Commissioned by PATECCO
1 Introduction
Traditionally, the management of identities and their access to IT systems within an organization have been split up within different disciplines. Business users, the so-called standard users, have been managed within the traditional Identity and Access Management (IAM) systems and have been more recently covered within Access Governance and access analytics systems. Privileged Access Management (PAM) is the term for technologies that manage administrative accounts, that help monitor and limit elevated rights and support in managing shared accounts. In the past, Privilege Management developed out of the management of shared accounts and passwords.
In recent years, the perception of privilege management has changed considerably. Various vendors have significantly expanded their offerings, while various acquisitions have also resulted in infrastructure vendors offering a broader product portfolio and evolving from specialized niche vendors to market leaders. Within the last 5 to 10 years Privilege Management has been added to the portfolio of identity and access capabilities provided by IAM, Corporate Governance or Security teams.
Why should an attacker be satisfied with taking over the account of a regular user if he can instead take over entire segments of an IT infrastructure as an illegitimate administrator?
Managing privileged users or, as KuppingerCole refers to it, Privilege Management, is a significant undertaking for an organization. An insider is often more knowledgeable and aware of the business’ process and technical landscape. And if an insider account gets hijacked, the outsider has the same opportunities for attacking. The malicious insider (or the hijacked one) with privileged credentials can cause significant damage including, but not limited to:
- Delete, modify or read all email and other communication records;
- View or modify salary records of all employees;
- Leak of intellectual property;
- Share confidential data, including personal information, with shareholders or hacktivists.
But it is not only threats that have changed and increased. The last decade has seen significant changes in business requirements and IT. Business models have changed, the ubiquitous digitalization has completely transformed enterprises, their networks and their application infrastructure. New infrastructure concepts in the cloud, delivered as infrastructure as a service, up to completely new offerings through business-software as a service create a multitude of new administrative accounts. New applications and platforms based on mobile devices create new work concepts and business models on the one hand, and present IAM and Privilege Management with new challenges on the other.
In a time of increasing numbers of cyber-attacks and data breaches, it is obvious that these incidents are related to privileged user accounts. In addition, analyses of the latest security incidents suggest that large scale data theft is likely to be caused by users with elevated privileges, typically administrative users. So, it's not surprising that privilege management is not just an issue that executives (CIOs and CISOs) have to deal with but is increasingly an area that auditors and regulators have to put on the agenda. In positive terms, the impact of privilege management (and therefore the benefits of investing in this area) on overall risk mitigation is exceptionally high compared to other types of IT and security technologies.
Privileged Access Management represents the set of critical cybersecurity controls that deal with the management of security risks associated with privileged access in an organization.
This white paper describes how Privilege Access Management is integrated into a comprehensive IAM architecture. It provides an overview of essential components and current enhancements and trends in this area. The final section shows the importance of an adequate implementation of Privileged Access Management in a user company, exemplified by the consulting activities of PATECCO and its range of services.