What is Privileged Access Management (PAM)?

February 18, 2021

What is PAM?

PAM or privileged access (or account) management is a way to define and control privileged users and administrative accounts. Managing these types of users is essential to preventing identity-based and other types of malware attacks because the elevated privileges granted to these accounts can give adversaries access to most or all of the environment.

“Privilege” denotes the level of access an entity should have. For instance, all HR personnel should have access to policy manuals, but only some HR personnel should have access to executive compensation information. An API should be able to retrieve data from a public database, but not from the host’s own corporate databases.

Some examples of privileged accounts are:

  • User website logins
  • User accounts with heightened login or group privileges
  • User administrative accounts
  • Emergency accounts used by IT and sysadmin personnel
  • Domain admin accounts
  • Root accounts
  • APIs
  • Service accounts

PAM vs. IAM

PAM is frequently confused with identity access management (IAM). PAM and IAM are focused on the same problem in a broad way, but PAM is recommended as the primary solution because it helps enterprises control privileged users and accounts

IAM controls the access and experience of users. However, it doesn’t provide visibility into when and how privileged access is granted to applications, services, and databases. Therefore, IAM is recommended as a complementary solution to PAM, or — ideally — they are integrated together.

PAM, on the other hand, is focused on protecting access to business and technical accounts. PAM centralizes management of administrator profiles and ensures least-privileged access to sensitive data. It provides visibility into how identities are being used, logs session reports, and audits and monitors the actions of system administrators, which is relevant to compliance and is reviewed during periodic audits.

How to Eliminate Insider Threats

Read this white paper to learn how to stop insider threats without logs, no tuning, and 50% less cost.

Download Now

Why is privileged access management important?

In short, a PAM solution is important because it allows organizations to: 

  • Control privileged access to the most sensitive resources
  • Comprehensively discover and manage all privileged access
  • Detect insider threats
  • Stop targeted attacks and misuses of protocol
  • Support regulatory compliance
  • Reduce administrative and security operations costs and inefficiencies

Learn More

Can your PAM solution give you instant insight into all privileged accounts? Watch this webinar to learn how attackers exploit privileged access gaps and how CrowdStrike Falcon Zero Trust can help instantly discover and gain insights into privileged accounts.Watch: A Modern Approach To Privileged Access Management (PAM)

Benefits of PAM

PAM lets organizations control privileged access to the most sensitive resources. It is frequently used for gatekeeping systems such as HR, SWIFT, transactional databases or websites, intellectual property repositories, and other types of highly-regulated or sensitive resources that need the greatest security.

Most enterprises struggle to comprehensively discover and manage all privileged access. They are often host to thousands or even millions of abandoned privileged accounts that are not being managed and can be used as backdoors for disgruntled employees. PAM can discover and deactivate these zombie accounts.

PAM helps secure the ever-expanding attack surface. For instance, there are about 31 billion IoT devices in use today, and they are often shipped with default passwords that their owners never change. Adversaries are aware of this and seek out unprotected IoT devices to use as a launch point for other types of attacks, such as malware distribution, DDoS, phishing, etc. A PAM solution should be able to automatically discover default login and passwords as well as improperly-secured IoT devices and provide visibility into their access behavior.

PAM delivers business benefits as well as security benefits. Chiefly, PAM can deliver cost savings. Of course, failure to adequately manage privileged access can open the door to adversaries, but it can also cause server failures and downtime that reduce productivity and require IT man-hours to repair. Modern PAM solutions save those hours by automating the process of granting and revoking privileged access. Credentials are only valid for as long as they’re needed, so the problem of abandoned privileged accounts is eliminated. And now, PAM solutions may be part of a broader security platform that can dynamically protect hybrid clouds and DevOps environments

The obvious risk of poor privilege management is granting too much access and allowing an unauthorized person to interact with data or services to which they are not entitled. But overly-restrictive privileges are risky as well.

For instance, if an API prevents access to a public endpoint, the supply chain can break. If a customer logs in to update their credit card information but is not able to accomplish that task, their user experience is poor and their call to the support desk increases operational costs. If an IoT device is not allowed to upload data, inventory decisions will be based on inaccurate information. For these reasons, privilege access management isn’t just a security concern, it’s a concern for anyone responsible for the success of an enterprise.

