1 Introduction
In the age of digital transformation, not only the requirements for IT, but also the way IT is done, are constantly evolving. To remain relevant, organizations must reinvent themselves by being agile and more innovative. Emerging technology initiatives such as digital workplace, DevOps, security automation and the Internet of Things continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and compliant, organizations must actively seek newer ways of assessing and managing the security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon the security posture of the organization by identifying and implementing appropriate controls to prevent such threats.
Privileged Access Management (PAM) represents the set of critical cybersecurity controls that address the security risks associated with the use of privileged access in an organization. There are primarily two types of privileged users:
- Privileged Business Users – those who have access to sensitive data and information assets such as HR records, payroll details, financial information, the company’s intellectual property, etc. This type of access is typically assigned to application users through business roles using application accounts.
- Privileged IT Users – those who have access to the IT infrastructure supporting the business. Such access is generally granted to IT administrators through administrative roles using system accounts, software accounts or operational accounts.
The privileged nature of these accounts provides their users with unrestricted and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish individual accountability for privileged activities. Privileged accounts pose a significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations. Security leaders therefore need a stronger emphasis on identifying and managing these accounts to prevent the security risks emanating from their misuse.
Available Identity and Access Management (IAM) tools are purposely designed to deal with management of standard users’ identity and access, and do not offer the capabilities to manage privileged access scenarios such as use of shared accounts, monitoring of privileged activities and controlled elevation of access privileges and applications. Privileged Access Management tools are designed to address these scenarios by offering specialized techniques and unique process controls, thereby significantly enhancing the protection of an organization’s digital assets by preventing misuse of privileged access.
Privileged Access Management (PAM), over the last few years, has become one of the most relevant areas of Cyber Security closely associated with Identity and Access Management technologies that deal with facilitating, securing and managing privileged access for both IT administrators and business users across an organization’s IT environment.
At KuppingerCole, we define PAM solutions as consisting of the following key tools and technologies:
While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring have been the focus of attention for PAM tools, more advanced capabilities such as privileged user analytics, risk-based session monitoring and advanced threat protection are becoming the new norm - all integrated into comprehensive PAM suites being offered. We see a growing number of vendors taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.
Among the key challenges that drive the need for privilege management are:
- Abuse of shared credentials
- Abuse of elevated privileges by authorized users
- Hijacking of privileged credentials by cyber-criminals
- Abuse of privileges on third-party systems
- Accidental misuse of elevated privileges by users
Consequently, multiple technologies and solutions have been developed to address these security risks as well as to provide better activity monitoring and threat detection. Among all these solutions, technologies for limiting local administrative rights on endpoints, along with application control, play an important role. These technologies, grouped under the umbrella term ‘endpoint privilege management’ or EPM, are fast becoming strong and effective second-in-line defense mechanisms for endpoint threat protection and advanced threat mitigation.
At KuppingerCole, we define EPM solutions to primarily consist of three distinct technologies:
- Application Control: This technology allows organizations to control which applications are allowed to run on an endpoint. This is usually achieved through application whitelisting, in which only known good applications are placed on a pre-approved list and allowed to run. Application control provides effective protection against shadow IT challenges for most organizations.
- Sandboxing: This technology isolates the execution of unknown applications or programs by restricting the resources they can access (e.g., files, registry keys, etc.). This technology, also known as application isolation, provides effective protection against cyberattacks by confining the execution of malicious programs and limiting their means to cause harm.
- Privilege Management: This is predominantly least privilege technology that encompasses user and application privilege management. User privilege management deals with the controlled and monitored elevation of a user account to an administrative account, including the local system account. Application privilege management deals with exception- or policy-based elevation of administrative rights so that known and approved applications or processes can execute successfully.
Endpoint systems such as desktops and laptops are the most vulnerable part of an organization’s attack surface. As the most common entry points for advanced threats such as malware, spyware and other malicious programs, these endpoints are far more exposed than servers or other similar systems that operate in secure network zones. Most advanced attacks target endpoint systems with elevated privileges or administrative rights for successful execution and propagation.
Endpoint protection platform (EPP) technologies are focused on identifying advanced threat vectors and attack signatures to block their entry onto the endpoint. For this they rely heavily on conventional signature databases and are therefore not very effective against altered or obfuscated signatures. Even with advanced threat protection techniques such as behavioral analysis, machine learning and static analysis, the recognition rate for altered or mutated signatures can be significantly low. EPM tools provide a promising addition here by offering an effective and strong second-in-line defense that limits or confines the successful execution of these attack vectors or malicious programs. Most of these programs require elevated privileges for successful execution, and EPM tools can render them ineffective by depriving them of the privileges required to cause the targeted damage. EPM tools offer multiple layers of defense to restrict the successful execution of these programs, ranging from application control to application isolation and least privilege management.
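As an added illustration of how the three EPM controls listed above combine into the second line of defense described here (example code written for this review, not part of the KuppingerCole report or of Thycotic Privilege Manager), the following policy engine evaluates an execution request in the order application control, application privilege elevation, isolation of unknown programs. All policy entries, paths, signers and program bytes are constructed placeholders.

```python
# Added example, not from the report or the product: a minimal EPM policy
# engine. A program is "known" if its SHA-256 hash or its signer is on the
# allowlist; only known programs may run, only approved known programs may
# run elevated, and unknown programs are isolated (or denied) rather than
# executed with the user's rights. All values below are constructed.
from dataclasses import dataclass, field
from typing import Optional, Set
import hashlib

@dataclass
class ExecRequest:
    path: str                  # launched binary (constructed placeholder path)
    content: bytes             # program bytes, hashed for the allowlist check
    signer: Optional[str]      # publisher from the code signature, if signed
    wants_admin: bool          # the process asked for administrative rights

@dataclass
class EpmPolicy:
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_signers: Set[str] = field(default_factory=set)
    elevate_paths: Set[str] = field(default_factory=set)   # approved for elevation
    isolate_unknown: bool = True   # sandbox unknown programs instead of hard deny

def decide(req: ExecRequest, pol: EpmPolicy) -> str:
    digest = hashlib.sha256(req.content).hexdigest()
    known = digest in pol.allowed_hashes or (
        req.signer is not None and req.signer in pol.allowed_signers)
    # 1. Application control: an unknown program never runs with any privilege.
    if not known:
        return "isolate" if pol.isolate_unknown else "deny"
    # 2. Application privilege management: elevation is granted per approved
    #    application, not because a user asked for it; other requests are
    #    stripped of elevation and run with standard user rights.
    if req.wants_admin:
        return "elevate" if req.path in pol.elevate_paths else "run-as-user"
    # 3. Least privilege default.
    return "run-as-user"

def sample_policy() -> EpmPolicy:
    # Constructed allowlist: one hash-pinned installer approved for elevation
    # and one trusted signer whose applications run only as a standard user.
    return EpmPolicy(
        allowed_hashes={hashlib.sha256(b"installer-bytes").hexdigest()},
        allowed_signers={"Example Corp"},
        elevate_paths={"C:\\Tools\\installer.exe"},
    )
```

A dropper that is neither hash-pinned nor signed by a trusted publisher therefore never reaches the elevation step, which is the point made above about depriving malicious programs of the privileges they require.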
Therefore, restricting the execution of such malicious programs, getting a grip on the applications, programs and processes that are allowed to run on corporate endpoints, and ensuring that they use approved entitlements and accounts, such as a standard user account, local administrator account, or service or application account, is an essential piece of protecting the information assets of the organization. These tools, commonly referred to as Endpoint Privilege Management (EPM), must support the commonly prevalent endpoint platforms, i.e. Windows and Mac.
In this Executive View we discuss our analysis of the endpoint privilege management product from Thycotic, Thycotic Privilege Manager, and provide our views on the strengths and challenges associated with the product.
For a detailed overview of the leading PxM vendors, please refer to the KuppingerCole Leadership Compass on Privilege Management[^1].