variety of IT infrastructure. In fact, it’s so important that analysts at Gartner have named it as a top security project of 2019.
PAM tools and software typically provide the following features:
- Multi-factor authentication (MFA) for administrators.
- An access manager that stores permissions and privileged user information.
- A password vault that stores secured, privileged passwords.
- Discovery of administrative accounts.
- Session tracking once privileged access is granted.
- Dynamic authorization, for example granting access only for specific periods of time.
- Automated provisioning and de-provisioning to reduce insider threats.
- Granular and centralized audit logging tools that help organizations meet compliance.
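The vaulting, check-out and rotation behaviour described above, together with the MFA, time-bound authorization and audit-logging features in the list, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from any PAM vendor: privileged passwords live only in the vault, an admin receives an expiring session token instead of the password, the real password is rotated when the session is checked in, and every decision is recorded. The account name `svc_backup`, the users `alice` and `bob`, and the timestamps are constructed sample values.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character set for machine-generated privileged passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=32):
    """Return a high-entropy password no human is expected to remember or type."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PamVault:
    """Toy PAM vault: holds the real credentials, hands out expiring session
    tokens instead, rotates the secret on check-in, and records every event."""

    def __init__(self):
        self._secrets = {}    # account -> current real password (never shown to users)
        self._grants = {}     # account -> set of users allowed to check it out
        self._sessions = {}   # token -> (user, account, expiry)
        self.audit_log = []   # append-only audit records

    def _audit(self, event, user, account, **extra):
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
               "user": user, "account": account}
        rec.update(extra)
        self.audit_log.append(rec)

    def onboard_account(self, account, admins):
        """Bring a discovered privileged account under management and rotate it
        immediately so no pre-existing password remains valid."""
        self._grants[account] = set(admins)
        self._secrets[account] = generate_password()
        self._audit("onboard", "vault", account)

    def checkout(self, user, account, mfa_ok, minutes=60, now=None):
        """Issue a one-time session token, never the password itself. Requires a
        passed MFA challenge and a standing grant; the token expires after a
        fixed period (dynamic authorization)."""
        now = now or datetime.now(timezone.utc)
        if not mfa_ok or user not in self._grants.get(account, set()):
            self._audit("checkout_denied", user, account, mfa=mfa_ok)
            return None
        token = secrets.token_urlsafe(32)
        expiry = now + timedelta(minutes=minutes)
        self._sessions[token] = (user, account, expiry)
        self._audit("checkout", user, account, expires=expiry.isoformat())
        return token

    def session_credential(self, token, now=None):
        """Used by the PAM proxy to inject the real credential into the target
        session; returns None for an unknown or expired token."""
        now = now or datetime.now(timezone.utc)
        session = self._sessions.get(token)
        if session is None or now >= session[2]:
            return None
        return self._secrets[session[1]]

    def checkin(self, token):
        """End the session and rotate the real password so whatever was injected
        during the session can no longer be reused."""
        user, account, _ = self._sessions.pop(token)
        self._secrets[account] = generate_password()
        self._audit("checkin_rotate", user, account)

    def current_secret(self, account):
        """Privileged view of the vaulted secret, used here only to verify rotation."""
        return self._secrets[account]


def demo():
    """Walk one constructed account through onboarding, denied and allowed
    check-outs, token expiry and check-in rotation; returns the observations."""
    vault = PamVault()
    vault.onboard_account("svc_backup", admins=["alice"])   # constructed account
    denied_no_grant = vault.checkout("bob", "svc_backup", mfa_ok=True)
    denied_no_mfa = vault.checkout("alice", "svc_backup", mfa_ok=False)
    start = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)   # constructed time
    token = vault.checkout("alice", "svc_backup", mfa_ok=True, now=start)
    pw_during = vault.session_credential(token, now=start + timedelta(minutes=10))
    pw_after_expiry = vault.session_credential(token, now=start + timedelta(hours=2))
    vault.checkin(token)
    return {
        "denied_no_grant": denied_no_grant,
        "denied_no_mfa": denied_no_mfa,
        "password_len": len(pw_during),
        "expired_blocked": pw_after_expiry is None,
        "token_dead_after_checkin": vault.session_credential(token, now=start) is None,
        "rotated": vault.current_secret("svc_backup") != pw_during,
        "events": [r["event"] for r in vault.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that the human never sees `pw_during`; only the proxy does, for the lifetime of the token, and the audit log captures the denied attempts as well as the granted one.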
Vendor privileged access management (VPAM)
Vendor privileged access management (VPAM) is a subset of PAM that focuses on high-level external threats that come from an organization’s reliance on external partners (vendors or third parties) to support, maintain, or troubleshoot certain technologies and systems inside their corporate network. Representatives from these vendors require privileged remote network access to complete their tasks, thus posing a unique threat to overall IT management, security, and compliance if not properly managed.
VPAM solutions are specifically built for managing the distinctive, high-stakes threats that third-party vendors present. Third-party users complicate threat management as they cannot be tracked and managed in the same way as internal employees. Since employees working for vendors fall outside the control of their customers, companies may have little understanding about who they are, how they are using a company-provided login, and when they are no longer working for the vendor. VPAM helps organizations control and monitor third parties’ privileged access to critical applications and systems while streamlining the management of all transient users.
VPAM products provide three key areas of value to mitigate risks associated with third-party vendor remote access:
- Identification and authentication: Vendor access is difficult to manage because of the lack of oversight and the potential number of users. Therefore, implementing multi-factor authentication and vendor identity management techniques is critical. VPAM tools provide customized authentication options that can easily onboard and off-board users. This functionality prevents vendor reps who leave the vendor from taking their access with them. It also speeds onboarding of new vendor reps by delegating that task to the vendor.
- Access control: Once a user is authenticated, permissions need to be granted. A VPAM solution lets network managers grant access permissions and build an efficient working system that meets a desired set of requirements. For admins, access control can be as granular as individual application ports or as general as allowing access to an entire network of servers or applications. Admins can also schedule access by supervised or unsupervised technicians at times convenient for monitoring, adding to the efficiency and security of an enterprise network.
- Recording and auditing: VPAM tools monitor user activity during every session and can document the exact who, what, where, when, and why of any remote support session. An audit functionality within a VPAM platform also means that enterprise organizations can ensure vendor accountability and compliance within industry regulations.
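The three areas above map onto a small policy engine: identities with an automatic off-boarding date and an MFA requirement, grants scoped to specific host:port targets and to a daily access window with a supervised flag, and an audit record of who, what, where, when and why for every request whether allowed or denied. The code below is an added example written for this page, not SecureLink's or any other vendor's product; the vendor `AcmeHVAC`, technician `jdoe`, hosts under `corp.example`, the source address, ticket numbers and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass
class VendorIdentity:
    username: str
    vendor: str
    active_until: datetime        # identity is off-boarded automatically after this
    mfa_enrolled: bool = True


@dataclass
class AccessGrant:
    vendor: str
    targets: frozenset            # allowed "host:port" strings, granular to the port
    window_start: time            # access is only allowed inside this daily window
    window_end: time
    supervised: bool = False      # whether staff must watch the session live


class VpamGateway:
    """Toy VPAM gateway: authenticates vendor users, applies scheduled and
    port-granular access control, and records who/what/where/when/why."""

    def __init__(self):
        self.identities = {}
        self.grants = []
        self.sessions = []        # audit records, one per request

    def onboard(self, identity):
        self.identities[identity.username] = identity

    def add_grant(self, grant):
        self.grants.append(grant)

    def request_session(self, username, mfa_ok, source_ip, target, reason, now):
        """Return (allowed, detail) and append an audit record regardless of outcome."""
        allowed, detail, supervised = False, "", False
        ident = self.identities.get(username)
        if ident is None or now >= ident.active_until:
            detail = "identity unknown or off-boarded"
        elif not (ident.mfa_enrolled and mfa_ok):
            detail = "mfa required"
        else:
            grant = next((g for g in self.grants
                          if g.vendor == ident.vendor and target in g.targets), None)
            if grant is None:
                detail = "target not permitted for vendor"
            elif not (grant.window_start <= now.time() <= grant.window_end):
                detail = "outside scheduled access window"
            else:
                allowed, supervised = True, grant.supervised
                detail = "supervised session" if supervised else "unsupervised session"
        self.sessions.append({
            "who": username, "vendor": ident.vendor if ident else None,
            "what": target, "where": source_ip, "when": now.isoformat(),
            "why": reason, "allowed": allowed, "detail": detail,
        })
        return allowed, detail


def demo():
    """Exercise the gateway with constructed vendor, targets and times."""
    gw = VpamGateway()
    gw.onboard(VendorIdentity("jdoe", "AcmeHVAC",
                              active_until=datetime(2024, 12, 31, tzinfo=timezone.utc)))
    gw.add_grant(AccessGrant("AcmeHVAC", frozenset({"bms01.corp.example:443"}),
                             time(9, 0), time(17, 0), supervised=True))
    in_hours = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)
    after_hours = datetime(2024, 6, 3, 22, 0, tzinfo=timezone.utc)
    after_contract = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
    ip = "203.0.113.7"                      # constructed vendor source address
    bms, dc = "bms01.corp.example:443", "dc01.corp.example:3389"
    results = [
        gw.request_session("jdoe", True, ip, bms, "ticket 4711 chiller fault", in_hours),
        gw.request_session("jdoe", True, ip, bms, "ticket 4711", after_hours),
        gw.request_session("jdoe", True, ip, dc, "ticket 4711", in_hours),
        gw.request_session("jdoe", False, ip, bms, "ticket 4711", in_hours),
        gw.request_session("jdoe", True, ip, bms, "ticket 4711", after_contract),
        gw.request_session("ghost", True, ip, bms, "none", in_hours),
    ]
    return gw, results


if __name__ == "__main__":
    gateway, _ = demo()
    for record in gateway.sessions:
        print(record)
```

Only the first request succeeds, and it is flagged as supervised because the grant says so; the out-of-hours, wrong-target, no-MFA and post-contract requests are all denied, yet each one still produces a full audit record, which is what allows the customer to hold the vendor accountable after the fact.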
Combine PAM and VPAM for the best results
Together, PAM and VPAM create layered protection for organizations. PAM protects valuable privileged accounts with additional control; VPAM makes sure that external resources using privileged accounts, such as third-party vendors, are given access only to the networks, applications, and resources they need in order to do their job.
Author: Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.