The first in our PAM for Dummies series, this article offers a business-oriented definition of Privileged Access Management (PAM), an important technology for security and compliance, and how to implement it for robust cybersecurity in your organization.
Why do you need to know about privileged access management?
Getting into a technical talk about security and compliance is like walking into a movie that’s half over and you can’t follow the story, especially because it’s a somewhat boring movie to start with. Yet, the business impacts of security and compliance problems are well understood. A serious security incident can be extremely costly to handle and damaging to the brand. Compliance problems may not be quite the headline grabbers as data breaches, but they promise plenty of costly hassles and reputation damage when mishandled.
Security is Your Job, Even if It’s Not in Your Title
Security and compliance are actually part of your job, even if you don’t have “security” in your title. An officer of a corporation has a fiduciary duty to the shareholders to protect the assets of the corporation from risk. You are required to shield assets like trade secrets, customer data and brand name value from threats. Of course, this is easier said than done as those threats have only grown worse in recent years.
The Vulnerability That Stands Out
You already have security and compliance programs in place. They’re probably even pretty impressive. Every system of defenses has vulnerabilities, though. This is always true, no matter how much effort and money you put into it. And, the one type of vulnerability that stands out from the others is the abuse of privileged access. If you tick off the five worst data breaches in recent years on one hand, all five are the result of privileged access exposure.
Some of your employees have access privileges that entitles them to see data and software that others cannot. Privileged users can modify settings on your systems of record. For example, a privileged user can change a financial system user’s ability to execute a transaction. You might see this at work with Sarbanes-Oxley certification of internal controls. The controls frameworks that support SOX call for segregation of duties between people who, say, request and approve checks. A privileged user can switch those duties around. This privilege is an administrative necessity, but it’s also a big potential risk.
Who’s Watching the Watchers?
You need privileged users. You trust your people. But, what if there is a problem? For instance, what if a malicious actor impersonates a privileged user and gains access to your data? Insiders sometimes go rogue and attack their employers (hence Insider Threat). It’s naïve to pretend it doesn’t happen. Some of your privileged users may not even work for you. They’re contractors and vendors. Who’s keeping tabs on them? What if a privileged user makes a mistake and accidentally renders a system insecure?
Who’s watching the watchers? Who’s guarding the lockbox that contains the keys to all your systems and data repositories? If something goes wrong, you need to know who did what and figure out how to repair the damage.
Privileged Access Definition and Management
Solutions that help organizations stay on top of privileged access go by the names “Privileged Access Management” or “Privileged Account Management” (PAM). Sometimes, they’re known as “Privileged Session Management.” PAM keeps your organization safe from accidental or deliberate misuse of privileged access.
A definition: PAM solution offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems. PAM lets you:
- Monitor privilege account access in real time and block or flag activities that are suspicious.
- Grant privileges to users only for systems on which they are authorized.
- Grant access only when it’s needed and revoke access when the need expires.
- Centrally and quickly manage access all of your systems.
- Create an audit trail of privileged operations.
What’s in a PAM solution?
Privileged Access Management solutions vary in their design, but most of them have the following components:
- An Access Manager – Controlling access to privileged accounts. It is a single point of policy definition and policy enforcement for privileged access management. A privileged user requests access to a system through the Access Manager. Access Managers can also turn off a privileged user’s access.
- A Password Vault – Preventing privileged users from knowing the actual passwords to critical systems. This prevents a manual override on a physical device, for example.
- A Session Manager – Knowing, controlling, and creating an audit trail of what a privileged user did during an administrative session. A Session Manager tracks actions taken during a privileged account session.
Getting the Right PAM Solution
Want a PAM solution now? You probably already have one, but it may not be the right one. PAM solutions are notoriously difficult to use. When that happens, privileged users often ignore them, leaving you exposed to the very risks they are supposed to mitigate. This is the problem we solve.
The WALLIX PAM solution is easy to deploy. It’s simple and efficient to maintain, able to work with virtually any privileged account. What’s our secret? We have designed our PAM solution as “agent-less.” Unlike a lot of other PAM solutions, WALLIX doesn’t force the IT department to install special software on every system where they are managing privileged access. This can kill PAM through complexity and expense. Instead, our elegantly architected PAM solution gives your team the tools to make PAM an enduring, scalable, and consistent force in your security and compliance efforts.