Privileged Access Management (PAM)
WORLD OF PRIVILEGED ACCESS MANAGEMENT
Privileged Access Management (PAM) provides the controls to ensure secure elevated access to critical resources for both human and service accounts.
MANAGE ALL PRIVILEGED ACCESS ACCOUNTS REQUIRED TO RUN YOUR MODERN BUSINESS.
PAM includes both the technologies and the policies used to control and monitor privileged access. It adds controls beyond standard IAM so that organizations can see and govern who (or what) accesses privileged company resources. It also manages the credentials associated with privileged application and system accounts, including the rotation of those credentials.
PAM is based on the principle of least privilege, where users only receive the minimum levels of access required to perform their job. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. This ensures organizations can reduce the attack surface and mitigate the risk from malicious insiders or external cyber-attacks that can lead to costly data breaches.
FEATURES & BENEFITS
Account discovery and onboarding
This capability discovers, identifies and onboards privileged accounts, with support for periodic, ad hoc or continuous discovery scans. It also discovers target services and systems automatically so that the privileged accounts held on them can be found and brought under management.
Privileged credential management
This capability provides core features and functions to manage and protect system and enterprise privileged account credentials or secrets, including SSH keys. It includes generation, vaulting, rotation, and retrieval for interactive access to these credentials by individuals. It also includes rotation of credentials for service and software accounts (i.e., embedded accounts) on target systems.
Privileged session management
This capability provides session establishment, management, recording and playback, real-time monitoring, protocol-based command filtering, and session separation for privileged access sessions. It includes functions to manage an interactive session with the PAM tool, from check-out of a credential to check-in of that credential — although in normal cases, this credential is not disclosed to the user.
Secrets management
This capability manages access to credentials (such as passwords, auth tokens and SSH keys) for nonhuman use cases: machines, applications, services, scripts, processes and DevOps pipelines. It can generate, vault, rotate and deliver a credential to a nonhuman entity (e.g., via API). It also brokers trust between different nonhuman entities so they can exchange secrets, and manages the authorizations and related functions that govern that exchange. Together these functions support secrets management for dynamic environments and for robotic process automation (RPA) platforms.
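The credential lifecycle described under privileged credential management, privileged session management and secrets management (generate, vault, check out under a time-bound lease, resolve for injection without disclosing the value, check in, rotate) can be modelled in a few dozen lines. The following is an added illustration, not code from the original page or from any PAM vendor; the `Vault` and `Lease` classes, the account name `root@db01`, the identities `alice`, `backup-job` and `mallory`, and the audit record layout are all invented for this example.

```python
"""Minimal in-memory model of a PAM credential vault (hypothetical; added example).

Shows the workflow a PAM tool enforces: a fresh credential is vaulted at
onboarding, a requester receives only an opaque lease token, the session proxy
(or an API client) resolves that token to the credential while the lease is
live, and check-in or expiry rotates the credential so nothing leaked during
the session stays valid.  Every step lands in an audit list.
"""
import secrets
import time
from dataclasses import dataclass

# 32 characters drawn from 62 symbols is roughly 190 bits of entropy.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_password(length: int = 32) -> str:
    """CSPRNG-backed password; the `random` module must never be used here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Lease:
    account: str        # privileged account, e.g. "root@db01" (invented name)
    requester: str      # human or machine identity holding the lease
    expires_at: float   # epoch seconds; resolve() refuses after this
    token: str          # opaque handle; the credential itself is never handed out


class Vault:
    """Stand-in for a PAM vault.  The clock is injectable so expiry is testable."""

    def __init__(self, now=time.time, default_ttl_s: int = 3600):
        self._now = now
        self._secrets: dict = {}    # account -> current credential
        self._leases: dict = {}     # token -> active Lease
        self._policy: dict = {}     # account -> identities allowed to check it out
        self.default_ttl_s = default_ttl_s
        self.audit: list = []       # every operation is recorded for logging/reporting

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self._now(), "event": event, **fields})

    def onboard(self, account: str, allowed: set) -> None:
        """Vault a fresh credential and record who may use it.  A real tool would
        also push the new value to the target system at this point."""
        self._secrets[account] = generate_password()
        self._policy[account] = set(allowed)
        self._log("onboard", account=account)

    def rotate(self, account: str, reason: str) -> None:
        """Replace the credential; the old value is dead once this returns."""
        old = self._secrets[account]
        new = generate_password()
        while new == old:           # practically impossible, but keep the guarantee
            new = generate_password()
        self._secrets[account] = new
        self._log("rotate", account=account, reason=reason)

    def checkout(self, account: str, requester: str, ttl_s: int = 0) -> Lease:
        """Issue a time-bound lease.  Denied identities get an audit record, not a secret.
        ttl_s of 0 means the policy default; requests above the default are capped."""
        if requester not in self._policy.get(account, set()):
            self._log("checkout_denied", account=account, requester=requester)
            raise PermissionError(f"{requester} may not check out {account}")
        ttl = min(ttl_s or self.default_ttl_s, self.default_ttl_s)
        lease = Lease(account, requester, self._now() + ttl, secrets.token_urlsafe(24))
        self._leases[lease.token] = lease
        self._log("checkout", account=account, requester=requester, ttl_s=ttl)
        return lease

    def resolve(self, token: str) -> str:
        """Called by the session proxy or a machine client to obtain the credential
        for injection.  Unknown or expired tokens are refused and logged."""
        lease = self._leases.get(token)
        if lease is None or lease.expires_at <= self._now():
            self._log("resolve_denied", token=token[:6] + "...")
            raise PermissionError("lease unknown or expired")
        self._log("resolve", account=lease.account, requester=lease.requester)
        return self._secrets[lease.account]

    def checkin(self, token: str) -> None:
        """End the lease and rotate, so whatever was seen during it no longer works."""
        lease = self._leases.pop(token, None)
        if lease is None:
            return
        self._log("checkin", account=lease.account, requester=lease.requester)
        self.rotate(lease.account, reason="checkin")

    def expire_leases(self) -> list:
        """Housekeeping: force check-in of leases past expiry.  Returns rotated accounts."""
        expired = [t for t, l in self._leases.items() if l.expires_at <= self._now()]
        rotated = []
        for token in expired:
            lease = self._leases[token]
            self._log("lease_expired", account=lease.account, requester=lease.requester)
            self.checkin(token)
            rotated.append(lease.account)
        return rotated


if __name__ == "__main__":
    v = Vault(default_ttl_s=600)
    v.onboard("root@db01", allowed={"alice", "backup-job"})
    lease = v.checkout("root@db01", "alice", ttl_s=300)
    print("proxy injects:", v.resolve(lease.token)[:4] + "...")  # user never sees this
    v.checkin(lease.token)
    print([e["event"] for e in v.audit])
```

Two design points worth noting: the requester only ever holds `lease.token`, so a stolen token is useless once the lease is checked in or expires, and rotation on check-in is what turns a shared standing credential into a one-time one. A production vault additionally stores the secret encrypted at rest and pushes rotations to the target system, which this model omits.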
Logging and reporting
This capability records every individual event, including changes and operations, that occurs as part of PAM operation. An event is attributed to a user, time, date and location, and is correlated with other events in logical order so that the root cause of a risk event can be determined and unauthorized access identified. The capability also provides auditing and reporting over the event database, with prebuilt reports and support for ad hoc reports. Event data must include information from privileged sessions. It further provides analytics (using machine learning) on privileged account activity to detect and flag anomalies, including baselining, risk scoring and alerting. The objective is to surface the leading and lagging indicators of a privileged access anomaly early enough to trigger automated countermeasures in response to an alert.
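Baselining and risk scoring of privileged session events, as described above, reduces to a small amount of logic once events are parsed. The following is an added example, not code from the original page or from any PAM product; the single-line log format, the field names, the users `alice`, `bob` and `carol`, the accounts, the IP addresses, the per-signal weights and the alert threshold are all constructed for this illustration and would be tuned against real data.

```python
"""Baseline-and-score anomaly detection over privileged session events.

Added example with a made-up log format: "<ts> <user> <account> <src_ip> <action>".
A baseline is built from historical events per user (accounts used, source IPs,
hours of day); each live event is then scored against that baseline and alerted
on when the score reaches a threshold.  Weights and thresholds are invented.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<account>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<action>\S+)$"
)

# Constructed historical events (the baseline period).
TRAINING = """\
# ts user account src_ip action
2024-05-06T09:12:03Z alice root@db01 10.1.2.10 checkout
2024-05-06T09:40:11Z alice root@db01 10.1.2.10 checkin
2024-05-07T10:05:44Z alice root@db01 10.1.2.10 checkout
2024-05-07T10:31:02Z alice root@db01 10.1.2.10 checkin
2024-05-08T11:15:27Z alice root@db01 10.1.2.10 checkout
2024-05-08T11:42:50Z alice root@db01 10.1.2.10 checkin
2024-05-06T14:03:19Z bob admin@fw01 10.1.3.7 checkout
2024-05-06T14:25:40Z bob admin@fw01 10.1.3.7 checkin
2024-05-08T15:10:05Z bob admin@fw01 10.1.3.7 checkout
2024-05-08T15:33:58Z bob admin@fw01 10.1.3.7 checkin
"""

# Constructed live events to score: one normal, one off-hours from an unknown
# address, one user touching an account outside their pattern, one unknown user.
LIVE = """\
2024-05-09T10:10:00Z alice root@db01 10.1.2.10 checkout
2024-05-10T02:31:09Z alice root@db01 203.0.113.45 checkout
2024-05-10T15:00:00Z bob root@db01 10.1.3.7 checkout
2024-05-10T15:05:00Z carol admin@fw01 10.1.3.7 checkout
"""

ALERT_AT = 50  # invented threshold


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    account: str
    src: str
    action: str


def parse(text: str) -> list:
    """Parse the made-up log format; comments and blank lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["account"], m["src"], m["action"]))
    return events


def build_baseline(events: list) -> dict:
    """Per-user sets of accounts, source IPs and hours-of-day seen historically."""
    base = defaultdict(lambda: {"accounts": set(), "sources": set(), "hours": set()})
    for e in events:
        base[e.user]["accounts"].add(e.account)
        base[e.user]["sources"].add(e.src)
        base[e.user]["hours"].add(e.ts.hour)
    return dict(base)


def score(e: Event, base: dict) -> tuple:
    """Return (risk score, reasons).  Each signal adds an invented weight."""
    if e.user not in base:
        return 50, ["no baseline for user"]
    b, reasons, s = base[e.user], [], 0
    if e.account not in b["accounts"]:
        s += 30; reasons.append("account never used by this user")
    if e.src not in b["sources"]:
        s += 40; reasons.append("new source IP")
    # Off-hours: neither the event hour nor its neighbours were ever seen for this user.
    if not any(((e.ts.hour + d) % 24) in b["hours"] for d in (-1, 0, 1)):
        s += 30; reasons.append("outside baseline hours")
    return s, reasons


def detect(training: str, live: str, alert_at: int = ALERT_AT) -> list:
    """Score every live event; each result is (event, score, reasons, alert?)."""
    base = build_baseline(parse(training))
    out = []
    for e in parse(live):
        s, reasons = score(e, base)
        out.append((e, s, reasons, s >= alert_at))
    return out


if __name__ == "__main__":
    for e, s, reasons, alert in detect(TRAINING, LIVE):
        flag = "ALERT" if alert else "ok   "
        print(f"{flag} {s:3d} {e.ts:%Y-%m-%d %H:%M} {e.user:<6} {e.account:<11} {e.src:<14} {reasons}")
```

The scoring is deliberately additive and explainable: each alert carries the reasons that produced it, which is what an analyst needs to triage quickly and what an automated countermeasure (forced check-in and rotation, for instance) can be keyed on. In practice the baseline window, weights and threshold are calibrated per environment, and volume signals such as check-outs per day are added alongside the three shown here.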
Privileged task automation
Privileged task automation (PTA) provides functions and features for automating multistep, repetitive tasks related to privileged operations that are orchestrated and/or executed across a range of systems. PTA uses extensible libraries of preconfigured privileged operations for common IT systems and devices. It can orchestrate back and forth between different activities and ask for more information as needed, while providing guardrails by checking each input against policies and settings.
Privilege elevation and delegation
This capability provides host-based functions and features for enforcing policies that permit authorised commands or applications to run under elevated privileges. Administrators log in with an unprivileged account and elevate privilege only as needed. Every command that requires additional privilege must pass through these tools and is checked against policy, which prevents administrators from carrying out activities the policy does not allow.
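On Linux the host-based elevation point is usually sudo, and the difference between a policy that merely elevates and one that actually constrains is visible in a few lines of sudoers. The fragment below is an added example, not configuration from the original page or from any PAM product; the group `ops`, the `nginx` unit and the file paths are invented for the illustration, and it assumes a sudo build with I/O logging and NOEXEC support.

```sudoers
# Weak: blanket root for the whole group, any command, no password, no session record.
# Every member is effectively root, and nothing an auditor can replay is kept.
%ops ALL=(ALL) NOPASSWD: ALL

# Hardened: elevate only the named operations, with exact arguments, and record the session.
# Without a trailing wildcard, sudoers requires the arguments to match exactly, so
# "journalctl --no-pager -u nginx" cannot become "journalctl --no-pager -u nginx -u sshd".
Cmnd_Alias SERVICE_CTL = /usr/bin/systemctl restart nginx, \
                         /usr/bin/systemctl status nginx
Cmnd_Alias LOG_READ    = /usr/bin/journalctl --no-pager -u nginx
# sudoedit hands the editor an unprivileged copy, so editor shell escapes do not yield root.
Cmnd_Alias EDIT_CONF   = sudoedit /etc/nginx/nginx.conf

# Record keystrokes and output for these users so the session can be replayed.
Defaults:%ops log_input, log_output, iolog_dir=/var/log/sudo-io
# Re-authenticate after five minutes of inactivity rather than the default window.
Defaults:%ops timestamp_timeout=5

# NOEXEC stops the permitted program from spawning further programs (pagers, editors,
# shells), which is the usual way a narrow sudo rule is turned into a full shell.
%ops ALL=(root) NOEXEC: SERVICE_CTL, LOG_READ, EDIT_CONF
```

Two practical checks go with this: validate the file with `visudo -c` before it is installed, since a syntax error locks everyone out of sudo, and avoid negated rules (`!/bin/sh`) as a substitute for an allow list, because sudo cannot enumerate every path to a shell. The I/O logs written to `iolog_dir` are the session recordings the logging and reporting capability above expects to ingest.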