Privileged Access Management

Conventional identity management deals with two types of accounts:

  • User accounts
  • Privileged Accounts

User accounts have a limited set of privileges to access different resources; examples are online shopping accounts, social media accounts and many more. Those resources are protected using an authentication mechanism such as passwords, tokens, biometrics, etc.

Privileged accounts are not merely user accounts: they provide administrative or specialized levels of access based on higher levels of permissions. Organizations use these accounts to run the business effectively and to maintain sensitive data. That can mean access to infrastructure, sensitive data, configuring systems, deploying patches, scanning for vulnerabilities, cloud environments and a lot more, varying with the type of organization.

If privileged credentials are obtained by an attacker, the damage to the organization can be catastrophic. So privileged credentials should have an extra layer of protection.

There are some other problems specifically associated with a shared account. With a shared account there is no way to track who is using the account at a particular moment. Further, in a typical shared-account setup there is no secure way to store or communicate the passwords.

The solution to all of the above problems comes with PAM (Privileged Access Management).

PAM is used to secure, control and monitor access to privileged accounts, reducing the opportunities for malicious users to gain access to them. The whole purpose and key benefit of implementing a PAM solution is the reduction in the risk of a security breach.

IAM covers all user accounts and gives privileged accounts no special treatment. PAM solutions, by contrast, control the connection between administrators and other privileged users and the role-based accounts they need to do their jobs.

PAM solutions take the credentials of privileged accounts and put them inside a vault, which reduces the chance that the passwords are stolen by attackers. Typical capabilities include:

  • Storing the passwords in a secure place. Once a user is granted access to a particular resource, let them check the credential out and have them check it back in when the need for that specific account access is finished.
  • Changing the passwords automatically — periodically, or once the user leaves the company or no longer needs access to the particular account.
  • Providing on-demand passwords for applications — for example, when a privileged person needs to access a resource, a one-time password (OTP) is sent to the user's phone or email and is made unavailable after it is used.
  • Monitoring, auditing and recording all sessions and activities performed in the privileged account for later review.
  • Monitoring privileged accounts to quickly detect and respond to malicious activity.
  • Even when a user has access to the privileged account, controlling the privileged actions based on the user's role.
  • Preventing or limiting malware attacks and ensuring the organization's productivity by providing an extra layer of protection to sensitive data.
  • Quick and easy granting or removal of users' access to the privileged account, both from inside and outside the organization.
  • All details are available for auditing and report generation.
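To make the check-out/check-in, rotation, role control and audit points above concrete, here is a small model of a credential vault. It is an added illustration written for this post, not the code of any real PAM product, and every name in it (the `Vault` class, the `root@db-01` account, the users `alice` and `bob`, the `dba` and `auditor` roles) is constructed. It also handles one failure mode the list only implies: a holder who never checks the credential back in before the lease expires, in which case the secret is rotated before anyone else receives it.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class VaultError(Exception):
    """Raised when a PAM policy check fails."""


@dataclass
class Lease:
    user: str
    expires_at: float


@dataclass
class PrivilegedAccount:
    name: str
    secret: str
    allowed_actions: Dict[str, Set[str]]   # role -> actions that role may run
    lease: Optional[Lease] = None


class Vault:
    """Vaults privileged credentials and enforces time-bound check-out/check-in."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so lease expiry can be tested
        self._accounts: Dict[str, PrivilegedAccount] = {}
        self.audit: List[dict] = []    # every event is recorded for later review

    def _log(self, event: str, **details) -> None:
        self.audit.append({"ts": self._clock(), "event": event, **details})

    def add_account(self, name: str, allowed_actions: Dict[str, Set[str]]) -> None:
        # The vault generates the secret; no person ever learns the initial value.
        self._accounts[name] = PrivilegedAccount(name, secrets.token_urlsafe(24), allowed_actions)
        self._log("account_added", account=name)

    def rotate(self, name: str) -> None:
        self._accounts[name].secret = secrets.token_urlsafe(24)
        self._log("rotated", account=name)

    def holder(self, name: str) -> Optional[str]:
        """Who holds the account right now: the question a shared account cannot answer."""
        lease = self._accounts[name].lease
        if lease is None or lease.expires_at <= self._clock():
            return None
        return lease.user

    def check_out(self, user: str, name: str, ttl_seconds: float) -> str:
        """Hand the secret to one user for a bounded time; refuse while someone else holds it."""
        current = self.holder(name)
        if current is not None:
            self._log("checkout_denied", account=name, user=user, holder=current)
            raise VaultError(f"{name} is checked out by {current}")
        acct = self._accounts[name]
        if acct.lease is not None:     # stale lease: previous holder never checked in
            self.rotate(name)          # so the value they saw must not be reused
        acct.lease = Lease(user, self._clock() + ttl_seconds)
        self._log("checked_out", account=name, user=user, ttl=ttl_seconds)
        return acct.secret

    def check_in(self, user: str, name: str) -> None:
        """Return the account; the secret is rotated so the value the user saw is now useless."""
        if self.holder(name) != user:
            raise VaultError(f"{user} does not hold {name}")
        self._accounts[name].lease = None
        self._log("checked_in", account=name, user=user)
        self.rotate(name)

    def perform(self, user: str, role: str, name: str, action: str) -> bool:
        """A privileged action needs a live lease AND a role that permits that action."""
        if self.holder(name) != user:
            self._log("action_denied", account=name, user=user, action=action, reason="no_lease")
            raise VaultError(f"{user} has no active lease on {name}")
        if action not in self._accounts[name].allowed_actions.get(role, set()):
            self._log("action_denied", account=name, user=user, action=action, reason="role")
            raise VaultError(f"role {role} may not {action}")
        self._log("action", account=name, user=user, role=role, action=action)
        return True


class FakeClock:
    """Constructed clock so the walk-through can move time forward deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Constructed scenario: alice checks out, acts, returns; bob then gets a fresh secret."""
    vault = Vault(FakeClock())
    vault.add_account("root@db-01", {"dba": {"backup", "restart"}, "auditor": {"backup"}})
    first = vault.check_out("alice", "root@db-01", ttl_seconds=600)
    vault.perform("alice", "dba", "root@db-01", "restart")
    vault.check_in("alice", "root@db-01")
    second = vault.check_out("bob", "root@db-01", ttl_seconds=600)
    return {"events": [e["event"] for e in vault.audit], "rotated": first != second}
```

Running `demo()` shows the audit trail a reviewer would expect (`account_added`, `checked_out`, `action`, `checked_in`, `rotated`, `checked_out`) and confirms that the secret bob receives differs from the one alice used. The `holder()` query is what removes the shared-account blind spot: at any moment the vault can say exactly who, if anyone, is using the account.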

I will explain my own experience here, for a better understanding of PAM.

I came to London and my flight was a bit delayed, so I reached the apartment a bit later than expected. I used my access card to open the store room door where all the permanent keys are placed, but I could not open that door because the access card had expired. Previously I had been informed to use the card within a certain time frame to collect the permanent keys, but that time had already passed. I made a phone call and informed the hotel admins, who work remotely, about the issue I faced, and they asked me to wait a bit till they got back to me. I stayed outside by the road sitting on my bags taking selfies till they got back to me.

The hotel admins got back to me and informed me that they had given privileged access to my card to open the front door directly. I opened the front door and came upstairs, but with all the mess I had, I could not remember my room number. So I tried to open room number 3 using my access card, but that door did not open. Even though I had been given privileged access, it seems I can't open all the doors ;). Then I tried my card against room number 4, YES !!!, finally the door opened and it was my room. I left all the bags there and went downstairs again to collect my permanent keys. I swiped my access card against the store room door and collected my permanent keys. On the way back to the room, when I tried to open the front door using the access card, I could not. They had removed the privileged access and I had been demoted from privileged user level to normal user level :)

I hope you have a basic understanding of PAM now. Thanks for reading the blog.

Associate Technical Lead @ WSO2