An Introduction to Privileged Access Management

Why is PAM so Important?

Every system, service, application, and device in your organization has powerful administrator accounts. Those “admin” accounts have huge power. They can make substantial changes to those systems, access valuable corporate IP, or reveal personally identifiable information (PII). It’s no surprise that these accounts are prized targets for cyber attackers as they are so powerful.

Controlling access to those powerful accounts is a foundational need for the organization. When those accounts are not managed, all the IT and cybersecurity systems the business depends on are at risk. The ultimate goal is to ensure that any person accessing a system has the least level of elevated rights needed, on only the systems they need, and for the shortest period of time needed to get their work done.

Good PAM is not optional. Every organization is subject to regulation, such as GDPR, PCI DSS or Sarbanes-Oxley, or wants to implement best practices such as Cyber Essentials or ISO 27001 to improve customer service and reduce risk.

Every one of those standards has a requirement to manage privileged access. Osirium has several whitepapers to show how PAM is relevant to ISO 27001, Cyber Essentials and Digital Security and Protection in the NHS.

For all these reasons, PAM is not an optional purchase. The decision for the company is how to acquire and implement the best PAM for their organization in the most cost-effective and business-enhancing manner possible.

If you would like more information, please get in touch.

“Privileged access represents a significant security risk for every organization, and privileged access management (PAM) is a discipline that must be considered a core part of every security program.” – Gartner, “Buyers’ Guide for Privileged Access Management”

Key Benefits of Osirium PAM

Credential Management

Separate users from passwords

Privileged accounts such as Admin or Superuser are the most powerful and dangerous in your organization. The best way to start protecting them is to make sure users can't actually get access to them.

That's where Privileged Access Management (PAM) is key.

Learn more about protecting valuable admin credentials

Session Management

Monitor and track privileged sessions

Once a user has gained access to a system using privileged access credentials, you need to know what they're doing. That's especially true if it's a remote worker or third-party supplier, where you don't have so much control over who is using the access.

That's where Session Management and Recording is so important.

Learn more about managing and recording privileged sessions

MAP Server

Protect privileged applications

In some cases, IT experts need full access to a system or device and need to use "root" level connections. In most cases that's more access than is really needed, so best practice is to let the user access just the applications they need to do their work.

With Osirium PAM, the MAP Server ensures the user can only use the applications they need.

Learn more about protecting applications with Osirium MAP Server

Automation

Protect privileged work

The best, and most proactive, protection of privileged access is to ensure it can only be used to perform the work that it should. By wrapping applications, services and devices with Automation, users can't do anything they shouldn't, and a full audit trail is kept.

See how Osirium's unique Automation is the ultimate privileged access protection.

Learn more about automating privileged tasks and processes

An overview of Privileged Access Management

Read this high-level overview to see how PAM can protect your shared devices and services, manage privileged users and accounts and simplify remote access.


Osirium PAM Capabilities

Every IT infrastructure is managed by privileged users. Users such as SysAdmins are granted elevated control through accessing privileged accounts to ensure that the uptime, performance, resources and security of the computers meet the needs of the business. Privileged account abuse presents one of today’s most critical security challenges and is increasingly the hacker’s favoured way of breaching your defences, so privileged account management becomes a critical priority for IT security teams.

The Osirium PAM solution addresses both security and compliance requirements by defining who gets access to what and when. Find out below about the rich breadth of PAM capabilities that allow Osirium customers ranging from mid-market organisations to divisions of global enterprises to protect their businesses.

Find out more about credential management in Osirium PAM

Credential Management

Separate users from passwords

Or more accurately, ‘Separating SysAdmins from Credentials’. Osirium PAM is designed with the assumption that endpoints are compromised, and people are phishable. Therefore, from the outset, we decided that credentials should never pass through endpoints or be revealed to humans (except in break-glass situations).

You can think of this as a 'credential-injecting proxy'. This means that credentials only travel between Osirium PAM and the end device.

Osirium PAM also takes on management of the admin credentials and passwords, ensuring they comply with corporate policies, are rotated regularly and retired when no longer needed.

ID to role mapping

People have identities; accounts on systems have roles. That's the difference between an "identity management tool (IAM)", which confirms that a person is who they say they are, and a "privileged account management" tool, which controls what that person can do by assigning that person a "role."

It's important to know which identity used which role, on which system, and when. Osirium PAM implements privileged account management policies through Profiles, which map Identities through tools and tasks to roles on systems.

Multi-factor authentication

Osirium PAM is, in essence, an Identity IN - Role OUT system. Therefore the quality of identity proof is crucial for highly secure operations. Multi-factor Authentication (or MFA) adds an extra level of verification to incoming identities and may be provided by an identity and access management system.

MFA generally works based on something you know, something you've got, or something about you. Authentication services can either be handed off to Active Directory or chained in series. For example, a user can be identified either locally or by Active Directory and then through an additional MFA stage such as Google Authenticator.

Just-in-time access

The best security is to not let anyone have access to systems and devices, but clearly, that's not realistic. The next best option is to not grant access until it's actually needed and then only for the minimum time access is required. Osirium PAM provides "just-in-time" access by allocating time windows during which privileged access is allowed and by the user requesting access just when they need it.
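A toy model, added here and not Osirium's own code, of the flow the preceding sections describe: an identity goes in, a Profile maps it to a role on a system, a just-in-time window is enforced, and a credential-injecting proxy holds the target password and never returns it to the user. The user names, systems, passwords, the fixed MFA code and the authentication stages are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample target accounts (not real systems or secrets).
TARGET_ACCOUNTS = {("fw-01", "admin"): "S3cret-fw", ("db-01", "dba"): "S3cret-db"}

def ad_password_ok(identity, proofs):
    """Stage 1: stand-in for an Active Directory password check (constructed users)."""
    return {"alice": "pw-alice", "bob": "pw-bob"}.get(identity) == proofs.get("password")

def totp_ok(identity, proofs):
    """Stage 2: stand-in for an MFA code check (a fixed code replaces a real authenticator)."""
    return proofs.get("totp") == "123456"

@dataclass(frozen=True)
class Profile:
    identity: str          # who (identity IN)
    system: str            # on which device or service
    role: str              # which privileged account on that system (role OUT)
    window_start: datetime # just-in-time window during which access is allowed
    window_end: datetime

@dataclass
class Session:
    identity: str
    system: str
    role: str
    audit: list = field(default_factory=list)  # metadata trail; holds no secret

class PamProxy:
    def __init__(self, vault, profiles, auth_chain):
        self._vault = vault            # credentials live here and never leave this object
        self._profiles = profiles
        self._auth_chain = auth_chain  # series relationship: every stage must pass

    def request_session(self, identity, proofs, system, now):
        if not all(stage(identity, proofs) for stage in self._auth_chain):
            return None, "authentication failed"
        profile = next((p for p in self._profiles
                        if p.identity == identity and p.system == system), None)
        if profile is None:
            return None, "no profile maps this identity to a role on that system"
        if not profile.window_start <= now < profile.window_end:
            return None, "outside just-in-time access window"
        # Credential injection: the proxy, not the user, presents the password to the target.
        secret = self._vault.get((system, profile.role))
        if secret is None or TARGET_ACCOUNTS.get((system, profile.role)) != secret:
            return None, "credential injection failed"
        session = Session(identity, system, profile.role)
        session.audit.append(f"{now.isoformat()} {identity} -> {profile.role}@{system} opened")
        return session, "ok"  # the caller gets a session handle, never the secret

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    proxy = PamProxy(dict(TARGET_ACCOUNTS),
                     [Profile("alice", "fw-01", "admin", t0, t0 + timedelta(hours=2))],
                     [ad_password_ok, totp_ok])
    good = {"password": "pw-alice", "totp": "123456"}
    return {
        "in_window": proxy.request_session("alice", good, "fw-01", t0 + timedelta(minutes=30)),
        "expired": proxy.request_session("alice", good, "fw-01", t0 + timedelta(hours=3)),
        "no_mfa": proxy.request_session("alice", {"password": "pw-alice"}, "fw-01", t0),
        "no_profile": proxy.request_session("bob", {"password": "pw-bob", "totp": "123456"}, "fw-01", t0),
    }

if __name__ == "__main__":
    for name, (session, reason) in demo().items():
        print(f"{name:>10}: {reason} {session}")
```

Only the first request yields a session; the other three are refused at the MFA, profile or time-window check, and the session object itself carries no password.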

Session Management

Often it is vital to know exactly what has been done to a system, from where and by whom. Investigating unusual behaviour and satisfying audit requirements are typical reasons for this.

Osirium PAM's Privileged Session Management (PSM) enables security managers to record, store and play back any activities that take place across their entire hybrid-cloud infrastructure. As a result, Privileged Session Management not only ensures full user access accountability but also acts as a unique deterrent against SysAdmin malpractice, providing irrefutable evidence of their privileged activities.

Find out more about session management in Osirium PAM

No bypassing PAM - ever!

All sessions can be recorded. A visual capture allows a video playback of each session, along with a thumbnail layout to evaluate sessions at a glance. Because all sessions have to pass through Osirium PAM, there is no way to bypass recording. Users never get access to the privileged credentials, therefore they cannot make a session outside Osirium PAM's control.

Mis-use Deterrent

Every session with Osirium PAM can be shadowed in real time. This allows all admin sessions, including those of third-party service providers, to be monitored as they happen. Session termination means that any session can be terminated immediately. This happens in Osirium PAM, and since the users have no alternate means of access, terminated stays terminated. If a session is deemed malicious, there’s a one-touch terminate-and-disable-user button.

Search recordings and metadata

In addition to recording a video of a session, all keystrokes are also captured. Therefore, a SuperAdmin can search by all types of meta-information, including fuzzy keystroke patterns.

Post-incident investigation

Key insight can be gained from session recordings as to why and when a device misconfiguration takes place. Consequently, this allows for the careful examination of changes and provides a quicker return to a stable and working environment. Good session recordings can be made into mini training videos.

Application Protection - Osirium MAP Server

Legacy applications refer to software older than the current ‘official’ release. In any IT environment, there are legacy applications that cannot be replaced. To combat this, companies use legacy management tools or ‘thick clients’, but this can cause a number of issues…

What is MAP Server?

Legacy applications all have dependencies, be it their own Dynamic Link Libraries (DLLs), or versions of .NET and Java. Furthermore, it can be tricky or even impossible to have multiple versions of some management tools concurrently installed.

SysAdmins are forced to work across different versions of management tools, or install specific versions on jump boxes and access those. Jump boxes are resource intensive and a security risk, and are often only accessible via a dedicated desktop shared by team members.

Find out more about MAP Server

Seamless Integration

Applications are presented on the user's desktop alongside their other applications.

Secure Environment

Secure environment for running legacy applications.

Reduce Compatibility and Dependency Issues

No need to ensure the user's desktop has all the necessary supporting libraries for each legacy application.

Separate People from Passwords

Credentials are injected in the mapped application and never revealed to the user.

Increase Security and Control

IT has control over who has access to which applications and the credentials that are used.

Jump Box on Steroids!

Multiple versions of management applications can be made available on a SysAdmin or DevOps desktop without any dependencies at the workstation.

Automation

Moving beyond protecting privileged accounts means protecting privileged activities: what users are doing with those accounts. Osirium PAM now includes free Osirium Automation licenses. Osirium Automation, available standalone and as part of Osirium PAM, is a flexible, secure framework to automate tasks that normally need expert administrators. Automation uses the admin credentials from Osirium PAM, which are never exposed to the user.

Find out more about automating privileged actions with Osirium Automation

Flexible, open architecture

Osirium Automation is built on the Privileged Process Automation (PPA) framework to automate processes on IT services, devices and applications via API, REST or web services.

Automated playbooks are built using a low-code task development environment and pre-built example playbooks and plug-ins are available in the PPA Resource Hub.

Safely delegate admin operations

As privileged credentials are always protected, users can't do anything they shouldn't, and there's a full end-to-end audit trail, it is safe to delegate tasks to the help desk or even to end-users.

Broad range of applications

Osirium Automation can be used to automate any task that might normally need IT help. That can range from resetting account passwords to provisioning accounts for a new starter or setting firewall configurations. The list is endless.

Get Osirium PAM for free!

Secure your infrastructure with the fastest to deploy Privileged Access Management solution. Introducing PAM Express from Osirium. For free, for 10 servers or network devices for production use.


PAM Fundamentals

What is a “Privileged Account”?

Any account that has more power, or permissions, than a regular user can be considered a “privileged account.” Often, they’re called “administrator,” “supervisor,” or “system” accounts. These accounts have the power to, for example, create/update/remove other user accounts, change system settings, install software, access sensitive databases, … the list is endless.

What is PAM?

A Privileged Access Management, or PAM, system is used to manage the powerful admin accounts. This management covers the actual account credentials (i.e. usernames and passwords), who has access to those accounts, and how those accounts can be used.

An important factor with Osirium PAM is that no user will ever have direct access to those privileged account credentials. If a user can’t see the username & password, they cannot reveal those details to an attacker.

A modern PAM solution, like that from Osirium, goes further and monitors users while they use privileged connections. If necessary, the session can be interrupted to prevent malicious changes from being made. The sessions can also be recorded for later investigation if a security incident occurs.

What is the threat?

The threat of privileged access abuse can come from different areas, not all may be obvious.

External Attack

The most obvious source of risk is that of an external party trying to gain access to IT systems, whether that’s through hacking firewalls to get inside, spear-phishing staff to acquire their login credentials, or planting malware to open backdoors or exfiltrate data.

Insider Threat

Insiders, or staff, can be a risk in several ways. The most obvious might be the disgruntled employee trying to do damage or steal customer information before leaving. The less obvious risk is the “over-enthusiastic amateur” – someone who has managed to get admin credentials and then tries to make changes they’re not fully trained for. It’s too easy for them to make a catastrophic change such as shutting down all internet traffic through the firewall or deleting customer records (something seen recently at the Home Office in the UK).

With the increasing adoption of “shadow IT” and prevalence of cloud-based services being purchased by business units without involving IT, there are more users with admin rights across the business than ever.

Third Party or Supplier

Every organization depends on close relationships with suppliers, partners and outsourced staff. To do their work, they typically need access to corporate IT systems. For example, you may outsource management of your e-commerce web server or a supplier needs access to manage your heating and ventilation systems (the source of the famous breach at Target).

It’s hard to ensure that all these vendors have the same level of security hygiene as is used internally. It’s also hard to ensure that the people who have been granted access don’t share their credentials.

How does PAM compare to IAM?

Identity Access Management (IAM) or Identity Governance and Administration (IGA) are solutions for managing users’ credentials – usernames and passwords. They may include tools for generating passwords or support multi-factor authentication (MFA) to aid logging into IT services.

So IAM is essentially about proving “who you are”, but it doesn’t provide any help in controlling what users can do once they’ve retrieved credentials and logged in. Privileged Access Management (PAM), however, controls “what you can do” and “how you do it.” Admin users are only allowed to access the systems they need, with the least privilege needed, for the shortest period of time needed.

The combination is very powerful: IAM tools authenticate the person, then Osirium PAM manages the system access for that user.

PAM is a crucial addition and complement to existing IAM to protect the most valuable accounts.

What is POLP or Principle of Least Privilege?

"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should only have the amount of privilege they need (which may be none) on only the systems they need and only for the time they need it. This is where PAM is a vital asset - when all privileged access to systems is via PAM, you have a point of control to ensure only the right people have access to the right systems. Osirium PAM also allows users to request access when they need it, so no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.

What are Privileged Sessions?

A "privileged session" is a connection being made by a user to a device, service or system using credentials that have elevated privileges such as those used by an administrator. As these sessions are very powerful, they should only be allowed by users that have a need and the experience to use them safely (see "Principle of Least Privilege" above). The best Privileged Access Management systems include tools to monitor privileged sessions in real time, close the sessions if risky behaviour is shown and to record the sessions for later investigation or audit.

What is PIM?

Privileged Identity Management (PIM) is a feature often provided in IAM tools. It goes some way towards improving management of the powerful admin accounts or other privileged accounts, in that it can report that these accounts exist and how and when they are being used. However, that is not a replacement for Privileged Access Management, which provides more active protection of those privileged account credentials and management of privileged sessions.

What is Privileged User Management?

Privileged User Management (PUM) is pretty much the same as Privileged Identity Management (PIM), with the same limitations in how admin and privileged account credentials are used.

What is Privileged Process Automation?

Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes. However, it isn’t appropriate for more complex tasks as seen in IT teams, or where an element of human review, decision-making and confirmation is needed. When all admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users and lets admins get on with more interesting work. For more information, see https://www.osirium.com/ppa.

What is PEM?

PEM, also known as Privileged Endpoint Management, is Osirium’s solution for removing local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.

What is Privileged Endpoint Management?

Privileged Endpoint Management (PEM) allows approved applications to be run with elevated privileges, which would typically be done using the “Run as Administrator” option on an application's context menu. Importantly, the privileges of the application are elevated without exposing valuable administrator credentials or having to call the IT help desk. Find out more at https://osirium.com/pem.

What is Privileged Access Security?

Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation. It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.

What is PASM, PEDM, SUPM, SAPM?

These acronyms, and others, are all variations of the capabilities of a modern PAM solution like Osirium PAM. They stand for a variety of features including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privilege Management and Shared Account Password Management.

Complimentary Gartner Report: Four Pillars for PAM Success

There are four key pillars to a successful PAM project. Read this complimentary Gartner report to learn how to make the most of PAM.
