October 25, 2019 // Tony Howlett // Last Updated: April 29, 2020
Privileged Access Management (PAM) is a newer technology within the Identity and Access Management (IAM) space that focuses on applying additional controls and protections on accounts with privileged or administrative rights. It’s one of the fastest-growing segments of the cybersecurity technology space and is a combination of tools and technologies used to secure, control, and monitor access to an organization’s critical information and resources via privileged accounts. Subcategories of PAM include privileged password management, privileged session management, vendor privileged access management, and application access management.
Privileged user accounts are significant targets for attacks because they have elevated permissions, access to confidential information, and the ability to change settings. If compromised, considerable damage could be done to organizational operations. Types of accounts that should be managed by a PAM program include local administrator accounts, Microsoft Active Directory application and service accounts, domain administrator accounts, server administrator accounts, and administrative accounts for external services such as cloud infrastructure and SaaS providers.
PAM software and tools work by gathering the credentials of privileged accounts into a secure repository (a vault) to isolate their use and log their activity. This separation is intended to lower the risk of admin credentials being stolen or misused. Some PAM platforms won’t allow privileged users to choose their own passwords. Instead, the platform’s password manager issues a one-time password each time an admin logs in, or a password that is valid only for that day. The PAM platform holds the actual admin credentials, hiding them from the user’s view and rotating them frequently to long, complex values that would be difficult for a human to manage.
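As an added illustration of the vault model just described (this is example code, not taken from any PAM product), the following Python sketch keeps the privileged secret inside the vault, releases it to one user for a bounded session, records every step in an audit trail, and rotates the secret on check-in so the value the admin saw can never be reused. Account names, users and the TTL below are constructed sample values.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """Long random secret that no human is expected to remember."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Vault:
    # account -> current secret; the vault, never the admin, chooses these
    store: dict = field(default_factory=dict)
    # account -> (user, expiry timestamp) while checked out
    checkouts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def onboard(self, account: str) -> None:
        """Bring an account under management with a fresh, vault-owned password."""
        self.store[account] = generate_password()
        self.audit.append(("onboard", account, None))

    def checkout(self, account: str, user: str, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
        """Release the secret to one user for one time-bounded session."""
        now = time.time() if now is None else now
        holder = self.checkouts.get(account)
        if holder and holder[1] > now:  # still held by a live session
            raise PermissionError(f"{account} already checked out by {holder[0]}")
        self.checkouts[account] = (user, now + ttl)
        self.audit.append(("checkout", account, user))
        return self.store[account]

    def checkin(self, account: str, user: str) -> None:
        """End the session and rotate, so the released value is now dead."""
        holder = self.checkouts.pop(account, None)
        if holder is None or holder[0] != user:
            raise PermissionError(f"{account} is not checked out by {user}")
        self.store[account] = generate_password()
        self.audit.append(("rotate", account, user))

    def verify(self, account: str, password: str) -> bool:
        """What the target system would do with a presented secret."""
        return secrets.compare_digest(self.store[account], password)
```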
PAM is important for companies that are rapidly expanding their IT systems or already have complex systems with many privileged credentials across a broad variety of IT infrastructure. In fact, it’s so important that analysts at Gartner have named it as a top security project of 2019.
PAM tools and software typically provide the following features:
Vendor privileged access management (VPAM) is a subset of PAM that focuses on high-level external threats that come from an organization’s reliance on external partners (vendors or third parties) to support, maintain, or troubleshoot certain technologies and systems inside their corporate network. Representatives from these vendors require privileged remote network access to complete their tasks, thus posing a unique threat to overall IT management, security, and compliance if not properly managed.
VPAM solutions are specifically built for managing the distinctive, high-stakes threats that third-party vendors present. Third-party users complicate threat management as they cannot be tracked and managed in the same way as internal employees. Since employees working for vendors fall outside the control of their customers, companies may have little understanding about who they are, how they are using a company-provided login, and when they are no longer working for the vendor. VPAM helps organizations control and monitor third parties’ privileged access to critical applications and systems while streamlining the management of all transient users.
VPAM products provide three key areas of value to mitigate risks associated with third-party vendor remote access:
Together, PAM and VPAM create layered protection for organizations. PAM protects valuable privileged accounts with additional control; VPAM makes sure that external resources using privileged accounts, such as third-party vendors, are given access only to the networks, applications, and resources they need in order to do their job.