1 Introduction
In the age of digital transformation, the requirements on IT infrastructure and IT business processes are constantly evolving. To remain relevant, organizations must reinvent themselves by being agile and more innovative. Emerging technology initiatives such as digital workplace, DevOps, security automation and the Internet of Things continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and to comply with regulatory obligations and control objectives, organizations must actively seek newer ways of assessing and managing security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon the security posture of the organization by identifying and implementing appropriate controls to prevent such threats.
Privileged Access Management represents the set of critical cybersecurity controls that address the security risks associated with the use of privileged access in an organization. There are primarily two types of privileged users:
- Privileged Business Users - those who have access to sensitive data and information assets such as HR records, payroll details, financial information, company’s intellectual property, etc. This type of access is typically assigned to the application users through business roles assigned to either application or directory login accounts.
- Privileged IT Users – those who have access to IT infrastructure. Such access is generally granted to system, network or database administrators through shared system, software or operational accounts which have unfettered access to system configuration and operations.
The unrestricted or highly elevated nature of these accounts provides their users with powerful and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish personal accountability for privileged activities. Privileged accounts pose a significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations. Security leaders therefore need to place a stronger emphasis on identifying and managing these accounts to prevent the security risks that arise from their misuse, as compared to the risk associated with misuse or compromise of business accounts with elevated privileges within individual applications.
Available Identity and Access Management (IAM) tools are designed to deal with management of business users’ identity and access, and do not offer the capabilities to manage privileged access scenarios such as use of shared accounts, monitoring of privileged activities and controlled elevation of access rights. Privileged Access Management tools are designed to address these scenarios by offering specialized techniques and unique process controls, thereby significantly enhancing the protection of an organization’s digital assets by preventing misuse of privileged access.
While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring have been the focus of attention for PAM tools, more advanced capabilities such as privileged user analytics, risk-based session monitoring and advanced threat protection are becoming the new norm - all integrated into comprehensive PAM solutions. We see a growing number of vendors taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.
Among the key challenges that drive the need for privilege management are:
- Abuse of shared credentials;
- Abuse of elevated privileges by unauthorized users;
- Hijacking of privileged credentials by cyber-criminals;
- Abuse of privileges on third-party systems;
- Accidental misuse of elevated privileges by users.
Furthermore, there are several other operational, governance and regulatory requirements associated with privileged access:
- Discovery of shared accounts, software and service accounts across the IT infrastructure, on premises and in the cloud
- Identifying and tracking of ownership of privileged accounts throughout their life-cycle
- Establishing Single Sign-on session to target systems for better operational efficiency of administrators
- Auditing, recording and monitoring of privileged activities for regulatory compliance
- Managing, restricting, and monitoring administrative access of IT outsourcing vendors and MSPs to internal IT systems;
- Managing SSH keys across all systems.
KuppingerCole defines the various areas of PAM as follows:
Shared Account Password Management (SAPM): Shared Account Password Management offers technology to securely manage privileged credentials including system accounts, service accounts or application accounts that are generally shared in nature. At the core of SAPM products is an encrypted and hardened password vault for storing passwords, keys and other privileged credentials for a controlled, audited and policy-driven release and update.
Privileged Session Management (PSM): Privileged Session Management offers the technology to establish a privileged session to target systems including basic auditing and monitoring of privileged activities. PSM tools also offer authentication, authorization and Single Sign-On (SSO) to the target systems.
Application-to-Application Password Management (AAPM): AAPM is an extension of SAPM tools to manage accounts used by an applications or systems to communicate with other applications or systems (such as databases etc.). AAPM tools offer elimination of hardcoded credentials in application code, scripts and other configuration files by offering a mechanism (generally APIs) to make credentials securely available when requested.
Session Recording and Monitoring (SRM): SRM is an extension of PSM tools to offer advanced auditing, monitoring and review of privileged activities during a privileged session, including but not limited to key-stroke logging, video session recording, screen scraping, OCR translation and others.
Controlled Privilege Elevation and Delegation Management (CPEDM): Technology that deals with controlled elevation and policy-based delegation of a users’ (normally unprivileged) privileges to super-user privileges for administrative purposes.
Privileged User Behavior Analytics (PUBA): PUBA uses data analytic techniques to detect and respond to threats based on anomalous behavior against established behavioral profiles of administrative groups.
Endpoint Privilege Management (EPM): EPM offers capabilities to manage threats associated with local administrative rights on windows, mac or other endpoints. EPM tools essentially offer controlled and monitored escalation of user’s privileges on endpoints and include capabilities such as application whitelisting for endpoint protection.
Privileged Access Governance (PAG): PAG deals with offering valuable insights related to the state of privileged access necessary to support decision making process. PAG includes privileged access certifications and provisions for customizable reporting and dashboarding.
While some of these are core PAM capabilities, such as SAPM, PSM and SRM, the others like EPM and PUBA are considered as optional PAM capabilities for evaluation of a PAM vendor.
Hitachi ID is one of the most established vendors in the PAM space, delivering a broad set of PAM capabilities based on its Privileged Access Manager product. The product is fully integrated with other products in the Hitachi ID Identity and Access Management Suite, namely, Identity Manager and Password Manager. All the three products are built using a common platform and code base.
For a detailed overview of the leading PAM vendors, please refer to the KuppingerCole Leadership Compass on Privilege Management[^1].