An Introduction to Privileged Access Management

What is Privileged Access Management?

Privileged Access Management (PAM) is a critical cybersecurity tool to separate users from valuable administrator credentials used to manage shared servers, devices, and systems.

PAM goes beyond Identity Access Management (IAM), which focuses on proving the identity of the user. PAM takes that identity and applies policies to determine which systems they can access, and with what privilege level. Advanced PAM solutions, such as Osirium PAM, take this further and include capabilities to run privileged applications in a protected environment, monitor and record privileged sessions, and automate processes that need privileged access.

Privileged Access is needed everywhere

All systems, services, applications, and devices have powerful administrator accounts.

Those “admin” accounts can make substantial changes to those systems. For example, they can access valuable corporate IP, reveal personally identifiable information (PII), or control how customers, staff, and partners do their work. It's also worth considering the need to protect other accounts such as the corporate Facebook, Instagram, and LinkedIn accounts as improper use could cause significant reputational damage.

It’s no surprise that these accounts are the most prized targets for cyber attackers as they are so powerful.

Controlling access to those accounts is a foundational need for the organization. When not managed, all the IT and cybersecurity systems are at risk. But managing those accounts is always getting more complex as their admins are increasingly in departments outside IT.

The ultimate goal is to ensure that anyone accessing a system has the minimum level of elevated rights they need to do their work.

They should only have access to the systems they need. And have that access for the shortest period to get their work done.

Good PAM is not optional. Every organization is subject to regulation, such as GDPR, PCI DSS or Sarbanes-Oxley. They often need to implement best practices such as Cyber Essentials or ISO 27001 to improve customer service and reduce risk. Every one of those standards has a requirement to manage privileged access. Osirium has several whitepapers to show how PAM is relevant to ISO 27001, Cyber Essentials and Digital Security and Protection in the NHS.

PAM is not the replacement for the rest of a cybersecurity stack, but it is a foundation for that stack. Every security tool (firewalls, anti-malware, ATP, backup management, and many more) has administrator accounts. If those admin accounts aren't protected by PAM, then they are vulnerable to attack.

PAM cannot be an optional purchase. The decision for the company is how to acquire and implement the best PAM for their organization in the most cost-effective and business-enhancing manner possible.

If you would like more information, please get in touch.

Benefits of Privileged Access Management

Credential Management

Separate users from passwords

Privileged accounts such as Admin or Superuser are the most powerful and dangerous in your organization.
The best way to start protecting them is to make sure users can't actually get access to them.
That's where Privileged Access Management (PAM) is key.

Learn more about protecting valuable admin credentials

Session Management

Monitor and track privileged sessions

Once a user has gained access to a system using privileged access credentials, you need to know what they're doing.
That's especially true if it's a remote worker or third-party supplier where you don't have so much control over who is using the access.
That's where Session Management and Recording is so important.

Learn more about managing and recording privileged sessions

Applications with Privileged Access

Protect privileged applications

In some cases, IT experts need full access to a system or device and need to use "root" level connections. In most cases that's more access than is really needed. The best practice is to only let the user access the applications they need to do their work.
With Osirium PAM, the MAP Server ensures the user can only use the applications they need.

Learn more about protecting applications with Osirium MAP Server

Automation

Protect privileged work

The best, and most proactive, protection of privileged access is to ensure it can only be used to perform the work that it should.

By wrapping applications, services and devices with Automation, users can't do anything they shouldn't, and a full audit trail is kept.

See how Osirium's unique Automation is the ultimate privileged access protection.

Learn more about automating privileged tasks and processes

An overview of Privileged Access Management

Read this high-level overview to see how PAM can protect your shared devices and services, manage privileged users and accounts and simplify remote access.


Critical PAM Capabilities

Privileged users manage every piece of IT infrastructure, including physical devices, services, applications, and databases. Users such as SysAdmins have elevated access to ensure that the uptime, performance, resources, and security of the computers meet the needs of the business. Privileged account abuse presents one of today's most critical security challenges.

Privileged account credentials are the hacker's favoured way of breaching defences. They can access the most sensitive data or cause the most damage. Privileged account management must be a critical priority for IT security teams.

Credential management should do more than be a password vault (although that is important). It should take care of the entire lifecycle of privileged credentials: creation, rotation/regular update, and removal when no longer needed.

Find out more about credential management in Osirium PAM

Credential Management

Separate users from passwords

Although the general principle is good, emphasis should be on those valuable administrator accounts. It's also important to start with the assumption that the endpoints used by those admins are compromised. Admins are human and can be victims of phishing attacks.

A guiding standard should be that credentials never pass through endpoints and are never revealed to humans. There are, however, a few situations where that can't be avoided, for example in "break glass" emergencies.

PAM can be used as a 'credential-injecting proxy'. Credentials only travel between PAM and the target device.

PAM can also manage the admin credentials and passwords, ensuring they comply with corporate policies, are rotated regularly and retired when no longer needed.
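The credential-injecting proxy and the create/rotate/retire lifecycle described above (and under Critical PAM Capabilities), modelled together in Python. This is an added illustration written for this page, not Osirium's code: the device, vault and session handle are in-memory stand-ins, and the device name "fw-01", the user names and the 30-day rotation policy are assumed values.

```python
"""Credential vault acting as a credential-injecting proxy, with the
create / rotate / retire lifecycle of the managed credential.
Added illustration, not Osirium code; all names and the policy are assumptions."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class TargetDevice:
    """Stand-in for a managed device: all it knows is its local accounts."""

    def __init__(self, name: str):
        self.name = name
        self._accounts: dict[str, str] = {}

    def set_password(self, username: str, password: str) -> None:
        self._accounts[username] = password

    def remove_account(self, username: str) -> None:
        self._accounts.pop(username, None)

    def has_account(self, username: str) -> bool:
        return username in self._accounts

    def login(self, username: str, password: str) -> bool:
        stored = self._accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)


@dataclass
class ProxySession:
    """What the user receives: a handle naming the account, never the secret."""
    session_id: str
    identity: str
    device: str
    username: str
    opened_at: datetime


class CredentialVault:
    MAX_AGE = timedelta(days=30)  # assumed corporate rotation policy

    def __init__(self, clock):
        self._clock = clock   # injectable clock keeps the demo deterministic
        self._creds: dict[tuple[str, str], tuple[TargetDevice, str, datetime]] = {}
        self.audit: list[tuple] = []

    @staticmethod
    def _generate_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def rotate_on(self, device: TargetDevice, username: str) -> None:
        """Create (first call) or rotate: set a password only the vault knows."""
        password = self._generate_password()
        device.set_password(username, password)
        self._creds[(device.name, username)] = (device, password, self._clock())
        self.audit.append((self._clock(), "rotate", device.name, username))

    def rotate_stale(self) -> list:
        """Rotate every managed credential older than MAX_AGE."""
        rotated = []
        for (device_name, username), (device, _, updated) in list(self._creds.items()):
            if self._clock() - updated >= self.MAX_AGE:
                self.rotate_on(device, username)
                rotated.append((device_name, username))
        return rotated

    def retire(self, device_name: str, username: str) -> None:
        """Remove the account from the device and forget the secret."""
        device, _, _ = self._creds.pop((device_name, username))
        device.remove_account(username)
        self.audit.append((self._clock(), "retire", device_name, username))

    def open_session(self, identity: str, device_name: str, username: str) -> ProxySession:
        """Credential injection: the vault logs in to the device on the user's behalf,
        so the password only ever travels between vault and device."""
        device, password, _ = self._creds[(device_name, username)]
        if not device.login(username, password):
            raise PermissionError(f"device {device_name} rejected the vaulted credential")
        session = ProxySession(secrets.token_hex(8), identity, device_name, username, self._clock())
        self.audit.append((session.opened_at, "session", device_name, username, identity, session.session_id))
        return session


def run_demo() -> dict:
    """Walk the whole lifecycle on a constructed device and report what happened."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    vault = CredentialVault(lambda: now[0])
    firewall = TargetDevice("fw-01")
    vault.rotate_on(firewall, "admin")                        # onboard the account
    first = vault.open_session("alice", "fw-01", "admin")     # alice gets a handle only
    old_password = vault._creds[("fw-01", "admin")][1]        # peeked for the demo only
    now[0] += timedelta(days=31)
    rotated = vault.rotate_stale()
    second = vault.open_session("alice", "fw-01", "admin")    # still works after rotation
    vault.retire("fw-01", "admin")
    return {
        "handle_fields": sorted(vars(first)),
        "rotated": rotated,
        "old_password_rejected": not firewall.login("admin", old_password),
        "session_after_rotation": second.device == "fw-01" and second.session_id != first.session_id,
        "account_removed_after_retire": not firewall.has_account("admin"),
        "audit_events": [event[1] for event in vault.audit],
    }
```

The point to notice is that `ProxySession` has no password field at all: whatever the user's endpoint captures, it captures a session handle, and the audit trail still records which identity used which account on which device and when.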

Mapping IDs to roles

People have identities (who they are), while accounts on systems have roles (what they can do). That's a key difference between an "identity management tool (IAM)" and "Privileged Access Management (PAM)".

IAM confirms that a person is who they say they are, whereas PAM controls what that person can do by assigning that person a "role." Using roles allows for more granular control over privileged operations. For example, one user might have a role that allows them to reset a user's password, but a different role is needed to create or delete users.

Knowing which identity used which role, on which system, and when is important, especially when investigating a breach or preparing reports for a security audit.

For ease of management, roles can be grouped as "Profiles", which map Identities through tools and tasks to roles on systems.

Multi-factor authentication

Once users are separated from the credentials, proving the identity of the user becomes important.

Multi-factor Authentication (MFA) adds an extra level of verification to incoming identities. The PAM tool may handle this itself or integrate with an identity and access management system.

Most MFA approaches are based on something you know, something you've got, or something about you. Authentication can either be handed off to Active Directory or defined as a series of stages.

For example, a user can be identified either locally or by Active Directory, and then through an additional MFA stage such as Google Authenticator, which confirms identity via biometrics or one-time passcodes.
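A chained ("series") authentication in Python, added here as an illustration and not taken from Osirium or Google: stage one checks a password against a salted PBKDF2 hash, stage two checks a time-based one-time passcode computed as RFC 6238 specifies (the scheme Google Authenticator uses). The user name, the 30-second step, the one-step drift window and the hashing parameters are assumptions.

```python
"""Two-stage authentication: password check, then a TOTP one-time passcode.
Added example, not Osirium code; names and parameters are assumptions."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class PasswordStage:
    """Stage 1, something you know: stores salted PBKDF2 hashes, never passwords."""

    def __init__(self, users: dict):
        self._users = users  # user -> (salt, derived key)

    @staticmethod
    def enroll(password: str) -> tuple:
        salt = secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, user: str, factors: dict, now: float) -> bool:
        if user not in self._users:
            return False
        salt, expected = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", factors.get("password", "").encode(), salt, 100_000)
        return hmac.compare_digest(candidate, expected)


class TotpStage:
    """Stage 2, something you have: the seed enrolled in the user's authenticator app."""

    def __init__(self, seeds: dict, step: int = 30, window: int = 1):
        self._seeds = seeds
        self._step = step
        self._window = window                 # tolerate this many steps of clock drift
        self._last_counter: dict = {}         # per-user replay protection

    def verify(self, user: str, factors: dict, now: float) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        code = factors.get("code", "")
        counter = int(now) // self._step
        for candidate in range(counter - self._window, counter + self._window + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue  # a code for this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(seed, candidate), code):
                self._last_counter[user] = candidate
                return True
        return False


class SeriesAuthenticator:
    """Runs the stages in order. Every stage must pass; evaluation stops at the
    first failure, so the second factor is never consumed on a bad password."""

    def __init__(self, stages):
        self._stages = list(stages)

    def authenticate(self, user: str, factors: dict, now: float) -> bool:
        return all(stage.verify(user, factors, now) for stage in self._stages)
```

The RFC 6238 test vector (secret `12345678901234567890`, time 59) yields `287082`, which is a handy way to check such an implementation against a real authenticator app. Presenting the same code twice is rejected by the replay check, which matters when the PAM tool rather than an external IdP is the party verifying the second factor.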

Just-in-time access

The best security is to not let anyone have access to systems and devices. This is sometimes known as "zero standing privileges".

The best practice is to not grant access until it's actually needed and then only for the minimum time access is required. This is known as "Just In Time" or JIT privileges.

Just as for access to an account, the privileged accounts should only be created when they are needed and removed immediately afterwards.

There will often be a few standing privileged accounts for emergency or "break glass" scenarios. Extra care is needed to protect these accounts and ensure they are only used in extreme situations.
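Identity-to-role mapping through Profiles, just-in-time grants and flagged break-glass standing access from the sections above, modelled together in Python so the audit question "which identity used which role, on which system, and when" can be answered. This is an added example, not Osirium's code; the profile names, systems, actions and the 30-minute grant window are constructed.

```python
"""Identity -> Profile -> Role-on-system mapping with JIT grants and an audit trail.
Added example, not Osirium code; profiles, systems and actions are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Role:
    system: str
    name: str
    actions: frozenset


@dataclass
class Profile:
    """Groups roles across systems so an identity is mapped once, not per system."""
    name: str
    roles: tuple


@dataclass
class Grant:
    identity: str
    profile: str
    expires_at: Optional[datetime]   # None only for break-glass standing access
    break_glass: bool = False


class AccessBroker:
    def __init__(self, clock):
        self._clock = clock              # injectable so expiry can be demonstrated
        self._profiles: dict = {}
        self._grants: list = []
        self.audit: list = []

    def define_profile(self, profile: Profile) -> None:
        self._profiles[profile.name] = profile

    def grant_jit(self, identity: str, profile: str, minutes: int) -> Grant:
        """Zero standing privileges: access exists only for the requested window."""
        grant = Grant(identity, profile, self._clock() + timedelta(minutes=minutes))
        self._grants.append(grant)
        return grant

    def grant_break_glass(self, identity: str, profile: str) -> Grant:
        """Standing emergency access, flagged so every review surfaces it."""
        grant = Grant(identity, profile, None, break_glass=True)
        self._grants.append(grant)
        return grant

    def _active_grants(self, identity: str) -> list:
        now = self._clock()
        # expired JIT grants are dropped here, which is the "removed immediately afterwards" step
        self._grants = [g for g in self._grants if g.expires_at is None or g.expires_at > now]
        return [g for g in self._grants if g.identity == identity]

    def authorize(self, identity: str, system: str, action: str) -> Optional[Role]:
        """Resolve identity -> active grant -> profile -> role on this system, logging either way."""
        now = self._clock()
        for grant in self._active_grants(identity):
            for role in self._profiles[grant.profile].roles:
                if role.system == system and action in role.actions:
                    self.audit.append({"at": now, "identity": identity, "system": system,
                                       "action": action, "role": role.name, "profile": grant.profile,
                                       "break_glass": grant.break_glass, "decision": "allow"})
                    return role
        self.audit.append({"at": now, "identity": identity, "system": system, "action": action,
                           "role": None, "profile": None, "break_glass": False, "decision": "deny"})
        return None

    def standing_grants(self) -> list:
        """Review helper: everything a 'zero standing privileges' audit should flag."""
        return [g for g in self._grants if g.expires_at is None]

    def history(self, identity: Optional[str] = None, system: Optional[str] = None) -> list:
        return [e for e in self.audit
                if (identity is None or e["identity"] == identity)
                and (system is None or e["system"] == system)]


def build_demo_broker(clock) -> AccessBroker:
    """Constructed profiles: a help-desk profile and a domain-admin profile."""
    broker = AccessBroker(clock)
    broker.define_profile(Profile("helpdesk", (
        Role("ad-dc01", "password-reset-operator", frozenset({"reset_password", "unlock_account"})),
        Role("ticketing", "agent", frozenset({"read_ticket", "update_ticket"})),
    )))
    broker.define_profile(Profile("domain-admin", (
        Role("ad-dc01", "domain-admin", frozenset({"reset_password", "create_user", "delete_user"})),
    )))
    return broker
```

Note that the help-desk profile can reset a password on `ad-dc01` but not create a user, which is exactly the role separation the Mapping IDs to roles section describes, and that `standing_grants()` gives the reviewer the short list of break-glass exceptions that need the extra care mentioned above.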

Session Management

It is important to know exactly what has been done to a system, by whom and when.

Osirium PAM's Privileged Session Management (PSM) enables security managers to monitor admin sessions in real time. Sessions can also be recorded, stored and reviewed later.

Privileged Session Management not only ensures full user access accountability but also acts as a unique deterrent against SysAdmin malpractice.

Recording screen and keyboard interactions provides irrefutable evidence of privileged activities.

Find out more about session management in Osirium PAM

PAM is never bypassed!

All sessions can be recorded, or just those for particular users such as external suppliers. The visual capture allows a video playback of each session along with a thumbnail layout to evaluate sessions at a glance.

Because all admin sessions have to pass through Osirium PAM, there is no way to bypass recording.

Deterring Privilege Misuse

Most users can be trusted, but there's nothing like the security of being able to prove correct processes are used. That's particularly useful for new staff or external partners.

With Osirium PAM, every session, or those of selected users, can be shadowed in real time; think of it as watching over their shoulder. If something isn't right, you can immediately terminate the session. Since the users have no alternative means of access, they can't bypass PAM to reach your IT systems.

Knowing that sessions may be monitored or recorded is enough to deter misuse of privileged accounts in many cases.

Search recordings and metadata

In addition to recording a video of a session, all keystrokes are also captured. Therefore, a SuperAdmin can search by all types of meta-information, including fuzzy keystroke patterns.
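An added Python example (not Osirium's code) of the kind of search described above: recordings are first filtered by metadata (who, which system, since when), then each captured keystroke line is scored against a search phrase with a fuzzy similarity so that mistyped commands are still found. The recordings are constructed sample data and the 0.8 cut-off is an assumption.

```python
"""Searching session recordings by metadata and fuzzy keystroke patterns.
Added example, not Osirium code; the recordings are constructed sample data."""
import difflib
from dataclasses import dataclass


@dataclass
class SessionRecording:
    session_id: str
    identity: str
    system: str
    started: str        # ISO-8601, UTC
    keystrokes: list    # one entry per submitted command line


# Constructed sample metadata and keystroke captures (not real data)
RECORDINGS = [
    SessionRecording("s-001", "alice", "fw-01", "2024-03-01T09:02:11Z",
                     ["show running-config", "configure terminal", "exit"]),
    SessionRecording("s-002", "contractor-bob", "fw-02", "2024-03-01T14:40:05Z",
                     ["sudo iptables -L", "sudo iptables -F", "exit"]),
    SessionRecording("s-003", "carol", "srv-03", "2024-03-02T08:15:30Z",
                     ["sudo iptabels -F", "systemctl restart nginx"]),
    SessionRecording("s-004", "contractor-bob", "db-01", "2024-03-02T16:01:00Z",
                     ["psql -U app", "select count(*) from customers;"]),
]


@dataclass
class Hit:
    session_id: str
    identity: str
    line: str
    score: float


def search_metadata(recordings, identity=None, system=None, since=None):
    """Filter by who, which system and start time (ISO-8601 UTC strings compare lexically)."""
    return [r for r in recordings
            if (identity is None or r.identity == identity)
            and (system is None or r.system == system)
            and (since is None or r.started >= since)]


def _best_window_score(phrase: str, line: str) -> float:
    """Slide a window of len(phrase) tokens over the line and return the best
    character-level similarity, so 'iptabels -F' still scores against 'iptables -F'."""
    p_tokens, l_tokens = phrase.lower().split(), line.lower().split()
    n = len(p_tokens)
    if n == 0 or len(l_tokens) < n:
        return 0.0
    target = " ".join(p_tokens)
    best = 0.0
    for i in range(len(l_tokens) - n + 1):
        window = " ".join(l_tokens[i:i + n])
        best = max(best, difflib.SequenceMatcher(None, target, window).ratio())
    return best


def search_keystrokes(recordings, phrase: str, cutoff: float = 0.8):
    """One Hit per keystroke line whose best window matches the phrase at >= cutoff,
    strongest matches first; the score is returned so a reviewer can triage near misses."""
    hits = []
    for rec in recordings:
        for line in rec.keystrokes:
            score = _best_window_score(phrase, line)
            if score >= cutoff:
                hits.append(Hit(rec.session_id, rec.identity, line, round(score, 2)))
    return sorted(hits, key=lambda h: -h.score)
```

Searching for `iptables -F` returns the exact command in s-002 with score 1.0, the mistyped `iptabels -F` in s-003 at about 0.91, and also `iptables -L` in s-002 at the same score; that last near miss is why the score is surfaced rather than hidden, so the reviewer decides what to replay.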

Investigating Incidents

Session recordings provide key insights into why and when a device misconfiguration took place. They allow for the careful examination of changes and provide a quicker return to a stable and working environment.

Good session recordings could even be made into mini training videos and shared in standard MP4 format.

Application Protection

Legacy applications refer to software older than the current ‘official’ release. In any IT environment, there are legacy applications that cannot be replaced. That may be for good reason: the application may be tied to a piece of hardware such as a medical scanner, or doesn't support the latest operating system version.

To combat this, companies use legacy management tools or ‘thick clients’, but this can cause a number of issues…

Legacy applications all have dependencies, be it their own Dynamic Link Libraries (DLLs), or particular versions of .NET and Java. Furthermore, it can be tricky or even impossible to have multiple versions of some management tools concurrently installed.

As a result, SysAdmins are forced to work across different versions of management tools, or install specific versions on jump boxes and access those. Resource intensive and a security risk, jump boxes are only accessible via a dedicated desktop, often shared by team members.

The solution is Osirium's MAP Server, part of its Privileged Access Management package.

Find out more about MAP Server

Seamless Integration

Applications are presented on the user's desktop alongside their other applications.

Secure Environment

Secure environment for running legacy applications.

Reduce Compatibility and Dependency Issues

No need to ensure the user's desktop has all the necessary supporting libraries for each legacy application.

Separate People from Passwords

Credentials are injected in the mapped application and never revealed to the user.

Increase Security and Control

IT has control over who has access to which applications and the credentials that are used.

Jump Box on Steroids!

Multiple versions of management applications can be made available on a SysAdmin or DevOps desktop without any dependencies at the workstation.

Automation

Moving beyond protecting privileged accounts is to protect privileged activities - what users are doing with those accounts. Osirium PAM now includes free Osirium Automation licenses.

Osirium Automation, available standalone and as part of Osirium PAM, is a flexible, secure framework to automate tasks that normally need expert administrators.

Automation uses the admin credentials from Osirium PAM which are never exposed to the user.

Find out more about automating privileged actions with Osirium Automation

Flexible, open architecture

Osirium Automation is built on the Privileged Process Automation (PPA) framework to automate processes on IT services, devices and applications via API, REST or web services.

Automated playbooks are built using a low-code task development environment and pre-built example playbooks and plug-ins are available in the PPA Resource Hub.

Safely delegate admin operations

Privileged credentials are always protected. Users can't do anything they shouldn't. There's a full, end-to-end audit trail. All of which means it's safe to delegate admin tasks to the help desk, or even to end-users.

A broad range of applications

Osirium Automation can be used to automate any task that might normally need IT help. That can range from resetting account passwords to provisioning accounts for a new starter or setting firewall configurations. The list is endless.


PAM Fundamentals

What are Privileges?

Privileges are the permissions, or powers, that an account on a device or service has. A standard user may have very limited privileges, for example, to read records in a database, but not to create or edit data. An administrator on a Linux server running as "root" will have the maximum powers available to install/remove software, create/delete user accounts, change system settings and much more.

What is a Privileged Account?

Any account that has more power, or permissions, than a regular user can be considered a “privileged account.” Often, they’re called “administrator,” “supervisor,” or “system” accounts. These accounts have the power to, for example, create/update/remove other user accounts, change system settings, install software, access sensitive databases, … the list is endless.

What is PAM?

A PAM, or Privileged Access Management, system is used to manage the powerful admin accounts. This management covers the actual account credentials (i.e. usernames and passwords), who has access to those accounts, and how those accounts can be used.

An important factor with Osirium PAM is that no user will ever have direct access to those privileged account credentials. If a user can’t see the username & password, they cannot reveal those details to an attacker.

A modern PAM solution, like that from Osirium, goes further and monitors users while they use privileged connections. If necessary, the session can be interrupted to prevent malicious changes from being made. The sessions can also be recorded for later investigation if a security incident occurs.

What is the threat?

The threat of privileged access abuse can come from different areas, not all may be obvious.

External Attack

The most obvious source of risk is an external party trying to gain access to IT systems, whether that’s through hacking firewalls to get inside, spear-phishing staff to acquire their login credentials, or planting malware to open backdoors or exfiltrate data.

Insider Threat

Insiders, or staff, can be a risk in several ways. The most obvious might be the disgruntled employee trying to damage or steal customer information before leaving.

The less obvious risk is the "over-enthusiastic amateur." That's someone who has managed to get admin credentials and then tries to make changes.

Unfortunately, they haven't had the necessary training to do it safely, so making mistakes and leaving the system open to attack is easy. For example, they could make a catastrophic change, such as shutting down all internet traffic through the firewall or deleting customer records.

With the increasing adoption of "shadow IT" and the prevalence of cloud-based services purchased by business units without involving IT, more users have admin rights across the business than ever.

Third-Party or Supplier

Every organization depends on close relationships with suppliers, partners and outsourced staff. To do their work, they typically need access to corporate IT systems.

For example, you may outsource the management of your e-commerce webserver to a specialist agency. You may have a supplier that needs access to manage your heating and ventilation systems (the source of the famous breach at Target).

It’s hard to ensure that all these vendors have the same level of security hygiene as is used internally. It’s also hard to ensure that the people who have been granted access don’t share their credentials.

How does PAM compare to IAM? How are IAM and PAM different?

Identity Access Management (IAM) or Identity Governance and Administration (IGA) are solutions for managing users' credentials – usernames and passwords. They may include tools for generating passwords or support multi-factor authentication (MFA) to aid in logging into IT services.

So IAM is essentially about proving “who you are.” IAM doesn’t provide any help in controlling what users can do once they’ve retrieved credentials and logged in. However, Privileged Access Management (PAM) controls “what you can do” and “how you do it.” Admin users are only allowed access to the systems they need, with the least amount of privilege needed, for the shortest period of time needed.

The combination is very powerful: IAM tools authenticate the person, then Osirium PAM manages the system access for that user.

PAM is a crucial addition and complement to existing IAM to protect the most valuable accounts.

What is POLP or Principle of Least Privilege?

"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should only have the minimum access privilege they need (which may be none). They should only have access to the systems they need.

They should only have access for the time they need it. This is where PAM is a vital asset. When all privileged access to systems is via PAM, you have a point of control to ensure only the right people have access to the right systems.

Osirium PAM also allows users to request access when they need it, so no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.

What are Privileged Sessions?

A "privileged session" is a connection made by a user to a device, service or system using credentials that have elevated privileges. For example, those used by an administrator. As these sessions are very powerful, they should only be allowed by users that have a need and the experience to use them safely. See "Principle of Least Privilege" above for more information.

The best Privileged Access Management systems include tools to monitor privileged sessions in real-time. They can also close the sessions if risky behaviour is shown and record the sessions for later investigation or audit.

Can PAM be SaaS or is it on-premise only?

Most PAM systems are deployed on-premises, even if a cloud-hosted or SaaS option is available. Companies deploying PAM usually like to have complete control over the PAM system as it is such a critical part of their infrastructure. Also, the SaaS environment introduces new complexity, such as configuring networks and VPNs to allow a cloud-hosted PAM system to access on-premises services and devices.

What is PIM?

Privileged Identity Management (PIM) is a feature often provided in IAM tools. It goes some way towards improving the management of the powerful admin accounts or other privileged accounts in that they can report that these accounts exist and how/when they are being used.

However, that is not a replacement for Privileged Access Management which is more active protection of those privileged account credentials and management of privileged sessions.

What is Privileged User Management?

Privileged User Management (PUM) is pretty much the same as "Privileged Identity Management (PIM)". PUM suffers the same limitations in how admin and privileged account credentials are used.

What is Privileged Process Automation?

Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Traditional approaches to automation aren't recommended for most IT processes.

Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes such as credit checks or claims processing.

However, RPA tools aren’t appropriate for more complex tasks as seen in IT teams, or where an element of human review, decision-making and confirmation is needed. They can also be a concern when considering how to control the admin account credentials needed by the automation scripts to access services and devices.

Scripting, using PowerShell or BASH scripts, is popular with Admins, but such scripts usually end up duplicating effort and may even have account credentials baked in!

When admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users. Admins can get on with more interesting work. For more information, see https://www.osirium.com/automation.

What is PEM?

PEM, also known as Privileged Endpoint Management, is Osirium's solution for removing local administrator accounts from Windows computers. End users can still run approved applications with elevated permissions, so they aren't slowed down in their work.

What is Privileged Endpoint Management?

PEM, also known as Privileged Endpoint Management, is Osirium’s solution for reducing risk on user workstations. It allows IT teams to remove local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.

What is Privileged Access Security?

Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation.

It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.

What is PASM, PEDM, SUPM, SAPM?

These acronyms, and others, are all variations of the capabilities of a modern PAM solution like Osirium PAM.

They stand for a variety of features including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privilege Management, and Shared Account Password Management.