1 Introduction
In the age of digital transformation, not only the requirements for IT but also the way IT is done, are constantly evolving. To remain relevant, organizations must reinvent themselves by being agile and more innovative. Emerging technology initiatives such as digital workplace, DevOps, security automation and the Internet of Things continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and compliant, organizations must actively seek newer ways of assessing and managing the security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon the security posture of the organization by identifying and implementing appropriate controls to prevent such threats.
Privileged Access Management represents the set of critical cybersecurity controls that address the security risks associated with the use of privileged access in an organization. There are primarily two types of privileged users:
- Privileged Business Users - those who have access to sensitive data and information assets such as HR records, payroll details, financial information, company’s intellectual property, etc. This type of access is typically assigned to the application users through business roles using the application accounts.
- Privileged IT Users – those who have access to IT infrastructure supporting the business. Such access is generally granted to IT administrators through administrative roles using system accounts, software accounts or operational accounts.
The privileged nature of these accounts provides their users with an unrestricted and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish individual accountability for privileged activities. Privileged accounts pose significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations. Security leaders, therefore, need stronger emphasis on identifying and managing these accounts to prevent the security risks emanating from their misuse.
Available Identity and Access Management (IAM) tools are purposely designed to deal with management of standard users’ identity and access and do not offer the capabilities to manage privileged access scenarios such as use of shared accounts, monitoring of privileged activities and controlled elevation of access privileges. Privileged Access Management tools are designed to address these scenarios by offering specialized techniques and unique process controls, thereby significantly enhancing the protection of an organization’s digital assets by preventing misuse of privileged access.
While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment, and activity monitoring have been the focus of attention for PAM tools, more advanced capabilities such as privileged user analytics, risk-based session monitoring and advanced threat protection are becoming the new norm - all integrated into comprehensive PAM suites being offered. We see a growing number of vendors taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.
Among the key challenges that drive the need for privilege management are:
- Abuse of shared credentials;
- Abuse of elevated privileges by unauthorized users;
- Hijacking of privileged credentials by cyber-criminals;
- Abuse of privileges on third-party systems;
- Accidental misuse of elevated privileges by users.
Furthermore, there are several other operational, governance and regulatory requirements associated with privileged access:
- Discovery of shared accounts, software, and service accounts across the IT infrastructure
- Identifying and tracking of ownership of privileged accounts throughout their life-cycle
- Establishing Single Sign-on session to target systems for better operational efficiency of administrators
- Auditing, recording, and monitoring of privileged activities for regulatory compliance
- Managing, restricting, and monitoring administrative access of IT outsourcing vendors and MSPs to internal IT systems;
- Managing, restricting, and monitoring administrative access of internal users to cloud services.
Of the available Privileged Access Management (PAM) technologies, PSM (Privileged Session Management) remains one of the three core technologies that constitute a baseline PAM solution. IT infrastructure, operations, and security leaders are under increased business and regulatory pressure to assess and manage the security risks arising from increased cloud access patterns of IT administrators, third-party vendors, and privileged business users. To meet the security requirements of increased cloud adoption, PSM technology over the past few years has undergone a major transformation of its on-premises only approach to include the emerging privileged access patterns of an increasing cloud-dominated IT environment. PAM vendors are continuously adding native cloud-ready features to their PSM technology in order to address the security risks of administrative access to cloud platforms and services.
SSH.COM is one of the solution providers in the PAM space, focused primarily on delivering secure, privileged access to cloud and on premises services without the need to reveal passwords using an integrated session management capability. Offering Tectia SSH Client/Server for secure SSH connections and Universal SSH Key Manager for managing SSH keys, SSH.COM offers PrivX as a separate standalone solution for establishing and managing SSH and RDP sessions to target systems through a client browser. PrivX focuses on setting up secure connections to servers and controlling access within these sessions, without the conventional vaulting of passwords and thereby reducing the overheads commonly associated with the password vaulting approach of existing PAM tools. For a detailed overview of the leading PAM vendors, please refer to the KuppingerCole Leadership Compass on Privilege Management[^1].