What is PAM?
What is Privileged Access Management (PAM)?
Privileged Access Management (PAM) is a cyber security domain within Identity and Access Management (IAM) that focuses on monitoring and controlling privileged users and privileged accounts within an organization.
Who are privileged users?
In an organization, privileged users have access to IT and network infrastructure for operation and administration purposes, or have access to sensitive information or assets such as customer records, employee payroll and financial records. Examples of privileged users are:
- System, database and application administrators who have continuous and unrestricted access to a broad range of assets
- Help desk agents who have restricted access to a broad range of assets
- Business application (e.g. ERM, Salesforce) users or users of an organization’s social media (e.g. LinkedIn, Twitter) accounts
- Nonemployees such as vendor support, consultants, contractors
Why is PAM critical for an organization?
Privileged users access an organization’s critical systems, resources and assets using elevated or unrestricted accounts, i.e. privileged accounts. These accounts include local and domain administrative accounts, service accounts, emergency accounts and application accounts, and are referred to as “the keys to the kingdom”. They are primary targets of both external and internal malicious users and have been used in successful attacks to gain access to an organization’s critical systems and resources, resulting in data breaches or service outages with material business impact. Privileged accounts are therefore a potential source of threats to the security posture of any organization because of their elevated or unrestricted access to critical systems and sensitive information.
What are the common capabilities of PAM solutions?
PAM solutions provide monitoring, auditing, tracking and authentication controls to prevent unauthorized access to critical systems and privilege misuse. Common capabilities are:
- Privileged Account Management (e.g. discovery of system/service accounts, securely storing and randomizing such passwords, including making them invisible to users)
- Event logging (e.g. access requests, logins, added/deleted users or systems)
- Session recording (e.g. video records of sessions, keystroke logging, command logging)
- Least Privilege Management (who can access which systems and under what restrictions)
- Integration with Enterprise Applications (e.g. Active Directory, Asset Inventory, IT service management, 2-Factor-Authentication)
- Emergency/break-glass access
- Audit trails and reports to meet regulatory compliance mandates
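To make the capabilities above concrete, the following is an added toy model of a PAM vault in Python (constructed for this page, not any vendor's code): it onboards a discovered account and randomizes its password, enforces a least-privilege entitlement check with a separate break-glass path, hands the user an opaque session token instead of the password, records each command, rotates the password on check-in, and writes every event to an audit trail. All user and account names are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

class PamVault:
    """Toy PAM vault: constructed illustration, not a real product's API."""
    def __init__(self, policy, emergency_users=frozenset()):
        self.policy = policy                     # user -> set of accounts that user may check out
        self.emergency_users = set(emergency_users)  # users allowed to use break-glass access
        self.passwords = {}                      # account -> current password; never returned to users
        self.sessions = {}                       # session token -> (user, account)
        self.audit = []                          # audit trail of every event

    def _log(self, event, user, account, detail=""):
        self.audit.append({"event": event, "user": user, "account": account, "detail": detail})

    def _rotate(self, account):
        # Randomize the stored password; no human needs to learn the new value.
        self.passwords[account] = "".join(secrets.choice(ALPHABET) for _ in range(24))

    def onboard(self, account):
        """Bring a discovered privileged account under vault control."""
        self._rotate(account)
        self._log("onboard", "vault", account)

    def checkout(self, user, account, reason, break_glass=False):
        """Least-privilege check; returns an opaque session token, not the password."""
        entitled = account in self.policy.get(user, set())
        if break_glass:
            entitled = user in self.emergency_users
        if not entitled:
            self._log("denied", user, account, reason)
            raise PermissionError(f"{user} is not entitled to {account}")
        if any(a == account for _, a in self.sessions.values()):
            self._log("denied", user, account, "already checked out")
            raise PermissionError(f"{account} is already in use")
        token = secrets.token_hex(16)
        self.sessions[token] = (user, account)
        self._log("break_glass" if break_glass else "checkout", user, account, reason)
        return token

    def run(self, token, command):
        """Session recording: every command is logged against the session."""
        user, account = self.sessions[token]
        self._log("command", user, account, command)

    def checkin(self, token):
        """Release the account and rotate its password so the credential cannot be reused."""
        user, account = self.sessions.pop(token)
        self._rotate(account)
        self._log("checkin", user, account, "password rotated")
```

Because the user only ever holds a session token, the privileged password stays invisible and is useless after check-in, which is the property real PAM vaults rely on.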