PAM Fundamentals
What are Privileges?
Privileges are the permissions, or powers, that an account on a device or service has. A standard user may have very limited privileges, for example to read records in a database but not to create or edit data. An administrator on a Linux server running as "root" has the maximum powers available: installing and removing software, creating and deleting user accounts, changing system settings and much more.
What is a Privileged Account?
Any account that has more power, or permissions, than a regular user can be considered a “privileged account.” Often, they’re called “administrator,” “supervisor,” or “system” accounts. These accounts have the power to, for example, create/update/remove other user accounts, change system settings, install software, access sensitive databases, … the list is endless.
What is PAM?
PAM, or Privileged Access Management, is the system used to manage powerful admin accounts. That management covers the account credentials themselves (i.e. usernames and passwords), who has access to those accounts, and how those accounts can be used.
An important factor with Osirium PAM is that no user ever has direct access to those privileged account credentials. A user who has never seen the username and password cannot be tricked into revealing them to an attacker, and cannot use them outside a controlled PAM session.
A modern PAM solution, like that from Osirium, goes further and monitors users while they use privileged connections. If necessary, the session can be terminated to prevent malicious changes from being made, and sessions can be recorded for later investigation if a security incident occurs.
What is the threat?
The threat of privileged access abuse can come from several directions, not all of them obvious.
External Attack
The most obvious source of risk is an external party trying to gain access to IT systems, whether by attacking firewalls to get inside, spear-phishing staff to acquire their login credentials, or planting malware that opens backdoors or exfiltrates data.
Insider Threat
Insiders, or staff, can be a risk in several ways. The most obvious is the disgruntled employee trying to damage or steal customer information before leaving.
The less obvious risk is the "over-enthusiastic amateur": someone who has managed to get admin credentials and then starts making changes.
Unfortunately, they haven't had the training needed to do so safely, so mistakes that leave the system open to attack are easy to make. For example, they could make a catastrophic change, such as blocking all internet traffic at the firewall or deleting customer records.
With the increasing adoption of "shadow IT" and the prevalence of cloud-based services purchased by business units without involving IT, more users have admin rights across the business than ever.
Third-Party or Supplier
Every organization depends on close relationships with suppliers, partners and outsourced staff. To do their work, they typically need access to corporate IT systems.
For example, you may outsource the management of your e-commerce webserver to a specialist agency. You may have a supplier that needs access to manage your heating and ventilation systems (the source of the famous breach at Target).
It’s hard to ensure that all these vendors have the same level of security hygiene as is used internally. It’s also hard to ensure that the people who have been granted access don’t share their credentials with others.
How does PAM compare to IAM?
Identity and Access Management (IAM) and Identity Governance and Administration (IGA) are solutions for managing users' identities and credentials (usernames and passwords). They may include tools for generating passwords or support multi-factor authentication (MFA) to strengthen logins to IT services.
So IAM is essentially about proving “who you are.” Once a user has retrieved credentials and logged in, IAM gives little control over what they do inside the session. Privileged Access Management (PAM), by contrast, controls “what you can do” and “how you do it”: admin users are allowed access only to the systems they need, with the least privilege needed, for the shortest time needed.
The combination is very powerful: IAM tools authenticate the person, then Osirium PAM manages that person's access to systems.
PAM is a crucial addition and complement to existing IAM to protect the most valuable accounts.
What is POLP or Principle of Least Privilege?
"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should have only the minimum privilege they need (which may be none), only on the systems they need,
and only for the time they need it. This is where PAM is a vital asset: when all privileged access to systems goes via PAM, you have a single point of control to ensure only the right people have access to the right systems.
Osirium PAM also allows users to request access when they need it, so no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.
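The two mechanisms described above, credentials that the requesting user never sees (see "What is PAM?") and access that is granted only on request and only for a bounded window, can be modelled in plain Python. This is an added example, not Osirium's code: AccessBroker stands in for a PAM vault plus connection proxy, fake_proxy for the component that actually dials SSH or RDP, and the account names, targets and password are constructed sample data.

```python
"""Just-in-time privileged access brokering, modelled in plain Python.

Added example, not Osirium's code. The broker (a stand-in for a PAM vault
plus proxy) keeps the privileged credential, issues time-bounded grants,
and injects the credential into the connection itself so the requesting
user never sees it. All names and the sample data are hypothetical.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    target: str
    reason: str
    expires_at: float                      # epoch seconds
    session_id: str = field(default_factory=lambda: secrets.token_hex(8))


class AccessBroker:
    def __init__(self, max_window_seconds=3600):
        self._vault = {}      # target -> (username, password); never returned to callers
        self._grants = {}     # session_id -> Grant; retained after expiry for audit
        self.max_window = max_window_seconds

    def store_credential(self, target, username, password):
        """Onboard a managed privileged account (done by the PAM admin, not end users)."""
        self._vault[target] = (username, password)

    def request_access(self, user, target, reason, duration, now):
        """Issue a grant bounded by policy; 'standing' access is not expressible."""
        if target not in self._vault:
            raise KeyError(f"no managed account for {target}")
        if not reason.strip():
            raise ValueError("a justification is required")
        if duration <= 0 or duration > self.max_window:
            raise ValueError(f"window must be 1..{self.max_window} seconds")
        grant = Grant(user=user, target=target, reason=reason, expires_at=now + duration)
        self._grants[grant.session_id] = grant
        return grant.session_id

    def open_session(self, session_id, now, connector):
        """Connect on the user's behalf. `connector` stands in for the PAM proxy
        that dials SSH/RDP; it is the only code that ever receives the password.
        The caller gets a session handle with no credential material in it."""
        grant = self._grants.get(session_id)
        if grant is None or now >= grant.expires_at:
            raise PermissionError("no valid grant for this session")
        username, password = self._vault[grant.target]
        handle = connector(grant.target, username, password)
        return {"session_id": session_id, "target": grant.target,
                "username": username, "expires_at": grant.expires_at,
                "handle": handle}

    def audit(self, now):
        """Routine review: grants that have lapsed (candidates for cleanup) and
        grants still live, with who holds them and why."""
        expired = [g for g in self._grants.values() if now >= g.expires_at]
        live = [g for g in self._grants.values() if now < g.expires_at]
        return expired, live


def fake_proxy(target, username, password):
    """Stand-in for the real proxy; a production connector would open the
    transport here. Returns an opaque handle, never the credential."""
    return f"proxy-session:{target}:{username}"


if __name__ == "__main__":
    broker = AccessBroker(max_window_seconds=900)
    broker.store_credential("db01", "root", "correct horse battery staple")
    sid = broker.request_access("alice", "db01", "INC-1234 disk full", 600, now=0.0)
    session = broker.open_session(sid, now=10.0, connector=fake_proxy)
    print(session)            # no password field in what alice receives
    print(broker.audit(now=700.0))
```

The point to notice is the shape of what the requesting user gets back: a target, a username and an expiry, never the password. A request for a window longer than policy allows is refused outright, which is how "standing" access is designed out rather than audited away after the fact; the audit call then only has to list grants that have lapsed.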
What are Privileged Sessions?
A "privileged session" is a connection made by a user to a device, service or system using credentials that carry elevated privileges, for example an administrator's account. As these sessions are very powerful, they should be allowed only for users who have a need for them and the experience to use them safely. See "Principle of Least Privilege" above for more information.
The best Privileged Access Management systems include tools to monitor privileged sessions in real time. They can also close a session if risky behaviour is detected, and record sessions for later investigation or audit.
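To make the monitor-record-terminate loop concrete, here is an added example (not Osirium's code) that replays a session transcript in the shape a PAM proxy might record, one line per command with timestamp, user and target, and applies a small set of risk rules. The transcript, the line format and the rules are constructed for illustration; a real deployment would tune the rules per target.

```python
"""Real-time review of a privileged session transcript.

Added example, not Osirium's code. It replays a constructed transcript in
the shape a PAM proxy might record (timestamp, user, target, command) and
applies hypothetical risk rules: every line is recorded, and the first
risky command marks the session for termination so nothing after it runs.
"""
import re

# Hypothetical risk rules; a real deployment would tune these per target.
RISKY_COMMANDS = [
    (re.compile(r"\brm\s+-rf\s+/(?:\s|$)"), "recursive delete from filesystem root"),
    (re.compile(r"\biptables\s+(?:-F|--flush)\b"), "firewall rules flushed"),
    (re.compile(r"\bdrop\s+(?:table|database)\b", re.I), "destructive SQL"),
    (re.compile(r"\buserdel\b|\bpasswd\s+root\b"), "account tampering"),
]

TRANSCRIPT_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<target>\S+)\s+cmd:\s(?P<cmd>.*)$"
)

# Constructed sample transcript, not real session data.
SAMPLE_TRANSCRIPT = """\
2024-05-01T10:00:01Z alice db01 cmd: uptime
2024-05-01T10:00:09Z alice db01 cmd: sudo systemctl status postgresql
2024-05-01T10:01:30Z alice db01 cmd: psql -c "DROP TABLE customers;"
2024-05-01T10:01:45Z alice db01 cmd: ls /var/backups
"""


def review_session(transcript):
    """Replay a transcript line by line.

    Returns a dict with:
      recording     - every parsed line seen, up to and including the terminating one
      findings      - list of (line_no, command, reason) for risky commands
      terminated_at - line number at which the session was cut, or None
    """
    recording, findings, terminated_at = [], [], None
    for line_no, raw in enumerate(transcript.splitlines(), 1):
        m = TRANSCRIPT_LINE.match(raw)
        if not m:
            raise ValueError(f"line {line_no}: unrecognised transcript format")
        recording.append(m.groupdict())      # record first, then judge
        cmd = m.group("cmd")
        for pattern, reason in RISKY_COMMANDS:
            if pattern.search(cmd):
                findings.append((line_no, cmd, reason))
                terminated_at = line_no
                break
        if terminated_at is not None:
            break          # session cut; later commands never execute
    return {"recording": recording, "findings": findings, "terminated_at": terminated_at}


if __name__ == "__main__":
    result = review_session(SAMPLE_TRANSCRIPT)
    for line_no, cmd, reason in result["findings"]:
        print(f"line {line_no}: {reason}: {cmd}")
    print("terminated at line", result["terminated_at"])
```

Two design choices carry over to real tooling: the line is recorded before it is judged, so the evidence of what was attempted survives even when the session is cut, and the rule for rm -rf deliberately matches only the filesystem root, since flagging every recursive delete would train operators to ignore the alerts.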
Can PAM be SaaS or is it on-premise only?
Most PAM systems are deployed on-premises, even where a cloud-hosted or SaaS option is available. Companies deploying PAM usually want complete control over the PAM system, as it is such a critical part of their infrastructure. A SaaS deployment also introduces new complexity, such as configuring networks and VPNs so that the cloud-hosted PAM system can reach on-premises services and devices.
What is PIM?
Privileged Identity Management (PIM) is a feature often provided in IAM tools. It goes some way towards improving the management of powerful admin and other privileged accounts, in that it can report that these accounts exist and how and when they are being used.
However, that is not a replacement for Privileged Access Management, which actively protects the privileged account credentials and manages the privileged sessions themselves.
What is Privileged User Management?
Privileged User Management (PUM) is much the same as Privileged Identity Management (PIM), and it suffers the same limitations in controlling how admin and privileged account credentials are used.
What is Privileged Process Automation?
Privileged Process Automation, known as PPA, is a tool for IT infrastructure and operations teams to automate complex, repetitive tasks. Traditional approaches to automation fit most IT processes poorly.
Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes such as credit checks or claims processing.
However, RPA isn't well suited to the more complex tasks IT teams handle, or to processes where an element of human review, decision-making and confirmation is needed. It also raises the question of how to control the admin account credentials that the automation scripts need to access services and devices.
Scripting with PowerShell or Bash is popular with admins, but scripts usually duplicate effort across the team and may even have account credentials baked in!
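Finding those baked-in credentials is the first step to moving them into a managed store. The following is an added example, not Osirium's code: a scanner that reads a shell or PowerShell script and reports lines that look like embedded secrets. The rule set is a hypothetical starting point to extend for your own estate, and the sample script is constructed, including a final line that fetches a token at runtime and should not be flagged.

```python
"""Scan admin scripts for credentials baked into the source.

Added example, not Osirium's code. The patterns are a hypothetical
starting set (extend them for your estate) and the sample script is
constructed for illustration.
"""
import re

CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r"(?:password|passwd|pwd|pass|secret|token)\s*[=:]\s*['\"][^'\"]{4,}['\"]", re.I)),
    ("password on the command line",
     re.compile(r"(?:^|\s)(?:-p|--password|-Password)\s+['\"]?[^\s'\"]{4,}", re.I)),
    ("basic-auth credential on the command line",
     re.compile(r"\s-u\s+\S+:\S+")),
    ("URL with embedded credentials",
     re.compile(r"://[^/\s:@]+:[^@\s]+@")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Constructed sample script; the last line shows the runtime-fetch pattern
# that replaces a hard-coded secret and is not reported.
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly backup of the customer database
DB_PASS='Sup3rSecret!'
mysqldump -u backup -p"$DB_PASS" customers > /backups/customers.sql
curl -u admin:hunter2 https://monitor.internal/api/ping
git clone https://deploy:Tr0ub4dor@git.internal/ops-scripts.git /tmp/ops
ssh -i ~/.ssh/backup_key backup@archive01 'ls /backups'
API_TOKEN=$(vault kv get -field=token secret/backup)
"""


def scan_for_credentials(script_text):
    """Return (line_no, finding) pairs. Comment lines are skipped and a line
    is reported once, under the first rule it trips."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, label))
                break
    return findings


if __name__ == "__main__":
    for line_no, label in scan_for_credentials(SAMPLE_SCRIPT):
        print(f"line {line_no}: {label}")
```

Note that line 4 of the sample, which passes the secret through a variable, is not reported on its own; the finding is the literal assignment on line 3. A scanner like this is a triage aid, not a control: the fix the page is arguing for is to have the credential supplied at run time by the PAM system rather than stored anywhere a script can read it.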
When admins are overworked, automating and safely delegating repetitive tasks is better for end users, and admins can get on with more interesting work. For more information, see https://www.osirium.com/automation.
What is PEM (Privileged Endpoint Management)?
PEM, or Privileged Endpoint Management, is Osirium’s solution for reducing risk on user workstations by removing local administrator accounts from Windows computers. End users can still run approved applications with elevated permissions, so they aren't slowed down in their work, and the load on IT help desks is reduced.
What is Privileged Access Security?
Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation.
It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.
What is PASM, PEDM, SUPM, SAPM?
These acronyms, and others, are all variations on the capabilities of a modern PAM solution like Osirium PAM.
They stand for Privileged Account and Session Management (PASM), Privilege Elevation and Delegation Management (PEDM), Superuser Privilege Management (SUPM) and Shared Account Password Management (SAPM).