3 Noteworthy Examples of Breaches that Leveraged Privileged Accounts

Seventy-four percent of data breaches start with the abuse of privileged credentials. Below are three real-life examples of high-profile companies that suffered breaches involving privileged accounts:

1. Twitter

In July 2020, hackers were able to use a phone spear-phishing attack to obtain the credentials of Twitter employees who had access to account management tools. With this access, the attackers were able to tweet from 45 accounts and access the DM inbox of 36. Read Twitter’s statement

2. Uber

In 2011, it was discovered that attendees at an Uber launch party had access to the app’s “God View,” which allowed them to see the real-time whereabouts of actual Uber riders. A 2016 settlement with the New York Attorney General, Uber was required to limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls, and a formal authorization and approval process.

3. Yahoo

The 2014 Yahoo breach took place after hackers were able to acquire the credentials of a “semi-privileged” Yahoo employee using a spear-phishing email. Once the hackers had access to Yahoo’s internal network, they were able to locate the user database and eventually gain access to targeted user accounts.

How PAM Solutions Work

PAM solutions protect privileged accounts by providing the ability to:

  • Change, add or remove users and passwords
  • Enforce password hygiene according to the organization’s security policy
  • Monitor privileged account accesses, detect anomalies in privileged account behavior and respond by shutting down or changing passwords
  • Broker administrative access controls through the use of either a jump server or a privileged access workstation (PAW)
  • Require configuration and loading with particular privileged accounts that need additional monitoring.

PAM solutions can be divided into two categories: traditional and modern. Traditional PAM tools rely on static, prescriptive or binary approaches, such as password vaults, session replay, and the temporary elevation of privileges. They may also include integrated support for multifactor authentication and privileged account monitoring.

An important caveat is that traditional PAM solutions do not offer analytics, so enterprises have to integrate their PAM product with their security analytics product. Finding and containing the source of a threat in these circumstances takes an average of 73 days — which leads directly to the next limitation of traditional PAM solutions: they are not good at spotting lateral movement, especially not in the complex hybrid environments that are common today. During the time it takes to identify a threat, the adversary is inside the network, learning, exploring, and getting to their payload at leisure.

Modern PAM solutions have those capabilities as well, but they are much more powerful because they address risk dynamically in real-time. Modern PAM solutions protect all user and service accounts, deploy adaptive policy-based controls and responses, monitor behavior, perform protocol detection and provide visibility into all network traffic, including access by all users and all service accounts in real time.

Learn More

Solenis CISO Adrian Giboi explains how he approaches the challenges of privileged access management without the user friction seen in other solutions.Watch: Reducing User Friction With Privileged Access Management

Features

Look for a modern PAM solution that offers:

  • Automated privileged account discovery across on-premises domains as well as cloud services
  • Ease of use with clean processes for on-boarding and off-boarding accounts
  • The use of security policy best practices for password management, including length, complexity and comparison against known and overused passwords in public lists, such as HaveIBeenPwned.com
  • The use of two-factor authentication and enforcement for all privileged accounts
  • Controlled access to master keys with specific time limits for resets
  • Audit capabilities for all privileged accounts and the ability to schedule regular reports on activity

What are the challenges of PAM implementations?

Administration of a PAM can be time-consuming and manual. Consider the following implementation and operational challenges where you are creating PAM rules for a specific server:

  • Manual set up time to add a specific set of users to a service or application
  • Likewise, creating domain groups specific to PAM systems can be time-consuming for the domain administrator
  • The same care needs to be taken when removing users from a service or application – even when changing positions within an organization to remove privileged access
  • Users often use the same password across multiple accounts, making the privileged account and service vulnerable to pass-the-hash type attacks
  • If required by the PAM implementation, unique passwords set up locally for only one account or service are more frequently forgotten, resulting in overhead via support and ticketing, and adding complexity and friction for the end user
  • Access logs held on each server can be wiped by malicious actors, eliminating the forensics trail; centralized visibility is preferred
  • It can be difficult to see what visibility and access an individual user has to which systems without running additional access discovery software

9 Best Practices to Prevent Breaches From Privileged Accounts

PAM requirements are evolving rapidly as work-from-home, connected workplaces, IoT/5G and other trends emerge. However, there are a few fundamental best practices that apply to every enterprise:

  1. Automate privileged account discovery
  2. Segment privileged accounts
  3. Practice rigorous employee on-boarding and off-boarding policies and procedures
  4. Automate threat detection and prevention for PAM
  5. Force all privileged accounts to access the jump server or PAW for abnormal behavior
  6. Enforce frictionless policies for PAM users
  7. Execute device tracking and coverage when privileged credentials suddenly appear on new or un-sanctioned endpoint devices
  8. Combine PAM with identity protection to verify identity and trigger multifactor authentication, reduced permissions and mandatory password changes
  9. Block access based on policy and context