Planning and deploying Privileged Access Management (PAM) can seem like a daunting task, but with a clear understanding of the objectives and some planning, it can be straightforward.
This checklist builds on years of practical experience to provide a roadmap for PAM success.
Privileged Access Management or PAM is a solution for managing powerful administrator accounts on applications, databases, services and devices.
Managing those privileged accounts covers the full credential life cycle: generating passwords, rotating credentials regularly, and removing accounts when they are no longer needed. PAM provides a secure vault for those credentials and a central command and control point so that policies can be enforced and audit trails maintained.
Modern PAM solutions such as Osirium PAM take this further to include real-time session recording and management, automation and analytics.
Identity Access Management (IAM) or Identity Governance and Administration (IGA) are solutions for managing how users prove who they are. This might include username/password combinations, biometric authentication or multi-factor authentication.
It’s essentially about “who you are”. Privileged Access Management (PAM) controls what users do while connected to services and devices. The combination is very powerful: IAM tools authenticate the person, then Osirium PAM manages that user’s sessions.
Privileged Access Management works by sitting between the user and the required service or device. Once the user proves who they are, Osirium PAM presents a list of the devices, services and tasks that person is allowed to access.
Once the required service is selected, PAM connects to the service and injects the administrator credentials to establish the user’s session. At no time are those credentials returned to the user, ensuring they cannot be intercepted or leaked.
Osirium PAM supports a broad range of connection types, including SSH terminal sessions, full remote desktop sessions and access to specific applications without exposing the full desktop.
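As an added illustration (not Osirium code), here is the brokered flow described above together with the credential life cycle from earlier, modelled in a few lines of Python: the users, device names and policy are constructed placeholders, and ManagedDevice stands in for a real target that only accepts its current password.

```python
import secrets
import string
from collections import namedtuple

# Constructed access policy (placeholder users and hosts, not real systems):
# which privileged targets each already-authenticated user may see and reach.
POLICY = {"alice": {"db-prod-01"}, "bob": {"web-edge-01"}}
# What the user gets back: a session handle with no credential field, by design.
Session = namedtuple("Session", "user device session_id")

def generate_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

class ManagedDevice:
    """Stand-in for a server: a login succeeds only with its current password."""
    def __init__(self, account: str):
        self.account, self.password = account, generate_password()

    def login(self, account: str, password: str) -> bool:
        return account == self.account and secrets.compare_digest(password, self.password)

class PAMBroker:
    def __init__(self, devices: dict):
        self._devices, self._vault, self.audit = devices, {}, []
        for name in devices:  # onboarding rotates every account into the vault
            self.rotate(name)

    def rotate(self, device: str) -> None:
        # Lifecycle: PAM generates the secret and sets it on the device; no user sees it.
        new = generate_password()
        self._devices[device].password = new
        self._vault[device] = new
        self.audit.append(("rotate", device))

    def list_targets(self, user: str) -> set:
        return set(POLICY.get(user, ()))

    def connect(self, user: str, device: str) -> Session:
        if device not in self.list_targets(user):
            self.audit.append(("denied", user, device))
            raise PermissionError(f"{user} may not access {device}")
        dev = self._devices[device]
        # Credential injection: the broker authenticates to the target itself.
        if not dev.login(dev.account, self._vault[device]):
            raise RuntimeError("vault and device are out of sync")
        session = Session(user, device, secrets.token_hex(8))
        self.audit.append(("connect", user, device, session.session_id))
        return session
```

The user only ever holds a session handle; the vault and the device are the only two places the password exists, and every rotation, connection and denial lands in the audit trail.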
Privileged accounts are those with enhanced capabilities, so Privileged Access Management could also be called Privileged Account Management but "access" is important because it covers what a user does while connected to a system, application or device as an administrator. For example, an administrator account may be able to create new accounts, update critical configurations, change system settings or access confidential data.
These accounts can be across the business, not just in IT. For example, Marketing may have an administrator account for their marketing automation system or access to a customer database.
The Finance team may have administrator accounts for accounting systems. Because of this power, administrator accounts are highly valued by cyber attackers as they unlock the most valuable systems and data.
The primary benefit of PAM is to protect valuable administrator credentials. Having this control, and being able to prove it to auditors, is a requirement not just for good business management but also for compliance with regulatory standards such as PCI DSS, NIST-800, Sarbanes-Oxley, Cyber Essentials and many more. PAM is a critical capability that goes beyond Identity Management and Governance (sometimes known as IGA or Privileged Identity Management, PIM) as it is concerned not just with the account credentials but with what users do with those accounts.
Modern PAM is also an enabler for digital business by making it easier and faster for users to access IT systems, automating complex operations and securely allowing access for external partners and vendors.