1 Introduction
In the age of digital transformation, the requirements for IT are constantly evolving. To remain relevant, organizations must reinvent themselves by being agile and more innovative. Emerging technologies such as the digital workplace, DevOps, containers, security automation and the Internet of Things (IoT) continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and compliant, organizations must actively seek newer ways of assessing and managing security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon the security posture of the organization by identifying and implementing appropriate controls to prevent such threats. Controlling access to privileged accounts is a key area of securing the new IT landscape.
Privileged Access Management (PAM) solutions are critical cybersecurity controls that address the security risks associated with the use of privileged access in organizations and companies. Traditionally, there are primarily two types of privileged users:
- Privileged Business Users - those who need access to sensitive data and information assets such as HR records, payroll details, financial information, intellectual property, and social media accounts.
- Privileged IT Users - those who need access to the IT infrastructure supporting the business. Such permissions are usually granted to IT admins who need access to system accounts, software accounts or operational accounts.
In recent years the picture has become more complicated, with many more non-traditional users requiring and getting privileged access to IT and business data. Some will be employees working on special projects; others may be developers building applications or third-party contractual workers.
If not managed, privileged accounts provide users with unrestricted and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish individual accountability for privileged activities. Privileged accounts pose a significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations.
Security leaders therefore need to place stronger emphasis on identifying and managing these accounts to prevent the security risks emanating from their misuse.
Existing Identity Governance and Administration (IGA) tools are purposely designed to manage the identity and access of standard users. They do not offer the capabilities to manage privileged access scenarios, such as the use of shared accounts, monitoring of privileged activities and controlled elevation of access privileges, and ultimately to perform governance actions on privileged users and elevated access. Privileged Access Management solutions address these challenges by offering specialized techniques and unique process controls, thereby significantly enhancing the protection of an organization’s digital assets.
In recent years, PAM solutions have become more sophisticated, making them robust security management tools in themselves. While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring are now almost standard features, more advanced capabilities such as privileged user analytics, risk-based session monitoring, advanced threat protection, and the ability to embrace PAM scenarios in an enterprise governance program are becoming the new standard to protect against today’s threats - all integrated into comprehensive PAM suites.
Among the key challenges that drive the need for privilege management are:
- Abuse of shared credentials;
- Abuse of elevated privileges by unauthorized users;
- Hijacking of privileged credentials by cyber-criminals;
- Abuse of privileges on third-party systems;
- Accidental misuse of elevated privileges by users;
- The requirement to perform attestations on privileged users and admin accounts.
Furthermore, there are several other operational, governance and regulatory requirements associated with privileged access:
- Discovery of shared accounts, software and service accounts across the IT infrastructure;
- Identifying and tracking of ownership of privileged accounts throughout their lifecycle;
- Establishing Single Sign-on sessions to target systems for better operational efficiency of administrators;
- Auditing, recording and monitoring of privileged activities for regulatory compliance;
- Managing, restricting, and monitoring administrative access of IT outsourcing vendors and MSPs to internal IT systems;
- Managing, restricting, and monitoring administrative access of internal users to cloud services.
Consequently, multiple technologies and solutions have been developed to address these risks as well as provide better activity monitoring and threat detection. A specific area is the in-depth protection of server platforms such as Unix, Linux, and Windows. Solutions in this area focus on protecting accounts such as “root” or “admin” on these systems as well as delivering in-depth protection against unwanted privilege elevation, together with capabilities for restricting the use of, for example, specific shell commands. While they do not cover everything, such tools are an essential element in a holistic PAM architecture, delivering in-depth protection for defined target platforms.