PAM (Privileged Access Management) class systems are one of the most crucial elements in securing IT infrastructure. They are primarily used to protect credentials of privileged accounts (shared accounts and technical accounts), especially in critical components of the IT environment. Implementing appropriate policies to maintain the security of account passwords such as root, admin, sys, dba, etc., is often challenging and requires manual work by IT teams. Automating the credential management process (including password rotation and encryption) and securing and verifying access to high-privileged accounts are fundamental for safeguarding critical infrastructure against unauthorized access.
- The area of PIM/PAM (Privileged Identity Management, Privileged Access Management) is identified by Gartner as one of the most significant investments in IT security.
- PAM systems address three basic needs – password management of privileged accounts, organisation of access and accountability for the use of accounts with high privileges, recording of remote sessions.
- A natural extension of PAM systems are PEDM (Privilege Elevation and Delegation Management) solutions that allow the precise setting of account privileges.
- The basic idea for PAM systems is to manage shared and technical accounts, but it is also advisable to support named privilege accounts.
- The correct implementation of a PAM system is a process that takes an average of four to eight weeks.
Not only recording sessions
PIM/PAM (Privileged Identity Management, Privileged Access Management) solutions are often perceived as systems that record remote sessions of IT administrators and subcontractors. Session recording is indeed one of the key functions of such tools, but privileged access management (or privileged identity management) goes well beyond it. A crucial aspect, especially for protecting critical accounts, is the implementation of mechanisms that limit and track the use of privileged accounts.
Another significant design aspect, from a security perspective, is the ability to separate users from passwords. A properly implemented PIM/PAM system lets administrators work without loss of productivity: the system establishes the session on the privileged account and substitutes that account's credentials itself, so administrators act under critical accounts without ever needing to know the passwords. The PAM system is also responsible for changing the password, whether periodically or after each use of the account.
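The separation of users from passwords described above can be shown as a small checkout/check-in broker. The following is an added example written for this page, not code from the article or from any PAM product: `TargetHost` is a constructed stand-in for a managed server, `PamVault` is a hypothetical broker that holds the password, performs the login on the requester's behalf, logs every event, and rotates the password when the account is checked back in. A password copied before check-in is useless afterwards, which is the risk-reduction point of per-use rotation.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class TargetHost:
    """Constructed stand-in for a managed server; it knows only the current password."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def login(self, account: str, password: str) -> bool:
        # constant-time comparison, as a real authentication check would use
        return secrets.compare_digest(self._passwords.get(account, ""), password)


@dataclass
class ManagedAccount:
    name: str
    password: str                      # held by the vault, never handed to a user
    checked_out_by: Optional[str] = None


class PamVault:
    """Hypothetical broker: a requester receives a session token, never the secret."""

    def __init__(self, host: TargetHost, policy: Dict[str, Set[str]]) -> None:
        self._host = host
        self._policy = policy                          # user -> accounts that user may use
        self._accounts: Dict[str, ManagedAccount] = {}
        self._sessions: Dict[str, Tuple[str, str]] = {}  # token -> (user, account)
        self.audit: List[Tuple[str, str, str]] = []      # (event, user, account)

    @staticmethod
    def _generate_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def onboard(self, account: str) -> None:
        """Take the account over: set a password that only the vault knows."""
        password = self._generate_password()
        self._host.set_password(account, password)
        self._accounts[account] = ManagedAccount(account, password)
        self.audit.append(("onboard", "vault", account))

    def checkout(self, user: str, account: str) -> str:
        """Enforce the access policy and reserve the account for one user at a time."""
        if account not in self._policy.get(user, set()):
            self.audit.append(("denied", user, account))
            raise PermissionError(f"{user} may not use {account}")
        acct = self._accounts[account]
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{account} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (user, account)
        self.audit.append(("checkout", user, account))
        return token

    def open_session(self, token: str) -> bool:
        """Credential substitution: the vault logs in to the target on the user's behalf."""
        user, account = self._sessions[token]
        ok = self._host.login(account, self._accounts[account].password)
        self.audit.append(("session" if ok else "login-failed", user, account))
        return ok

    def checkin(self, token: str) -> None:
        """Release the account and rotate its password on the target after use."""
        user, account = self._sessions.pop(token)
        acct = self._accounts[account]
        acct.password = self._generate_password()
        self._host.set_password(account, acct.password)
        acct.checked_out_by = None
        self.audit.append(("checkin-rotate", user, account))


def demo() -> dict:
    """Walk one checkout through the broker; alice may use root, bob may not."""
    host = TargetHost()
    vault = PamVault(host, policy={"alice": {"root"}})
    vault.onboard("root")
    before_rotation = vault._accounts["root"].password  # copy taken before check-in

    token = vault.checkout("alice", "root")
    session_ok = vault.open_session(token)
    vault.checkin(token)

    try:
        vault.checkout("bob", "root")
        bob_denied = False
    except PermissionError:
        bob_denied = True

    return {
        "session_ok": session_ok,
        "old_password_rejected": not host.login("root", before_rotation),
        "bob_denied": bob_denied,
        "events": [event for event, _, _ in vault.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The audit trail is the accountability part of the design: every checkout, session and rotation is recorded against a named user even though the account itself (root) is shared.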
The PAM system and contractors
One of the driving forces behind privileged account protection projects is the desire for control over contractors who have access to critical IT infrastructure as part of service contracts. Whether it concerns network devices, servers or OT/SCADA environments, the lack of control over the actions of third-party representatives is a source of concern for IT and security teams. When awareness of the risk and of the need to address this area is high, organisations begin to consider security mechanisms, and in such situations a PIM/PAM system is the first choice. Naturally, privileged access management systems, with their advanced access control, credential substitution and session recording mechanisms, will more than cover the needs of such a use case. However, it is worth bearing in mind that these systems were built primarily with internal infrastructure in mind and are designed above all to protect IT environments from threats within the organisation.