1 Introduction
In the age of digital transformation, the requirements for IT, and the ways IT is done, are changing. Organizations need to reinvent themselves and become agile and more innovative while meeting ever-increasing regulation and constantly improving security by having the right countermeasures in place and preventing attacks. At the same time, given the vast number of attacks they face and the burgeoning of regulations, organizations must invent new methods of meeting these needs while still perfectly serving their customers. In addition, smart manufacturing and the Internet of Things massively expand the attack surface of organizations. Among the various countermeasures, Privilege Management plays a central role.
Privilege Management describes the domain of technologies that help better manage and control so-called “privileged accounts”, i.e. accounts that have elevated privileges and thus pose a higher risk. Such accounts also include shared accounts, which frequently have elevated privileges but are at even higher risk due to the nature of shared credentials. The capabilities of Privilege Management services nowadays range from Shared Account Password Management to Session Management and Privileged Behavior Analytics.
Privilege Management can be considered a domain of Cybersecurity, since attackers usually go after the high-privilege accounts. The users of privileged accounts have the broadest access to sensitive company data such as HR records, financial information, payroll details or a company’s IP. Therefore, a strong emphasis needs to be placed on protecting these accounts, which eventually results in a reduced risk of breaches.
Furthermore, Privilege Management is an essential element in protecting organizations against attacks that are not yet identified. What are commonly called zero-day attacks have, in fact, usually been running for a shorter or longer period of time, sometimes for years. All attacks go through a phase in which they are running but are not yet detected. Traditional technologies such as signature-based Anti-Malware don’t help in these scenarios. New Cybersecurity tools that look for anomalies and outliers can help identify such long-running attacks.
Privilege Management helps in two ways in these situations. On the one hand, it increases the protection of digital assets by protecting the most critical accounts and access to these systems. On the other hand, Privileged Behavior Analytics helps in identifying anomalies in privileged user behavior.
Additionally, Privilege Management is also part of the IAM (Identity and Access Management) domain, because it is about managing accounts and their passwords, as well as their access at runtime, e.g. by monitoring sessions.
Privilege Management is thus an essential element of both the Cybersecurity and the IAM infrastructures of organizations. It helps in mitigating risks and in protecting the crown jewels of organizations: their valuable digital assets and systems. Thus, it is no surprise that the market for Privilege Management is evolving, with new vendors entering and new and modernized offerings delivering better ways to tackle the challenges of Privilege Management.
When looking at the core area of Privilege Management, we expect to see Shared Account Password Management, Privileged Single Sign-On, Privileged Account Discovery and the management of account lifecycles, and Session Monitoring capabilities, which are a common feature in products nowadays. The main features we look at in these areas include, but are not restricted to, the following:
- Shared Account and Privilege Password Management
  - Central management of shared account privileges
  - Automated credential rotation or OTPs
  - Secure access to privileged credentials
- Privileged Single Sign-On (SSO access to multiple privileged sessions)
  - Simple management of session assignments to users
  - Ad-hoc and upfront authorization of access with support of approval lifecycles
  - Simple yet secure UIs
- Privileged Account Discovery and Lifecycle Management
  - Automated discovery of privileged accounts on servers, clients, and other systems in scope (e.g. network devices)
  - Integration into CMDBs
  - Simple (automated) grouping of accounts and systems
- Session Monitoring, Analysis, and Recording
  - Session Monitoring
  - Session Recording
  - Session Analysis
  - All for both CMD-based and GUI-based sessions