privileged access management (PAM)

Privileged access management (PAM) is the combination of tools, technology and process used to secure, control and monitor access to an organization's critical information and resources. Subcategories of PAM include shared access password management, privileged session management, vendor privileged access management and application access management.

Privileged user accounts are significant targets for attack because they have elevated permissions, access to confidential information and the ability to change system settings. If one is compromised, an attacker can do a large amount of damage to organizational operations. Account types typically placed under PAM include emergency (break-glass) accounts, local administrator accounts, Microsoft Active Directory accounts, application and service accounts, and domain administrator accounts.

PAM software and tools work by gathering the credentials of privileged accounts, such as system administrator accounts, into a secure repository (a vault), brokering their use and logging their activity. This separation is intended to lower the risk of admin credentials being stolen or misused: the credential is checked out of the vault for a task rather than living on an admin's workstation or in a shared spreadsheet. Some PAM platforms do not allow privileged users to choose their own passwords at all. Instead, the platform's password manager tells an admin the password in force for a given day, or issues a one-time password each time the admin logs in, so a password that leaks is useless once its window has passed.

PAM software features

Privileged access management is especially important for companies that are growing or that run a large, complex IT estate. Vendors offering enterprise PAM tools include BeyondTrust, Centrify, CyberArk, SecureLink and Thycotic.

PAM tools and software typically provide the following features:

  • Multi-factor authentication (MFA) for administrators.
  • An access manager that stores permissions and privileged user information.
  • A password vault that stores privileged passwords securely and controls their release.
  • Session tracking (recording and monitoring) once privileged access is granted.
  • Dynamic, just-in-time authorization. For example, granting access only for a specific period of time and revoking it when the period ends.
  • Automated provisioning and deprovisioning to reduce insider threats and orphaned privileged accounts.
  • Audit logging tools that help organizations meet compliance requirements.
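The features above fit together as one workflow: an admin who has passed MFA checks a credential out of the vault for a bounded lease, everything done in that session is tied to the lease in the audit log, and the secret is rotated when the lease is checked in or expires. The following is an added example illustrating that workflow; it is not code from the original article or from any vendor's product. The account name `svc-db-admin`, the requester `alice`, the one-hour lease cap and the single-use MFA code (a stand-in for a real second factor such as TOTP) are all hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_LEASE_SECONDS = 3600  # hypothetical policy: no privileged checkout outlives one hour


class AccessDenied(Exception):
    pass


@dataclass
class Lease:
    session_id: str
    requester: str
    account: str
    expires_at: float


class PrivilegedVault:
    """Toy PAM vault: holds privileged passwords, brokers time-bound checkouts,
    rotates the secret when a lease ends and keeps an audit trail."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so a caller can advance time
        self._passwords = {}         # account -> current password
        self._entitlements = {}      # requester -> accounts they may check out
        self._mfa_codes = {}         # requester -> single-use second-factor code
        self._leases = {}            # session_id -> Lease
        self.audit = []              # (timestamp, event, details) tuples

    def _log(self, event, **details):
        self.audit.append((self._clock(), event, details))

    def _deny(self, reason, **details):
        self._log("deny", reason=reason, **details)
        raise AccessDenied(reason)

    def onboard_account(self, account):
        # The vault generates the password; no admin chooses it or sees it at rest.
        self._passwords[account] = secrets.token_urlsafe(24)
        self._log("onboard", account=account)

    def grant(self, requester, account):
        self._entitlements.setdefault(requester, set()).add(account)
        self._log("grant", requester=requester, account=account)

    def issue_mfa_code(self, requester):
        # Stand-in for a real second factor (TOTP, push): one code, used once.
        code = secrets.token_hex(4)
        self._mfa_codes[requester] = code
        return code

    def checkout(self, requester, account, mfa_code, ttl_seconds):
        """Hand out the password for a bounded lease, or refuse and log why."""
        expected = self._mfa_codes.pop(requester, None)  # consumed even on failure
        if expected is None or not hmac.compare_digest(expected, mfa_code):
            self._deny("mfa", requester=requester, account=account)
        if account not in self._entitlements.get(requester, set()):
            self._deny("not_entitled", requester=requester, account=account)
        if not 0 < ttl_seconds <= MAX_LEASE_SECONDS:
            self._deny("ttl", requester=requester, account=account)
        sid = secrets.token_hex(8)
        self._leases[sid] = Lease(sid, requester, account, self._clock() + ttl_seconds)
        self._log("checkout", session_id=sid, requester=requester,
                  account=account, ttl=ttl_seconds)
        return sid, self._passwords[account]

    def record_activity(self, session_id, command):
        # Session tracking: every privileged action is tied to an unexpired lease.
        lease = self._leases.get(session_id)
        if lease is None or lease.expires_at <= self._clock():
            self._deny("no_session", session_id=session_id)
        self._log("activity", session_id=session_id, requester=lease.requester,
                  account=lease.account, command=command)

    def checkin(self, session_id):
        lease = self._leases.pop(session_id, None)
        if lease is None:
            self._deny("unknown_session", session_id=session_id)
        self._rotate(lease.account)
        self._log("checkin", session_id=session_id, account=lease.account)

    def expire_leases(self):
        now = self._clock()
        for sid in [s for s, l in self._leases.items() if l.expires_at <= now]:
            lease = self._leases.pop(sid)
            self._rotate(lease.account)
            self._log("expire", session_id=sid, account=lease.account)

    def password_is_current(self, account, password):
        return hmac.compare_digest(self._passwords[account], password)

    def _rotate(self, account):
        # The password handed out during the lease stops working once it ends.
        self._passwords[account] = secrets.token_urlsafe(24)
        self._log("rotate", account=account)


def run_demo():
    """Walk one checkout through its lifetime; returns state a caller can inspect."""
    now = [1_700_000_000.0]                       # constructed clock value
    vault = PrivilegedVault(clock=lambda: now[0])
    vault.onboard_account("svc-db-admin")
    vault.grant("alice", "svc-db-admin")
    sid, pw = vault.checkout("alice", "svc-db-admin", vault.issue_mfa_code("alice"), 600)
    vault.record_activity(sid, "ALTER USER app WITH PASSWORD ...")  # constructed command
    now[0] += 601                                 # lease lapses without a check-in
    vault.expire_leases()
    return vault, sid, pw
```

The point of the design is that the password an admin receives is only ever valid for the lease: once `expire_leases()` or `checkin()` runs, the vault rotates it, so a credential captured from a terminal scrollback or a keylogger is worthless afterwards. The MFA code is popped before it is compared, so a failed attempt cannot be retried with the same code, and every refusal is logged with its reason, which is what an audit or detection team actually wants to see.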

Vendor privileged access management (VPAM)

Vendor privileged access management is a subset of PAM that focuses on the external threats created by an organization's reliance on outside partners to support, maintain or troubleshoot certain technologies and systems. Representatives from these vendors require remote privileged access to the enterprise network in order to complete these tasks, which poses a distinct problem for IT management.

VPAM solutions are built specifically for managing the high-stakes threats that third-party vendors present. Third-party users complicate threat management because they are not tracked and managed in the same way as internal employees. Since a vendor's staff fall outside the customer's control, a company may have little understanding of who they are, how they are using a company-provided login and when they have stopped working for the vendor. VPAM helps organizations control and monitor third parties' privileged access to critical applications and systems, while streamlining the management of all transient users, such as vendors.

VPAM products provide three key areas of value to mitigate risks associated with third-party vendor access:

  1. Identification and authentication: Vendor access is difficult to manage because of both the lack of oversight and the potential number of users. Implementing multi-factor authentication and vendor identity management is therefore critical. VPAM tools provide authentication options that make it easy to onboard and offboard users, which prevents vendor representatives who leave the vendor from taking their access with them.
  2. Access control: Once a user is authenticated, permissions need to be granted. A VPAM solution gives network managers the ability to assign access permissions that match a defined set of requirements. Access control can be as granular as an individual account or as general as an entire network application. Managers can also schedule access by supervised or unsupervised technicians at times convenient for monitoring, adding to both the efficiency and the security of the enterprise network.
  3. Recording and auditing: VPAM tools monitor user activity during every session and can document the exact who, what, where, when and why of any remote support session. Audit functionality within a VPAM platform also means that enterprise organizations can ensure vendor accountability and compliance with industry regulations.

PAM vs identity management

PAM is often confused with identity and access management (IAM). While some overlap exists, PAM focuses only on accounts with privileged or administrative access, while identity management encompasses every user who requires access to a system. Identity management gives organizations a way to authenticate and authorize general access for employees, partners and customers.

To ensure the highest level of security and usability, companies should look into implementing both privileged access management and identity management. Identity management systems cover the larger attack surface of the organization's user population, while PAM systems cover the smaller, higher-value attack surface of privileged accounts.

This was last updated in March 2019
