What is Privileged Account Management (PAM)?
Privileged account management can be defined as managing and auditing account and data access by privileged users.
A privileged user is someone who has administrative access to critical systems. For instance, anyone who can set up and delete user accounts and roles on your Oracle database is a privileged user.
Like any privilege, a privileged account should only be extended to trusted people. You only give accounts with “root” privileges (like the ability to change system configurations, install software, change user accounts, or access secure data) to those whom you trust. However, as the old saying goes, you should “trust but verify”.
Even trusted access needs to be controlled and monitored. That’s what privileged account management is for. Companies need to maintain the ability to revoke privilege at any time. And ideally, most account privileges should either automatically sunset or else be subject to periodic review. The best practice is to limit privileges to those who actively need them.
Doing all this manually, depending on the size and complexity of your organization, is either time-consuming or impossible.
But the scary reality is that stealing and exploiting privileged accounts is a critical success factor for attackers in virtually all advanced attacks, regardless of attack origin. Privileged accounts are quite literally the keys to your IT kingdom. Forget about all that “people are our most valuable asset” nonsense; we all know that your data is the most valuable asset for virtually any organization.
The larger and more complex your organization’s IT systems are, the more privileged users you have. Privileged users can be employees or contractors, remote or local, human or automated.
How Does PAM Work?
PAM – Privileged Account Management – protects your systems from accidental or deliberate misuse of privileged accounts.
PAM offers a scalable and secure way to authorize and monitor all privileged accounts across all your systems. It allows you to:
- Grant privileges to users only for systems on which they are authorized.
- Grant access only when it’s needed and revoke access as soon as the need expires.
- Eliminate local/direct system passwords for privileged users.
- Centrally manage access over a disparate set of heterogeneous systems.
- Create an unalterable audit trail for any privileged operation.
Components of a PAM Solution
Privileged Account Management solutions vary, but most offer the following components:
- Access Managers – govern access to privileged accounts. They provide a single point of policy definition and policy enforcement for privileged account management. A privileged user requests access to a system through the Access Manager. The Access Manager knows which systems the user can access and at what level of privilege. A super admin can add/modify/delete privileged user accounts on the Access Manager in a centralized system—thus greatly improving efficiency and effective compliance levels.
- Password Vaults – PAM systems keep privileged passwords in a secure vault. All system access is via the Password Vault, so end users never have direct access to root passwords.
- Session Managers – track all actions taken during a privileged account session for future review and auditing. Further, some systems can prevent malicious or unauthorized actions and/or alert Super Admins if suspicious activity is detected.
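To make the behaviour described in the two lists above concrete, here is an added toy example (not code from the original article or from any PAM product) that folds an Access Manager, a Password Vault and an audit trail into one class: access is granted only on systems the user is entitled to, the grant sunsets after a time-to-live, the vaulted credential is released only while the grant is live, and every decision is written to a hash-chained log that detects later edits. The system names, user names and credential are constructed sample values; the `clock` parameter is an assumption that lets expiry be exercised without waiting.

```python
import hashlib
import json
import time


def _digest(record):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class PrivilegedAccessBroker:
    def __init__(self, vault, entitlements, clock=time.time):
        self.vault = vault                # system -> root credential (constructed sample)
        self.entitlements = entitlements  # user -> set of systems they may administer
        self.clock = clock                # injectable so expiry can be tested
        self.grants = {}                  # (user, system) -> expiry timestamp
        self.audit = []                   # append-only, hash-chained records

    def _record(self, event, **fields):
        # Each record commits to the previous hash, so tampering breaks the chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": self.clock(), "event": event, "prev": prev, **fields}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def request_access(self, user, system, ttl_seconds):
        """Grant time-limited access, and only on systems the user is entitled to."""
        if system not in self.entitlements.get(user, set()):
            self._record("denied", user=user, system=system)
            return False
        self.grants[(user, system)] = self.clock() + ttl_seconds
        self._record("granted", user=user, system=system, ttl=ttl_seconds)
        return True

    def checkout(self, user, system):
        """Release the vaulted credential only while the grant is still live."""
        expiry = self.grants.get((user, system))
        if expiry is None or self.clock() >= expiry:
            self.grants.pop((user, system), None)  # grant has sunset: revoke it
            self._record("refused", user=user, system=system)
            return None
        self._record("checkout", user=user, system=system)
        return self.vault[system]

    def audit_intact(self):
        """Recompute the chain; False if any record was edited or removed."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True
```

A real deployment would keep the vault contents encrypted at rest and ship the audit records to a store the administrators themselves cannot rewrite; the chain only makes tampering detectable, not impossible.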