April 12, 2019 // Ellen Neveux // Last Updated: June 13, 2019
Privileged access management (PAM) refers to a segment of network security solutions that control and monitor the activity of internal employees who hold privileged accounts. These tools address the vulnerabilities introduced when users with high-level permissions require access to critical systems.
Why is PAM important?
Strong perimeter protections installed to stop malicious attacks are rendered powerless if a bad actor has already bypassed firewall defenses using an active user account. Compromised accounts are a very common vulnerability and a particularly difficult challenge for network managers. In fact, Verizon’s 2017 Data Breach report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords. This type of breach is hard to detect unless strict controls and comprehensive activity monitoring are in place. For PAM tools, this is the primary function.
Privileged accounts, also known as administrative accounts, have access to critical data and infrastructure. Certain users play a vital role in ensuring network efficiency; however, the embedded permissions of their privileged accounts make them high-value targets for bad actors.
A well-executed privileged access management strategy establishes regulated individual user access controls and behavior transparency to mitigate security risks. PAM tools are introduced to ensure that users only have access to what is required to do their job and nothing more.
An effective privileged access management tool will address several key areas of network defense – advanced credential security, systems and data access control, and user activity monitoring. Oversight in these target areas reduces the threat of unauthorized entry and makes it easier for IT managers to spot suspicious or risky operations.
Understanding credential storage and PAM
When privileged accounts are created or defined, credentials for that account need special protection. A credential storage solution, or password management system, is utilized to prevent theft or mismanagement.
By storing credentials in a “vault,” privileged users must go through their PAM tool for authentication – and a record of this process is logged. Further, this centralized storage method allows credentials to be reset after each use. This achieves advanced protection and allows for thorough auditing.
Access control and PAM
Privileged accounts are governed by the permissions granted to them. These permissions define the scope of access a user has. Best practice is to enforce least privilege, and network managers need the ability to restrict or expand access in real time.
Least privilege and granular controls
Compliance with least privilege means accounts are segmented by roles and rights. Creating these silos confines even privileged users to only the areas and activities necessary to complete authorized operations.
Admins need granular controls to make individual changes or to affect access en masse. Proper implementation of access controls should allow network admins to manage permissions at a very granular (port) level. For example, a user could be restricted to read-only access on a particular directory. In addition, user access expiry schedules provide further control and protection.
Another valued consequence of these detailed permissions being linked to an individual is that activity can be tied to that user. So if something goes wrong, network admins can go right to the source.
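The access-control model described in this section (a grant scoped to one directory, limited to read-only, with an expiry, and a decision that is attributable to the user), as an added example that is not from the original article or any particular PAM product. The `Grant` structure, `check_access` function, user names and paths are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical grant model assumed for this example: one grant ties a user to a
# resource scope (a directory), the operations permitted there, and an expiry.
@dataclass(frozen=True)
class Grant:
    user: str
    scope: str            # directory the grant covers, e.g. "/srv/reports"
    ops: frozenset        # permitted operations, e.g. frozenset({"read"})
    expires: datetime     # grant is dead from this instant onwards

def _in_scope(scope, path):
    """True if path is the scope directory itself or anything beneath it."""
    scope = scope.rstrip("/")
    return path == scope or path.startswith(scope + "/")

def check_access(grants, user, path, op, now):
    """Deny by default; allow only when a live grant covers user, path and op.
    Returns (allowed, reason) so every decision can be tied back to the user."""
    reason = "no grant covers this user and path"
    for g in grants:
        if g.user != user or not _in_scope(g.scope, path):
            continue
        if now >= g.expires:
            reason = f"grant on {g.scope} expired at {g.expires.isoformat()}"
            continue  # an expired grant permits nothing
        if op in g.ops:
            return True, f"permitted by grant on {g.scope}"
        reason = f"{op} not in permitted ops {sorted(g.ops)} for {g.scope}"
    return False, reason

# Constructed sample data: alice is read-only on one directory until 17:00 UTC.
T0 = datetime(2019, 6, 13, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "/srv/reports", frozenset({"read"}), T0.replace(hour=17)),
]
```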
The importance of auditing and monitoring
The ability to produce a comprehensive audit of user activity is essential to network security and a requirement for compliance with several federal regulations. Each time a privileged credential is used, that session should be logged. A complete report includes the name of the user, what time their session began, how long it lasted, and what was done under the power of that credential. It’s important to monitor this activity to ensure privileged credentials are being used appropriately and that a user’s behavior is not a threat to the network.
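The vault workflow from the credential storage section (credentials handed out only through the PAM tool, the handout logged, the credential reset after each use) together with the session record this section describes (user, start time, duration, actions), as an added example written for this article rather than taken from it or from any PAM vendor. The `CredentialVault` class, the account and user names and the recorded actions are all constructed.

```python
import secrets
from datetime import datetime

class CredentialVault:
    """Toy vault: a privileged password is handed out only through a checkout,
    every checkout becomes an audit record, and the password is rotated on check-in."""
    def __init__(self):
        self._passwords = {}   # account name -> current password
        self._open = {}        # session id -> checkout in progress
        self.audit = []        # completed session records

    def store(self, account, password):
        self._passwords[account] = password

    def checkout(self, user, account, now):
        # Assumption: `user` already authenticated to the PAM tool; the vault
        # only records who took which credential and when.
        sid = secrets.token_hex(8)
        self._open[sid] = {"user": user, "account": account, "start": now, "actions": []}
        return sid, self._passwords[account]

    def record(self, sid, action):
        # Everything done under the credential is attributed to the session's user.
        self._open[sid]["actions"].append(action)

    def checkin(self, sid, now):
        s = self._open.pop(sid)
        # Rotate: the value the user saw no longer opens anything.
        self._passwords[s["account"]] = secrets.token_urlsafe(24)
        entry = {"user": s["user"], "account": s["account"],
                 "started": s["start"].isoformat(),
                 "duration_s": (now - s["start"]).total_seconds(),
                 "actions": list(s["actions"])}
        self.audit.append(entry)
        return entry

    def current_password(self, account):
        return self._passwords[account]

def demo_session():
    """Constructed walk-through: one checkout, two recorded actions, check-in."""
    vault = CredentialVault()
    vault.store("db-admin", "initial-secret")
    t0 = datetime(2019, 6, 13, 9, 0)
    sid, pw = vault.checkout("alice", "db-admin", t0)
    vault.record(sid, "GRANT SELECT ON audit_log TO analyst")
    vault.record(sid, "REVOKE ALL ON customers FROM legacy_app")
    entry = vault.checkin(sid, t0.replace(minute=25))
    return pw, vault.current_password("db-admin"), entry
```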
Privileged access management for vendors
Privileged accounts are not just given to internal employee users. Organizations that utilize external technology vendors or contractors need protection against threats unique to third-party remote access users. Vendor privileged access management (VPAM) refers to solutions that specifically address these risks.
Traditional PAM solutions work effectively to manage internal privileged accounts because they operate based on the assumption that admins know the identity of each individual accessing the network. This is not the case with third-party users.
Multi-factor authentication becomes a critical element. Network managers must be able to identify and authenticate users through advanced methods that tie them to active vendor accounts. In addition, admins need ready offboarding controls.
A robust VPAM solution will monitor vendor user activity at all times. External users pose a unique threat because network managers cannot control the security practices of their vendor partners; they can only protect against risky user behavior. Detailed tracking is key and will protect against unauthorized use.
Privileged access management is a crucial part of network security and should be implemented for all users – internal and external – that are granted advanced permissions. Organizations need these solutions to ensure comprehensive protection of critical data and systems.