What is PEM, and why should I care?

Imagine all the computers in your organisation. That's a lot.

There are many you've probably not included (unless you work in an IT Infrastructure or Operations team). For example, the shared servers and other devices that are hidden away in server rooms or behind locked doors. That's where Osirium PAM is used for Privileged Access Management (PAM) to protect access with administrator-level permissions.

But, the largest population of computers could be the workstations or laptops on every desk across the business.

PAM is fast becoming a standard part of every IT operations team toolkit for keeping valuable shared services and devices secure. After all, it has repeatedly been highlighted as a recommended priority by Gartner and other experts.

But the same attention hasn't (yet) been applied to that vast sea of end user's workstations (often called, in the jargon, "endpoints").

The Challenge of Administrators on endpoints

Back in the golden days (if you can call them that) of Windows 95, computer operating systems were simple to manage. Anyone could install any software or make any changes they needed or wanted to. Happy days!

Not unsurprisingly, that led to a lot of problems. Users might install software they shouldn't or code that had been infected with malware. In response, from around Windows Vista onwards, Microsoft started to introduce "User Account Controls (UAC)" to limit what users could do with their computers in the corporate environment. With the right controls enabled, and these days they're on by default, the user was presented with a pop-up window before running an application or installer that needed administrator rights.

They would have to log in with user credentials (i.e. username and password) that had been granted permission to make changes on that computer whenever trying to make system-level changes. These accounts were known as "privileged accounts" or if the permission was granted only for that computer, "local administrator" accounts and only made available to expert administrators.

This made IT managers happier as it prevented end-users installing risky software or making changes they shouldn't. But, end-users were far from happy. Every time they wanted to make a change, they'd have to raise a request with their IT help desk and wait for an administrator to be available to visit the user's desk to make the change. Now, IT wasn't happy as they were getting swamped by a multitude of requests for small changes when they had more strategic work to do.

A Cunning Plan!

In the end, many IT teams started creating a second account on those endpoints that had local administrator privileges. For most of the time, the user ran with their normal user account, which had very limited permissions. When they needed to install software or make system changes, they would be presented with the UAC prompt but could provide their local admin account credentials without calling IT.

But there's a catch!

Everyone seems happy at that point: end-users have only mild interruptions, and IT have off-loaded a lot of calls to the help desk. But it's only a temporary state. Now there's a proliferation of administrator accounts out across the business. There's no control to stop users from installing unwanted software, being compromised by malware or leaking those powerful account credentials.

There is a solution - Privileged Endpoint Management

Osirium's PEM is a new offering as part of the Privileged Access Security suite. It's entirely focused on the issue of allowing users to run specific applications or processes with elevated privileges. With PEM, IT can easily build lists of approved applications (sometimes called a "whitelist"). Permissions can be granted to a group of users, using Active Directory, to run selected applications. Being policy-based, it's easy to manage who gets which permissions and to use existing tools and skills to deploy the policies.

A major advancement with PEM is its "Learning Mode." During an implementation phase, PEM is used in a passive mode, recording all activity by users where they use the Windows "Run as Administrator" option. The list of applications is reviewed by IT to ensure that the app is one that should be allowed, it comes from a reputable source, and the executable is "fingerprinted" to ensure it hasn't been contaminated by malware.

After a few weeks, the vast majority of privileged applications will have been discovered. Once reviewed and policies created, PEM is switched to "Enforce" mode. At that point, the Local Administrator accounts can be deleted, and users are only allowed to run approved privileged applications. Because the approved list was built based on real user behaviours, they will see very few instances of applications that haven't been reviewed. If there are new applications the user needs, they can request access via normal help desk channels. As these are the exceptions, there are few calls for the help desk to handle.

Balancing productivity vs security

With PEM deployed and active, the balance between productivity and security is restored. Users can do the work they need with few calls to the Help Desk. IT gets fewer interruptions and can focus on more valuable work. Auditors can see who had access to which applications and logs show the actual users, not an arbitrary administrator account.

Sometimes, "Endpoint Management" is used to describe a broad range of capabilities from operating system deployment to desktop customisation. That can generate even more administrative effort and need complex infrastructure. With PEM's approach, the focus is on being lightweight, easy to deploy, and focused on the most pressing security problem to solve: removing administrator accounts from across the business.

If you'd like to learn more about Osirium PEM, please get in touch.

Related Topics