An Introduction to Privileged Access Management


What is Privileged Access Management?

Every system, service, application, and device in your organization has powerful administrator accounts. Those “admin” accounts have huge power.

They can make substantial changes to those systems, access valuable corporate IP, or reveal personally identifiable information (PII). It’s no surprise that these accounts are prized targets for cyber attackers as they are so powerful.

Controlling access to those powerful accounts is a foundational need for the organization. When those accounts are not managed, all the IT and cybersecurity systems the business depends on are at risk.

The ultimate goal is to ensure that any person accessing a system has the least level of elevated rights they need to do their work.

They only have access to the systems they need. And they only have that access for a short period of time to get their work done.

Good PAM is not optional. Every organization is subject to regulation, such as GDPR, PCI DSS or Sarbanes-Oxley. They often need to implement best practices such as Cyber Essentials or ISO 27001 to improve customer service and reduce risk.

Every one of those standards has a requirement to manage privileged access. Osirium has several whitepapers to show how PAM is relevant to ISO 27001, Cyber Essentials and Digital Security and Protection in the NHS.

For all these reasons, PAM is not an optional purchase. The decision for the company is how to acquire and implement the best PAM for their organization in the most cost-effective and business-enhancing manner possible.

If you would like more information, please get in touch.

Key Benefits of Privileged Access Management

Credential Management

Separate users from passwords

Privileged accounts such as Admin or Superuser are the most powerful and dangerous in your organization.

The best way to start protecting them is to make sure users can't actually get access to them.

That's where Privileged Access Management (PAM) is key.

Learn more about protecting valuable admin credentials

Session Management

Monitor and track privileged sessions

Once a user has gained access to a system using privileged access credentials, you need to know what they're doing.

That's especially true if it's a remote worker or third-party supplier where you don't have so much control over who is using the access.

That's where Session Management and Recording is so important.

Learn more about managing and recording privileged sessions

Applications with Privileged Access

Protect privileged applications

In some cases, IT experts need full access to a system or device and need to use "root" level connections. In most cases that's more access than is really needed. The best practice is to let the user access only the applications they need to do their work.

With Osirium PAM, the MAP Server ensures the user can only use the applications they need.

Learn more about protecting applications with Osirium MAP Server

Automation

Protect privileged work

The best, and most proactive, protection of privileged access is to ensure it can only be used to perform the work that it should.

By wrapping applications, services and devices with Automation, users can't do anything they shouldn't, and a full audit trail is kept.

See how Osirium's unique Automation is the ultimate privileged access protection.

Learn more about automating privileged tasks and processes

An overview of Privileged Access Management

Read this high-level overview to see how PAM can protect your shared devices and services, manage privileged users and accounts and simplify remote access.


Critical PAM Capabilities

Every IT infrastructure is managed by privileged users. Users such as SysAdmins are granted elevated control of servers and devices to ensure that the uptime, performance, resources, and security of the computers meet the needs of the business.

Privileged account abuse presents one of today’s most critical security challenges. It is the hacker’s favoured way of breaching your defences, so privileged account management becomes a critical priority for IT security teams.

Credential management should do more than be a password vault (although that is important). It should take care of the full lifecycle of privileged credentials: creation, rotation/regular update, and removal when no longer needed.

Find out more about credential management in Osirium PAM

Credential Management

Separate users from passwords

Or more accurately, ‘Separating SysAdmins from Credentials’. Secure PAM should start with the assumption that endpoints are compromised, and people are phishable.

Therefore, from the outset, credentials should never pass through endpoints or be revealed to humans (except in "break glass" emergencies).

In such an environment, PAM acts as a 'credential-injecting proxy': credentials only ever travel between PAM and the end device, never via the user's endpoint.

PAM also takes on management of the admin credentials and passwords, ensuring they comply with corporate policies, are rotated regularly and retired when no longer needed.

ID to role mapping

People have identities, while accounts on systems have roles. That's a key difference between an "identity management tool (IAM)" and "Privileged Access Management (PAM)".

IAM confirms that a person is who they say they are, whereas PAM controls what that person can do by assigning that person a "role."

It's important to know which identity used which role, on which system, and when. For ease of management, roles can be grouped as "Profiles", which map Identities through tools and tasks to roles on systems.

Multi-factor authentication

Before access to a role can be granted, the user must prove their identity. Therefore, the quality of identity proofing is crucial for highly secure operations.

Multi-factor Authentication (or MFA) adds an extra level of verification to incoming identities and may be provided by an identity and access management system.

MFA generally works based on something you know, something you've got, or something about you. Authentication can either be handed off to Active Directory or defined as a chain of authentication steps that must all succeed.

For example, a user can be identified either locally or by Active Directory and then through an additional MFA stage such as Google Authenticator.

Just-in-time access

The best security is to not let anyone have access to systems and devices, but clearly, that's not realistic.

The next best option is to not grant access until it's actually needed and then only for the minimum time access is required. In an ideal world, there should never be any "standing" privileged accounts.

Privileged accounts should only be created when they are needed and removed immediately afterwards.

In reality, there may always be a few standing privileged accounts for emergency or "break glass" scenarios. Extra care is needed to protect these accounts and ensure they are only used in extreme situations.
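
The following added model (illustrative Python, not Osirium's code) pulls together the three ideas above: a vault the user never reads, identity-to-role profiles, and time-limited just-in-time grants. The broker, device and clock are all constructed for the example.

```python
import secrets
import time
from collections import namedtuple

Grant = namedtuple("Grant", "identity system role expires_at")


class FakeDevice:  # constructed target: a login succeeds only with the current password
    def __init__(self, accounts):
        self.accounts = dict(accounts)  # role -> password

    def login(self, role, password):
        return self.accounts.get(role) == password


class PamBroker:
    """Holds privileged credentials and logs in on the user's behalf."""
    def __init__(self, vault, profiles, devices, clock=time.time):
        self._vault = vault        # {(system, role): password}, never handed out
        self._profiles = profiles  # {identity: {(system, role), ...}}
        self._devices = devices    # {system: FakeDevice}
        self._clock = clock
        self.audit = []            # (event, identity, system, role, time)

    def _log(self, event, identity, system, role):
        self.audit.append((event, identity, system, role, self._clock()))

    def request_access(self, identity, system, role, ttl_seconds):
        """Just-in-time grant; None unless the identity's profile maps to the role."""
        if (system, role) not in self._profiles.get(identity, set()):
            self._log("denied", identity, system, role)
            return None
        self._log("granted", identity, system, role)
        return Grant(identity, system, role, self._clock() + ttl_seconds)

    def open_session(self, grant):
        """Inject the vaulted credential towards the device; the caller only
        learns whether the session opened, never the password itself."""
        if self._clock() >= grant.expires_at:
            self._log("expired", grant.identity, grant.system, grant.role)
            return False
        secret = self._vault[(grant.system, grant.role)]
        ok = self._devices[grant.system].login(grant.role, secret)
        self._log("session", grant.identity, grant.system, grant.role)
        return ok

    def rotate(self, system, role):
        """Rotate the password on the device first, then in the vault."""
        new_secret = secrets.token_urlsafe(24)
        self._devices[system].accounts[role] = new_secret
        self._vault[(system, role)] = new_secret


def demo():
    """Constructed scenario: alice may be root on fw1, bob has no such profile."""
    now = [1000.0]  # controllable clock so the example is deterministic
    fw1 = FakeDevice({"root": "initial-secret"})
    pam = PamBroker({("fw1", "root"): "initial-secret"},
                    {"alice": {("fw1", "root")}}, {"fw1": fw1}, clock=lambda: now[0])
    grant = pam.request_access("alice", "fw1", "root", ttl_seconds=600)
    first = pam.open_session(grant)   # True: PAM injected the credential
    pam.rotate("fw1", "root")         # password changes on device and in vault
    second = pam.open_session(grant)  # still True: the user never held the password
    now[0] += 601                     # the grant lapses; no standing access remains
    third = pam.open_session(grant)   # False: expired
    bob_denied = pam.request_access("bob", "fw1", "root", 600) is None
    return first, second, third, bob_denied, [e[0] for e in pam.audit]
```

Because the user only ever holds a grant, the password can be rotated between sessions without the user noticing, and expiry of the grant removes access without any account clean-up.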

Session Management

Often it is vital to know exactly what has been done to a system, from where and by whom. Investigating unusual behaviour and satisfying audit requirements are typical reasons for this.

Osirium PAM's Privileged Session Management (PSM) enables security managers to record, store and playback any activities that take place across their entire hybrid-cloud infrastructures.

As a result, Privileged Session Management not only ensures full user access accountability but also acts as a unique deterrent against SysAdmin malpractice.

Together, this provides irrefutable evidence of their privileged activities.

Find out more about session management in Osirium PAM

No bypassing PAM - ever!

All sessions can be recorded. A visual capture allows a video playback of each session along with a thumbnail layout to evaluate sessions at a glance.

Because all sessions have to pass through Osirium PAM there is no way to bypass recording.

Users never get access to the Privileged Credentials therefore they cannot make a session outside Osirium PAM's control.

Mis-use Deterrent

Although most users can be trusted, there's nothing like the security of being able to verify that correct processes are followed. That's particularly useful for new staff or external partners.

With Osirium PAM, every session, or selected users, can be shadowed in real-time - think of it like watching over their shoulder.

Just knowing that sessions may be monitored or recorded is enough to deter misuse of privileged accounts in most cases.

If something isn't right, you can immediately terminate the session. Since the users have no alternate means of access, the user can't bypass PAM to access your IT systems.

Search recordings and metadata

In addition to recording a video of a session, all keystrokes are also captured. Therefore, a SuperAdmin can search by all types of meta-information, including fuzzy keystroke patterns.

Post-incident investigation

Key insight can be gained from session recordings as to why and when a device misconfiguration takes place. Consequently, this allows for the careful examination of changes and provides a quicker return to a stable and working environment.

Good session recordings can be made into mini training videos.
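
As an added illustration (not Osirium's code) of the keystroke search and post-incident investigation described above, the following Python assumes a recorder that stores, per session, the identity, system, role, start time and a keystroke log with offsets from session start; the records are constructed, and the fuzzy match uses edit similarity so a mistyped command is still found.

```python
import difflib
import re
from datetime import datetime, timedelta

# Constructed session metadata in the shape a PAM recorder might keep:
# one record per privileged session with a timestamped keystroke log.
SESSIONS = [
    {"id": "s-101", "identity": "alice", "system": "fw1", "role": "root",
     "start": datetime(2024, 5, 1, 9, 0),
     "keystrokes": [(0, "show running-config"), (42, "configure terminal"),
                    (70, "no access-list 101 permit tcp any any eq 443"),
                    (95, "write memory")]},
    {"id": "s-102", "identity": "bob", "system": "db1", "role": "dba",
     "start": datetime(2024, 5, 1, 9, 30),
     "keystrokes": [(5, "SELECT count(*) FROM customers;"), (30, "\\q")]},
    {"id": "s-103", "identity": "vendor-hvac", "system": "bms1", "role": "admin",
     "start": datetime(2024, 5, 1, 10, 15),
     "keystrokes": [(12, "set setpoint zone3 21"), (60, "wrte memory")]},
]


def fuzzy_match(command, query, cutoff):
    """True if the query (a regular expression) hits the command, or if the
    whole command is close enough by edit similarity to catch typos."""
    if re.search(query, command, re.IGNORECASE):
        return True
    ratio = difflib.SequenceMatcher(None, command.lower(), query.lower()).ratio()
    return ratio >= cutoff


def search_sessions(sessions, query, cutoff=0.8, after=None, before=None):
    """Return (session id, identity, system, when, command) for each matching
    keystroke, optionally limited to a time window."""
    hits = []
    for s in sessions:
        for offset, command in s["keystrokes"]:
            when = s["start"] + timedelta(seconds=offset)
            if after is not None and when < after:
                continue
            if before is not None and when >= before:
                continue
            if fuzzy_match(command, query, cutoff):
                hits.append((s["id"], s["identity"], s["system"], when, command))
    return hits


def who_changed_config(sessions, outage_at, lookback_hours=2):
    """Post-incident question: which privileged sessions saved a configuration
    in the hours before the outage? Fuzzy matching also catches 'wrte memory'."""
    if isinstance(outage_at, str):
        outage_at = datetime.fromisoformat(outage_at)
    window_start = outage_at - timedelta(hours=lookback_hours)
    return search_sessions(sessions, "write memory", after=window_start, before=outage_at)


if __name__ == "__main__":
    for hit in who_changed_config(SESSIONS, "2024-05-01T10:30:00"):
        print(hit)
```

Each hit names the session and identity, so the investigator can jump straight to the matching point in that session's video rather than replaying every recording.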

Application Protection

Legacy applications refer to software older than the current ‘official’ release. In any IT environment, there are legacy applications that cannot be replaced.

To combat this, companies use legacy management tools or ‘thick clients’, but this can cause a number of issues…

What is MAP Server?

Legacy applications all have dependencies, be it their own Dynamic Link Libraries (DLLs), or particular versions of .NET and Java.

Furthermore, it can be tricky or even impossible to have multiple versions of some management tools concurrently installed.

SysAdmins are forced to work across different versions of management tools, or install specific versions on jump boxes and access those. Resource intensive and a security risk, jump boxes are only accessible via a dedicated desktop, often shared by team members.

Find out more about MAP Server

Seamless Integration

Applications are presented on the user's desktop alongside their other applications.

Secure Environment

Secure environment for running legacy applications.

Reduce Compatibility and Dependency Issues

No need to ensure the user's desktop has all the necessary supporting libraries for each legacy application.

Separate People from Passwords

Credentials are injected in the mapped application and never revealed to the user.

Increase Security and Control

IT has control over who has access to which applications and the credentials that are used.

Jump Box on Steroids!

Multiple versions of management applications can be made available to a SysAdmin or DevOps desktop without any dependencies on the workstation.

Automation

Moving beyond protecting privileged accounts is to protect privileged activities - what users are doing with those accounts. Osirium PAM now includes free Osirium Automation licenses.

Osirium Automation, available standalone and as part of Osirium PAM, is a flexible, secure framework to automate tasks that normally need expert administrators.

Automation uses the admin credentials from Osirium PAM which are never exposed to the user.

Find out more about automating privileged actions with Osirium Automation

Flexible, open architecture

Osirium Automation is built on the Privileged Process Automation (PPA) framework to automate processes on IT services, devices and applications via API, REST or web services.

Automated playbooks are built using a low-code task development environment and pre-built example playbooks and plug-ins are available in the PPA Resource Hub.

Safely delegate admin operations

Because privileged credentials are always protected, users can't do anything they shouldn't, and there's a full end-to-end audit trail, it is safe to delegate tasks to the help desk or even to end-users.

A broad range of applications

Osirium Automation can be used to automate any task that might normally need IT help. That can range from resetting account passwords to provisioning accounts for a new starter or setting firewall configurations. The list is endless.


PAM Fundamentals

What are "Privileges"?

Privileges are the permissions, or powers, that an account on a device or service has. A standard user may have very limited privileges, for example, to read records in a database, but not to create or edit data. An administrator on a Linux server running as "root" will have the maximum powers available to install/remove software, create/delete user accounts, change system settings and much more.

What is a “Privileged Account”?

Any account that has more power, or permissions, than a regular user can be considered a “privileged account.” Often, they’re called “administrator,” “supervisor,” or “system” accounts. These accounts have the power to, for example, create/update/remove other user accounts, change system settings, install software, access sensitive databases, … the list is endless.

What is PAM?

A PAM, or Privileged Access Management, system is used to manage the powerful admin accounts. This management covers the actual account credentials (i.e. usernames and passwords), who has access to those accounts, and how those accounts can be used.

An important factor with Osirium PAM is that no user will ever have direct access to those privileged account credentials. If a user can’t see the username & password, they cannot reveal those details to an attacker.

A modern PAM solution, like that from Osirium, goes further and monitors users while they use privileged connections. If necessary, the session can be interrupted to prevent malicious changes from being made. The sessions can also be recorded for later investigation if a security incident occurs.

What is the threat?

The threat of privileged access abuse can come from different areas, not all of which are obvious.

External Attack

The most obvious source of risk is that of an external party trying to gain access to IT systems, whether that’s through hacking firewalls to get inside, spear-phishing staff to acquire their login credentials, or planting malware to open backdoors or exfiltrate data.

Insider Threat

Insiders, or staff, can be a risk in several ways. The most obvious might be the disgruntled employee trying to do damage or steal customer information before leaving.

The less obvious risk is the “over-enthusiastic amateur” – someone who has managed to get admin credentials and then tries to make changes they’re not fully trained for. It’s too easy for them to make a catastrophic change such as shutting down all internet traffic through the firewall or deleting customer records (something seen recently at the Home Office in the UK).

With the increasing adoption of “shadow IT” and the prevalence of cloud-based services being purchased by business units without involving IT, there are more users with admin rights across the business than ever.

Third-Party or Supplier

Every organization depends on close relationships with suppliers, partners and outsourced staff. To do their work, they typically need access to corporate IT systems.

For example, you may outsource the management of your e-commerce webserver to a specialist agency. You may have a supplier that needs access to manage your heating and ventilation systems (the source of the famous breach at Target).

It’s hard to ensure that all these vendors have the same level of security hygiene as is used internally. It’s also hard to ensure that the people who have been granted access don’t share their credentials.

How does PAM compare to IAM? How are IAM and PAM different?

Identity and Access Management (IAM) or Identity Governance and Administration (IGA) are solutions for managing users' credentials – usernames and passwords. They may include tools for generating passwords or support multi-factor authentication (MFA) to aid in logging into IT services.

So IAM is essentially about proving “who you are.” IAM doesn’t provide any help in controlling what users can do once they’ve retrieved credentials and logged in. Privileged Access Management (PAM), by contrast, controls “what you can do” and “how you do it.” Admin users are only allowed access to the systems they need, with the least privilege needed, for the shortest period of time needed.

The combination is very powerful: IAM tools authenticate the person, then Osirium PAM manages the system access for that user.

PAM is a crucial addition and complement to existing IAM to protect the most valuable accounts.

What is POLP or Principle of Least Privilege?

"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should only have the minimum access privilege they need (which may be none). They should only have access to the systems they need.

They should only have access for the time they need it. This is where PAM is a vital asset. When all privileged access to systems is via PAM, you have a single point of control to ensure only the right people have access to the right systems.

Osirium PAM also allows users to request access when they need it, so no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.

What are Privileged Sessions?

A "privileged session" is a connection made by a user to a device, service or system using credentials that have elevated privileges, for example those used by an administrator. As these sessions are very powerful, they should only be allowed for users that have a need and the experience to use them safely. See "Principle of Least Privilege" above for more information.

The best Privileged Access Management systems include tools to monitor privileged sessions in real-time. They can also close the sessions if risky behaviour is shown and record the sessions for later investigation or audit.

Can PAM be SaaS or is it on-premise only?

Most PAM systems are actually deployed on-premises, even if a cloud-hosted or SaaS option is available. Companies deploying PAM usually like to have the confidence that they have complete control over the PAM system, as it is such a critical part of their infrastructure. Also, a SaaS environment introduces new complexity, such as configuring networks and VPNs to allow a cloud-hosted PAM system to access on-premises services and devices.

What is PIM?

Privileged Identity Management (PIM) is a feature often provided in IAM tools. It goes some way towards improving the management of the powerful admin accounts or other privileged accounts, in that it can report that these accounts exist and how/when they are being used.

However, that is not a replacement for Privileged Access Management which is more active protection of those privileged account credentials and management of privileged sessions.

What is Privileged User Management?

Privileged User Management (PUM) is much the same as Privileged Identity Management (PIM), with the same limitations in how admin and privileged account credentials are used.

What is Privileged Process Automation?

Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Traditional approaches to automation aren't recommended for most IT processes.

Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes such as credit checks or claims processing.

However, RPA tools aren’t appropriate for the more complex tasks seen in IT teams, or where an element of human review, decision-making and confirmation is needed. They can also be a concern when considering how to control the admin account credentials needed by the automation scripts to access services and devices.

Scripting, using PowerShell or Bash scripts, is popular with admins, but scripts usually end up duplicating effort and may even have account credentials baked in!

When all admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users and lets admins get on with more interesting work. For more information, see https://www.osirium.com/automation.

What is PEM?

PEM, also known as Privileged Endpoint Management, is Osirium’s solution for removing local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.

What is Privileged Endpoint Management?

PEM, also known as Privileged Endpoint Management, is Osirium’s solution for reducing risk on user workstations. It allows IT teams to remove local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.

What is Privileged Access Security?

Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation.

It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.

What is PASM, PEDM, SUPM, SAPM?

These acronyms, and others, are all variations of the capabilities of a modern PAM solution like Osirium PAM.

They stand for a variety of features including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privilege Management and Shared Account Password Management.
