Privileged Access Management
What is Privileged Access Management?
Privileged Access Management (PAM) is a program an organization adopts to manage privileged accounts throughout the organization. Many different types of privileged accounts can exist, including, but not limited to, database accounts, directory modification accounts, human resource access accounts, accounting access accounts and, for some companies, intellectual property accounts. Privileged access programs can dictate policies regarding session management, password rotation, privilege escalation management, service account management and single sign-on management.
Session Management
Session management is the ability of an organization to control and dictate how privileged connections are established. The most common type of connection used in IT environments is an RDP (Remote Desktop Protocol) connection, typically to a Windows-based server. A session management tool brokers the connection, passes the privileged credential to the server for authentication, and then records everything done during the session.
Service Account Management
Service accounts are typically used in organizations to access databases, perform administrative tasks, and act as break-glass or backup accounts, among other things. Organizations should carefully consider the policies that govern such accounts. An organization could require that all service accounts be used only non-interactively, meaning they cannot log on to a server. An organization could mandate longer password lengths for such accounts. It could also prohibit service accounts from accessing the internet.
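A non-interactive-only policy is only useful if someone checks it. The following is an added example, not code from the original article: it scans constructed Windows Security event 4624 (successful logon) records and flags any service account that logged on with an interactive logon type. It assumes service accounts follow an svc_ naming convention and that the event fields are available as key=value pairs; both are assumptions for illustration.

```python
"""Flag service accounts that log on interactively (Windows event 4624).

Added example, not part of the original article. Assumptions: service
accounts use the naming convention svc_<name>, and each event is one
'key=value' line (the sample below is constructed, not real log data).
"""
import re
from dataclasses import dataclass

# Logon types from event 4624 that mean a person is at a console or RDP
# session: 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
SERVICE_ACCOUNT_PREFIX = "svc_"  # assumed naming convention

# Constructed sample events, one per line.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=svc_sqlbackup LogonType=5 WorkstationName=SQL01
EventID=4624 TargetUserName=jdoe LogonType=10 WorkstationName=JUMP01
EventID=4624 TargetUserName=svc_etl LogonType=10 WorkstationName=FILE02
EventID=4624 TargetUserName=svc_etl LogonType=3 WorkstationName=FILE02
EventID=4672 TargetUserName=svc_etl LogonType=2 WorkstationName=FILE02
EventID=4624 TargetUserName=svc_web LogonType=2 WorkstationName=WEB01
"""

@dataclass(frozen=True)
class Violation:
    account: str
    logon_type: int
    host: str

_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(_FIELD.findall(line))

def find_interactive_service_logons(log_text: str) -> list:
    """Return a Violation for each 4624 event in which a service account
    used an interactive logon type, in log order."""
    violations = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful-logon events carry the policy signal
        user = ev.get("TargetUserName", "")
        if not user.lower().startswith(SERVICE_ACCOUNT_PREFIX):
            continue
        logon_type = int(ev.get("LogonType", -1))
        if logon_type in INTERACTIVE_LOGON_TYPES:
            violations.append(Violation(user, logon_type, ev.get("WorkstationName", "?")))
    return violations

if __name__ == "__main__":
    for v in find_interactive_service_logons(SAMPLE_EVENTS):
        print(f"policy violation: {v.account} logon type {v.logon_type} on {v.host}")
```

On the constructed sample this reports svc_etl (RDP logon to FILE02) and svc_web (console logon to WEB01); the service logon (type 5) and network logon (type 3) are policy-compliant and are not flagged.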
Privilege Escalation Management
Many permissions are granted based on membership in a group. In many cases it is not necessary to keep an account in a privileged group permanently. The concept of Just-In-Time access holds that accounts should be given access when it is needed and have it removed once the task is performed. The key to this concept is finding a technology to grant and remove the access, but it is increasingly being implemented across IT infrastructures.
Password Rotation
A key part of a Privileged Access Management program is the ability to rotate passwords. In mature IT environments, a password management tool is used to manage privileged account passwords. Admins check out privileged account passwords, and some time later the same day the tool rotates the password on the account. High password complexity can be enforced with such tools, and privileged account passwords are rotated frequently. Tools like CyberArk and Delinea are current leaders in this space.
Implementing a good Privileged Access Management program can help protect organizations from privileged account compromises that could lead to data exfiltration and other unauthorized access.