1 Introduction
PAM (Privileged Access Management) has traditionally focused on administrators and operators who use consoles or graphical user interfaces with highly elevated access privileges, often including full access to the systems they work on. PAM solutions avoid password sprawl for such sensitive (and frequently shared) accounts by delivering one-time passwords. They allow monitoring and recording of sessions, and they support analysis of such sessions both at run-time and after the fact.
However, administrators and operators working in consoles or administrative user interfaces (UIs) with extensive entitlements represent just a subset of privileged access. Many tasks require some privileges, but performing them through consoles and admin UIs is not adequate, neither from the perspective of risk and security nor from that of usability.
Most privileged access is operator access for people who must perform highly specialized tasks, e.g. managing users, customer accounts, or other operator tasks. Performing these tasks rarely requires extensive access to a console. Moreover, running such tasks through complex UIs and having users select the few commands or actions they need from a large set of features is neither user-friendly nor efficient. Poor usability can be expensive, as it is easy to make errors in manual processes. A significant portion of help desk calls relates to failed changes.
Furthermore, many of these tasks are repetitive. Performing them from consoles and feature-rich administrative UIs is not efficient. It is not secure. And it does not automate what should rather be automated. The latter is frequently addressed by creating scripts. Unfortunately, many of these scripts are written by individuals and are neither well tested, well documented, nor well managed. That creates new risks, including the challenge of maintaining such scripts once the employee who wrote them leaves the company.
IT Service Management (ITSM) focuses on addressing such challenges. However, two challenges remain. One is dealing with the specifics of privileged access, such as shared account passwords and system accounts, but also proper logging and auditing. The other, closely related, is that many of the common use cases span a variety of systems. Creating accounts manually for a new user, for instance, commonly involves various operator accounts across the target systems. Furthermore, the point is not so much requesting an administrator or operator activity via a ticket, but supporting the execution of this task and limiting the scope of what administrators and operators can do, ideally to a minimum.
In fact, by automating tasks and/or narrowing down what an operator can do (and what not), there is a huge potential for optimizing the work of service desks. The simpler and more focused tasks are, the easier it is to run them at 1st level support instead of escalating them to 3rd level support for manual execution using complex UIs. Given the persistent skills gap for qualified, experienced workers, there is a need for optimizing the execution of privileged IT tasks.
Osirium, a UK-based vendor, started in the field of PAM (Privileged Access Management) and focused on a task-based approach very early, differentiating itself from many of the other vendors in that market segment. With their new Opus offering, they focus even more on Privileged IT Process Automation, i.e. combining automation and process optimization with the specific requirements of properly handling privileged access.